diff --git a/deepfence_server/cloud_controls/azure/cis.json b/deepfence_server/cloud_controls/azure/cis.json new file mode 100644 index 0000000000..b861673c9f --- /dev/null +++ b/deepfence_server/cloud_controls/azure/cis.json 
@@ -0,0 +1,4474 @@ +[ + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.1 Security Defaults", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.1 Security Defaults" + ], + "control_id": "azure_compliance.control.cis_v200_1_1_1", + "description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.", + "title": "1.1.1 Ensure Security Defaults is enabled on Azure Active Directory", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.1.1", + "cis_level": "1", + "cis_section_id": "1.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.\n\nSecurity defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. 
You may turn on security defaults in the Azure portal.\n\nSecurity defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.\nFor example, doing the following:\n- Requiring all users and admins to register for MFA.\n- Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.\n- Disabling authentication from legacy authentication clients, which can’t do MFA.\n\n## Remediation\n\n### From Azure Portal\n\nTo enable security defaults in your directory:\n\n1. From Azure Home select the Portal Menu.\n2. Browse to `Azure Active Directory` \u003e `Properties`.\n3. Select `Manage security defaults`.\n4. Set the `Enable security defaults toggle to Yes`.\n5. Select `Save`.\n\n### Default Value\n\nIf your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.1 Security Defaults", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.1 Security Defaults" + ], + "control_id": "azure_compliance.control.cis_v200_1_1_2", + "description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources.", + "title": "1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.1.2", + "cis_level": "1", + "cis_section_id": "1.1", + "cis_type": "manual", + 
"cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as;\n- Service Co-Administrators\n- Subscription Owners\n- Contributors\n\nMulti-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory` blade.\n3. Select `Users`.\n4. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors`.\n5. Click on the `Per-User MFA button` in the top row menu.\n6. Check the box next to each noted user.\n7. Click `Enable` under quick steps in the right-hand panel.\n8. Click `enable multi-factor auth`.\n9. Click `close`.\n\n### Other Options within Azure Portal\n\nFollow Microsoft Azure documentation and enable multi-factor authentication in your environment.\n\nhttps://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa\n\nEnabling and configuring MFA with conditional access policy is a multi-step process. 
Here are some additional resources on the process within Azure AD to enable multi- factor authentication for users within your subscriptions with conditional access policy.\n\nhttps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings\n\n### Default Value\n\nBy default, multi-factor authentication is disabled for all users.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.1 Security Defaults", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.1 Security Defaults" + ], + "control_id": "azure_compliance.control.cis_v200_1_1_3", + "description": "Enable multi-factor authentication for all non-privileged users.", + "title": "1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.1.3", + "cis_level": "2", + "cis_section_id": "1.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnable multi-factor authentication for all non-privileged users.\n\nMulti-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. 
Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select the `Azure Active Directory` blade.\n3. Then `Users`.\n4. Select `All Users`.\n5. Click on `Per-User MFA` button on the top bar.\n6. Ensure that for all users `MULTI-FACTOR AUTH STATUS` is `Enabled`.\n\nFollow Microsoft Azure documentation and enable multi-factor authentication in your environment.\n\n[https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa)\n\nEnabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD:\n- [https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)\n- [https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access)\n- [https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings)\n\n### Default Value\n\nBy default, multi-factor authentication is disabled for all users.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + 
"azure_compliance.benchmark.cis_v200_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.1 Security Defaults", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.1 Security Defaults" + ], + "control_id": "azure_compliance.control.cis_v200_1_1_4", + "description": "Do not allow users to remember multi-factor authentication on devices.", + "title": "1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.1.4", + "cis_level": "1", + "cis_section_id": "1.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nDo not allow users to remember multi-factor authentication on devices.\n\nRemembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Users`.\n4. Click the `Per-user MFA` button on the top bar.\n5. Click on `service settings`.\n6. 
Uncheck the box next to `Allow users to remember multi-factor authentication on devices they trust`.\n\n### Default Value\n\nBy default, `Allow users to remember multi-factor authentication on devices they trust` is disabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_1", + "description": "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.", + "title": "1.2.1 Ensure Trusted Locations Are Defined", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.1", + "cis_level": "1", + "cis_section_id": "1.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nAzure Active Directory Conditional Access allows an organization to configure `Named locations` and configure whether those locations are trusted or untrusted. 
These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.\n\nDefining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Azure Active Directory from untrusted locations or untrusted source IP addresses/ranges.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Azure AD Conditional Access` Blade.\n2. Click on the `Named locations` blade.\n3. Within the `Named locations` blade, click on `IP ranges location`.\n4. Enter a name for this location setting in the Name text box.\n5. Click on the `+` sign.\n6. Add an IP Address Range in CIDR notation inside the text box that appears.\n7. Click on the `Add` button.\n8. Repeat steps 5 through 7 for each IP Range that needs to be added.\n9. If the information entered are trusted ranges, select the `Mark as trusted location` check box.\n10. 
Once finished, click on `Create`.\n\n### From PowerShell\n\nCreate a new trusted IP-based Named location policy\n\n```bash\n[System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.IpRange]]$ipR anges = @()\n$ipRanges.Add(\"\u003cfirst IP range in CIDR notation\u003e\")\n$ipRanges.Add(\"\u003csecond IP range in CIDR notation\u003e\")\n$ipRanges.Add(\"\u003cthird IP range in CIDR notation\u003e\") New-AzureADMSNamedLocationPolicy -OdataType \"#microsoft.graph.ipNamedLocation\" -DisplayName \"\u003cname of IP Named location policy\u003e -IsTrusted $true -IpRanges $ipRanges\n```\n\nSet an existing IP-based Named location policy to trusted\n\n```bash\nSet-AzureADMSNamedLocationPolicy -PolicyId \"\u003cID of the policy\u003e\" -OdataType \"#microsoft.graph.ipNamedLocation\" -IsTrusted $true\n```\n\n### Default Value\n\nBy default, no locations are configured under the Named locations blade within the Azure AD Conditional Access blade.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_2", + "description": "Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. 
The scope and variables for this policy should be carefully examined and defined.", + "title": "1.2.2 Ensure that an exclusionary Geographic Access Policy is considered", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.2", + "cis_level": "1", + "cis_section_id": "1.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nConditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.\n\nConditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.\n\n## Remediation\n\n### From Azure Portal\n\nPart 1 of 2 - Create the policy and enable it in `Report-only` mode.\n\n1. From Azure Home open the portal menu in the top left, and select `Azure Active Directory`.\n2. Scroll down in the menu on the left, and select `Security`.\n3. Select on the left side `Conditional Access`.\n4. Click the `+ New policy` button, then:\n5. Provide a name for the policy.\n6. Under `Assignments`, select `Users or work load identities` then:\n - Under `Include`, select `All users`\n - Under `Exclude`, check Users and groups and only select emergency access accounts and service accounts (**NOTE:** Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA)\n7. Under `Assignments`, select `Cloud apps or actions` then:\n - Under `Include`, select `All cloud apps`\n - Leave `Exclude` blank unless you have a well defined exception.\n8. 
Under `Conditions`, select `Locations` then:\n - Select `Include`, then add entries for locations for those that should be blocked.\n - Select `Exclude`, then add entries for those that should be allowed (**IMPORTANT:** Ensure that all Trusted Locations are in the `Exclude` list.)\n9. Under `Access Controls`, select `Grant` and Confirm that `Block Access` is selected.\n10. Set `Enable policy` to `Report-only`.\n11. Click `Create`.\n\n**NOTE:** The policy is not yet 'live,' since `Report-only` is being used to audit the effect of the policy.\n\nPart 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to `On`.\n\n1. With your policy now in report-only mode, return to the Azure Active Directory blade and click on `Sign-in logs`.\n2. Review the recent sign-in events - click an event then review the event details (specifically the `Report-only` tab) to ensure:\n - The sign-in event you're reviewing occurred **after** turning on the policy in report-only mode.\n - The policy name from step 5 above is listed in the `Policy Name` column.\n - The `Result` column for the new policy shows that the policy was `Not applied` (indicating the location origin was not blocked).\n3. If the above conditions are present, navigate back to the policy name in Conditional Access and open it.\n4. Toggle the policy from `Report-only` to `On`.\n5. Click `Save`.\n\n### From PowerShell\n\nFirst, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. 
You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the `Get-AzureADMSNamedLocationPolicy` which outputs the `Location IDs` for use with conditional access policies.\n\n```bash\n$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet\n\n$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition $conditions.Applications.IncludeApplications = \u003c\"All\" | \"Office365\" | \"app ID\" | @(\"app ID 1\", \"app ID 2\", etc...\u003e $conditions.Applications.ExcludeApplications = \u003c\"Office365\" | \"app ID\" | @(\"app ID 1\", \"app ID 2\", etc...)\u003e\n\n$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition $conditions.Users.IncludeUsers = \u003c\"All\" | \"None\" | \"GuestsOrExternalUsers\" | \"Specific User ID\" | @(\"User ID 1\", \"User ID 2\", etc.)\u003e $conditions.Users.ExcludeUsers = \u003c\"GuestsOrExternalUsers\" | \"Specific User ID\" | @(\"User ID 1\", \"User ID 2\", etc.)\u003e\n$conditions.Users.IncludeGroups = \u003c\"group ID\" | \"All\" | @(\"Group ID 1\", \"Group ID 2\", etc...)\u003e\n$conditions.Users.ExcludeGroups = \u003c\"group ID\" | @(\"Group ID 1\", \"Group ID 2\", etc...)\u003e\n$conditions.Users.IncludeRoles = \u003c\"Role ID\" | \"All\" | @(\"Role ID 1\", \"Role ID 2\", etc...)\u003e\n$conditions.Users.ExcludeRoles = \u003c\"Role ID\" | @(\"Role ID 1\", \"Role ID 2\", etc...)\u003e\n\n$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition $conditions.Locations.IncludeLocations = \u003c\"Location ID\" | @(\"Location ID 1\", \"Location ID 2\", etc...) 
\u003e\n$conditions.Locations.ExcludeLocations = \u003c\"AllTrusted\" | \"Location ID\" | @(\"Location ID 1\", \"Location ID 2\", etc...)\u003e\n\n\n$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls $controls._Operator = \"OR\"\n$controls.BuiltInControls = \"block\"\n```\n\nNext, update the existing conditional access policy with the condition set options configured with the previous commands.\n\n```bash\nSet-AzureADMSConditionalAccessPolicy -PolicyId \u003cpolicy ID\u003e -Conditions $conditions -GrantControls $controls\n```\n\nTo create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above\n\n```bash\nNew-AzureADMSConditionalAccessPolicy -Name \"Policy Name\" -State \u003cenabled|disabled\u003e -Conditions $conditions -GrantControls $controls\n```\n\n### Default Value\n\nThis policy does not exist by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_3", + "description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "title": "1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.3", + "cis_level": "1", + "cis_section_id": "1.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": 
"azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nFor designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.\n\nEnabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home open the Portal Menu in top left, and select Azure Active Directory.\n2. Select `Security`.\n3. Select `Conditional Access`.\n4. Click `+ New policy`.\n5. Enter a name for the policy.\n6. Select `Users or workload identities`.\n7. Check `Users and groups`.\n8. Select administrative groups this policy should apply to and click `Select`.\n9. Under `Exclude`, check `Users and groups`.\n10. Select users this policy not should apply to and click `Select`.\n11. Select `Cloud apps or actions`.\n12. Select `All cloud apps`.\n13. Select `Grant`.\n14. Under Grant access, check `Require multifactor authentication` and click `Select`.\n15. Set `Enable policy` to `Report-only`.\n16. 
Click `Create`.\n\nAfter testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.\n\n### Default Value\n\nBy default, MFA is not enabled for any administrative accounts.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_4", + "description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.", + "title": "1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.4", + "cis_level": "1", + "cis_section_id": "1.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nFor designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.\n\nEnabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home open Portal menu in the top left, and select `Azure Active Directory`.\n2. Select `Security`.\n3. Select `Conditional Access`.\n4. Click `+ New policy`.\n5. Enter a name for the policy.\n6. Select `Users or work load identities`.\n7. Under `Include`, select `All users`.\n8. 
Under `Exclude`, check `Users and groups`.\n9. Select users this policy should not apply to and click `Select`.\n10. Select `Cloud apps or actions`.\n11. Select `All cloud apps`.\n12. Select `Grant`.\n13. Under `Grant access`, check `Require multifactor authentication` and click `Select`.\n14. Set `Enable policy` to `Report-only`.\n15. Click `Create`.\n\nAfter testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.\n\n### Default Value\n\nMFA is not enabled by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_5", + "description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "title": "1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.5", + "cis_level": "1", + "cis_section_id": "1.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nFor designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.\n\nEnabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.\n\n## Remediation\n\n### From Azure Portal\n\n1. 
From Azure Home select the Portal Menu in the top left, and select `Azure Active Directory`.\n2. Select `Security`\n3. Select `Conditional Access`.\n4. Click `+ New policy`.\n5. Enter a name for the policy.\n6. Select `Users or workload identities`.\n7. Under `Include`, select `All users`.\n8. Under `Exclude`, check `Users and groups`.\n9. Select users this policy should not apply to and click `Select`.\n10. Select `Cloud apps or actions`.\n11. Select `All cloud apps`.\n12. Select `Conditions`.\n13. Select `Sign-in risk`.\n14. Update the `Configure` toggle to `Yes`.\n15. Check the sign-in risk level this policy should apply to, e.g. `High` and `Medium`.\n16. Select `Done`.\n17. Select `Grant`.\n18. Under `Grant access`, check `Require multifactor authentication` and click `Select`.\n19. Set `Enable policy` to `Report-only`.\n20. Click `Create`.\n\nAfter testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.\n\n### Default Value\n\nMFA is not enabled by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management \u003e 1.2 Conditional Access", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management", + "1.2 Conditional Access" + ], + "control_id": "azure_compliance.control.cis_v200_1_2_6", + "description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.", + "title": "1.2.6 Ensure Multi-factor Authentication is Required for Azure Management", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.2.6", + "cis_level": "1", + "cis_section_id": "1.2", 
+ "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nFor designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.\n\nEnabling multi-factor authentication is a recommended setting to limit the use of Administrative actions and to prevent intruders from changing settings.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu and select `Azure Active Directory`.\n2. Select `Security`.\n3. Select `Conditional Access`.\n4. Click `+ New policy`.\n5. Enter a name for the policy.\n6. Select `Users or workload identities`.\n7. Under `Include`, select `All users`.\n8. Under `Exclude`, check `Users and groups`.\n9. Select users this policy should not apply to and click `Select`.\n10. Select `Cloud apps or actions`.\n11. Select `Select apps`.\n12. Check the box next to `Microsoft Azure Management` and click `Select`.\n13. Select `Grant`.\n14. Under `Grant access`, check `Require multifactor authentication` and click `Select`.\n15. Set `Enable policy` to `Report-only`.\n16. 
Click `Create`.\n\nAfter testing the policy in report-only mode, update the `Enable policy` setting from `Report-onl`y to `On`.\n\n### Default Value\n\nMFA is not enabled by default for administrative actions.\n\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1/azure_compliance.benchmark.cis_v200_1_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_3", + "description": "Require administrators or appropriately delegated users to create new tenants.", + "title": "1.3 Ensure that 'Users can create Azure AD Tenants' is set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.3", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRequire administrators or appropriately delegated users to create new tenants.\n\nIt is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Users`.\n4. Select `User settings`.\n5. 
Set `Users can create Azure AD Tenants` to `No`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_4", + "description": "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities.", + "title": "1.4 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.4", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nThis recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2.\n\nAzure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.\n\nWork with external partners, large or small, even if they don't have Azure AD or an IT department. 
A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.\n\n## Remediation\n\n### From Azure Portal\n\n1. From the Azure Portal home page click the portal menu in the top left.\n2. Select `Azure Active Directory`.\n3. Select `Users` in the left column under the `Manage` heading.\n4. Next to the search box select the `filter` option.\n5. Search for and select `User Type`.\n6. In the third drop down `Value` select `Guest`.\n7. Review the guest users in your Active Directory.\n8. For those you wish to delete, select the checkbox on the left then the `Delete` option in the top row.\n\n### From Azure CLI\n\nWith the information from the audit procedure, to remove a Guest user run the following command with their User Principal Value.\n\n```bash\nRemove-AzureADUser -ObjectId \"\u003cUserPrincipalName@emailaddress.com\"\n```\n\n### From Powershell\n\nWith the information from the audit procedure, to remove a Guest user run the following command with their User Principal Value.\n\n```bash\nRemove-AzureADUser -ObjectId \"\u003cUserPrincipalName@emailaddress.com\u003e\"\n```\n\n### Default Value\n\nBy default no guest users are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_5", + "description": "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. 
Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.", + "title": "1.5 Ensure Guest Users Are Reviewed on a Regular Basis", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.5", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nAzure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data.\n\nWork with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user.\n\nGuest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu\n2. Select `Azure Active Directory`\n3. Select `Users`\n4. Click on `Add filter`\n5. Select `User type`\n6. Select `Guest` from the Value drop down\n7. Click `Apply`\n8. 
Delete all `Guest` users that are no longer required or are inactive\n\n### From Azure CLI\n\nBefore deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.\n\n```bash\naz ad user update --id \u003cexampleaccountid@domain.com\u003e --account-enabled {false}\n```\n\nAfter determining that there are no dependent systems delete the user.\n\n```bash\nRemove-AzureADUser -ObjectId \u003cexampleaccountid@domain.com\u003e\n```\n\n### From Azure PowerShell\n\nBefore deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems.\n\n```bash\nSet-AzureADUser -ObjectId \"\u003cexampleaccountid@domain.com\u003e\" -AccountEnabled false\n```\n\nAfter determining that there are no dependent systems delete the user.\n\n```bash\nPS C:\\\u003eRemove-AzureADUser -ObjectId \u003cexampleaccountid@domain.com\u003e\n```\n\n### Default Value\n\nBy default no guest users are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_6", + "description": "Ensures that two alternate forms of identification are provided before allowing a password reset.", + "title": "1.6 Ensure That 'Number of methods required to reset' is set to '2'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.6", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnsures that two alternate forms of 
identification are provided before allowing a password reset.\n\nA Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Users`.\n4. Select `Password reset`.\n5. Then `Authentication methods`.\n6. Set the `Number of methods required to reset` to `2`.\n\nPlease **note** that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.\n\n### Default Value\n\nBy default, the `Number of methods required to reset` is set to \"2\".\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_7", + "description": "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. 
To further password security, it is recommended to further define a custom banned password policy.", + "title": "1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.7", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nMicrosoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.\n\nEnabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Security`.\n4. Under `Manage`, select `Authentication Methods`.\n5. Select `Password Protection`.\n6. Set the `Enforce custom list` option to `Yes`.\n7. Double click the custom banned password list to add a string.\n\n### Default Value\n\nBy default the custom bad password list is not 'Enabled'. 
Organizational-specific terms can be added to the custom banned password list, such as the following examples:\n- Brand names\n- Product names\n- Locations, such as company headquarters\n- Company-specific internal terms\n- Abbreviations that have specific company meaning\n- Months and weekdays with your company's local languages.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_8", + "description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.", + "title": "1.8 Ensure that 'Number of days before users are asked to re- confirm their authentication information' is not set to '0'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.8", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnsure that the number of days before users are asked to re-confirm their authentication information is not set to 0.\n\nThis setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.\n\n## Remediation\n\n### From Azure Portal\n\n1. 
From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Users`.\n4. Select `Password reset`.\n5. Then `Registration`.\n6. Set the `Number of days before users are asked to re-confirm their authentication information` to your organization-defined frequency.\n\n### Default Value\n\nBy default, `the Number of days before users are asked to re-confirm their authentication information` is set to \"180 days\".\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_9", + "description": "Ensure that users are notified on their primary and secondary emails on password resets.", + "title": "1.9 Ensure that 'Notify users on password resets?' is set to 'Yes'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.9", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnsure that users are notified on their primary and secondary emails on password resets.\n\nUser notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Users`.\n4. Select `Password reset`.\n5. Under Manage, select `Notifications`.\n6. 
Set `Notify users on password resets?` to `Yes`.\n\n### Default Value\n\nBy default, `Notify users on password resets?` is set to \"Yes\".\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_10", + "description": "Ensure that all Global Administrators are notified if any other administrator resets their password.", + "title": "1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.10", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nEnsure that all Global Administrators are notified if any other administrator resets their password.\n\nGlobal Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Users`.\n4. Select `Password reset`.\n5. Under Manage, select `Notifications`.\n6. 
Set `Notify all admins when other admins reset their password?` to `Yes`.\n\n### Default Value\n\nBy default, `Notify all admins when other admins reset their password?` is set to \"No\".", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_11", + "description": "Require administrators to provide consent for applications before use.", + "title": "1.11 Ensure 'User consent for applications' is set to 'Do not allow user consent'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.11", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRequire administrators to provide consent for applications before use.\n\nIf Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Enterprise Applications`.\n4. Select `Consent and permissions`.\n5. Select `User consent settings`.\n6. Set `User consent for applications` to `Do not allow user consent`.\n7. 
Click save\n\n### Default Value\n\nBy default, `Users consent for applications` is set to `Allow user consent for apps`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_12", + "description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.", + "title": "1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.12", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nAllow users to provide consent for selected permissions when a request is coming from a verified publisher.\n\nIf Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Enterprise Applications`.\n4. Select `Consent and permissions`.\n5. Select `User consent settings`.\n6. Under `User consent for applications`, select `Allow user consent for apps from verified publishers, for selected permissions`.\n7. 
Select `Save`.\n\n### From PowerShell\n\n```bash\nConnect-MsolService\nSet-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False\n```\n\n### Default Value\n\nBy default, `User consent for applications` is set to `Allow user consent for apps`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_13", + "description": "Require administrators to provide consent for the apps before use.", + "title": "1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.13", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRequire administrators to provide consent for the apps before use.\n\nUnless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Users`.\n4. Select `User settings`.\n5. Then `Manage how end users launch and view their applications`.\n6. 
Set `Users can add gallery apps to My Apps` to `No`.\n\n### Default Value\n\nBy default, `Users can add gallery apps to My Apps` is set to `No`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_14", + "description": "Require administrators or appropriately delegated users to register third-party applications.", + "title": "1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.14", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRequire administrators or appropriately delegated users to register third-party applications.\n\nIt is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Users`.\n4. Select `User settings`.\n5. 
Set `Users can register applications` to `No`.\n\n### From Powershell\n\n```bash\nConnect-MsolService\nSet-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False\n```\n\n### Default Value\n\nBy default, `Users can register applications` is set to \"Yes\".\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_15", + "description": "Limit guest user permissions.", + "title": "1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.15", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nLimit guest user permissions.\n\nLimiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.\n\n1. Guest users have the same access as members (most inclusive),\n2. Guest users have limited access to properties and memberships of directory objects (default value),\n3. 
Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).\n\nThe recommended option is the 3rd, most restrictive: \"Guest user access is restricted to their own directory object\".\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `External Identities`.\n4. Select `External collaboration settings`.\n5. Under `Guest user access`, change `Guest user access restrictions` to be `Guest user access is restricted to properties and memberships of their own directory objects`.\n\n### From Powershell\n\n1. From a PowerShell session enter `Set-AzureADMSAuthorizationPolicy- GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'`\n2. Check that the setting was applied by entering `Get- AzureADMSAuthorizationPolicy`\n3. Make certain that the GuestUserRoleId is equal to the earlier entered value of 2af84b1e-32c8-42b7-82bc-daa82404023b.\n\n### Default Value\n\nBy default, `Guest user access restrictions` is set to `Guest user access is restricted to properties and memberships of their own directory objects`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_16", + "description": "Restrict invitations to users with specific administrative roles only.", + "title": "1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.16", + "cis_level": "2", + "cis_section_id": "1", + 
"cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRestrict invitations to users with specific administrative roles only.\n\nRestricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain \"Need to Know\" permissions and prevents inadvertent access to data.\n\nBy default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `External Identities`.\n4. Select `External collaboration settings`.\n5. Under `Guest invite settings`, for `Guest invite restrictions`, ensure that `Only users assigned to specific admin roles can invite guest users` is selected.\n\n### Default Value\n\nBy default, `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_17", + "description": "Restrict access to the Azure AD administration portal to administrators only.", + "title": "1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": 
"1.17", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRestrict access to the Azure AD administration portal to administrators only.\n\n**NOTE:** This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.\n\nThe Azure AD administrative portal has sensitive data and permission settings. All non- administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Users`.\n4. Select `User settings`.\n5. Set `Restrict access to Azure AD administration portal` to `Yes`.\n\n### Default Value\n\nBy default, `Restrict access to Azure AD administration portal` is set to `No`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_18", + "description": "Restricts group creation to administrators with permissions only.", + "title": "1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.18", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + 
"documentation": "## Description\n\nRestricts group creation to administrators with permissions only.\n\nSelf-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Groups`.\n4. Select `General` under `Settings`.\n5. Ensure that `Restrict user ability to access groups features in the Access Panel` is set to `Yes`.\n\n### Default Value\n\nBy default, `Restrict user ability to access groups features in the Access Pane` is set to `No`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_19", + "description": "Restrict security group creation to administrators only.", + "title": "1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.19", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRestrict security group creation to administrators only.\n\nWhen creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. 
Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Groups`.\n4. Select `General under Settings`.\n5. Set `Users can create security groups in Azure portals, API or PowerShell` to `No`.\n\n### Default Value\n\nBy default, `Users can create security groups in Azure portals, API or PowerShell` is set to `Yes`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_20", + "description": "Restrict security group management to administrators only.", + "title": "1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.20", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRestrict security group management to administrators only.\n\nRestricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Groups`.\n4. Select `General` in `settings`.\n5. 
Set `Owners can manage group membership requests in the Access Panel` to `No`.\n\n### Default Value\n\nBy default, `Owners can manage group membership requests in the Access Panel` is set to `No`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_21", + "description": "Restrict Microsoft 365 group creation to administrators only.", + "title": "1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.21", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nRestrict Microsoft 365 group creation to administrators only.\n\nRestricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Then `Groups`.\n4. Select `General` in `settings`.\n5. 
Set `Users can create Microsoft 365 groups in Azure portals, API or PowerShell` to `No`.\n\n### Default Value\n\nBy default, `Users can create Microsoft 365 groups in Azure portals, API or PowerShell` is set to `Yes`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_22", + "description": "Joining or registering devices to the active directory should require Multi-factor authentication.", + "title": "1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.22", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nJoining or registering devices to the active directory should require Multi-factor authentication.\n\nMulti-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. 
Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Active Directory`.\n3. Select `Devices`.\n4. Select `Device settings`.\n5. Set `Require Multi-Factor Authentication to register or join devices with Azure AD` to `Yes`.\n\n### Default Value\n\nBy default, `Require Multi-Factor Authentication to register or join devices with Azure AD` is set to `No`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_23", + "description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", + "title": "1.23 Ensure That No Custom Subscription Administrator Roles Exist", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.23", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nThe principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. 
This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Subscriptions`.\n3. Select `Access control (IAM)`.\n4. Select `Roles`.\n5. Click `Type` and select `CustomRole` from the drop down menu.\n6. Check the box next to each role which grants subscription administrator privileges.\n7. Select `Remove`.\n8. Select `Yes`.\n\n### From Azure CLI\n\nList custom roles:\n\n```bash\naz role definition list --custom-role-only True\n```\nCheck for entries with `assignableScope` of / or the `subscription`, and an action of `*`. To remove a violating role:\n\n```bash\naz role definition delete --name \u003crole name\u003e\n```\n\n**Note** that any role assignments must be removed before a custom role can be deleted. Ensure impact is assessed before deleting a custom role granting subscription administrator privileges.\n\n### Default Value\n\nBy default, no custom owner roles are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_24", + "description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.", + "title": "1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.24", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + 
"plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nResource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.\n\nGiven the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.\n\n## Remediation\n\n### From Azure Portal\n\n1. In the Azure portal, open a subscription or resource group where you want the custom role to be assigned.\n2. `Select Access control (IAM).`\n3. Click `Add`.\n4. Select `Add custom role`.\n5. In the `Custom Role Name` field enter `Resource Lock Administrator`.\n6. In the Description field enter `Can Administer Resource Locks`.\n7. For Baseline permissions select `Start from scratch`\n8. Select `next`.\n9. In the Permissions tab select `Add permissions`.\n10. In the Search for a permission box, type in `Microsoft.Authorization/locks` to search for permissions.\n11. Select the check box next to the permission `Microsoft.Authorization/locks`.\n12. Select `Add`.\n13. Select `Review + create`.\n14. Select `Create`.\n15. 
Assign the newly created role to the appropriate user.\n\n### From PowerShell:\n\nBelow is a power shell definition for a resource lock administrator role created at an Azure Management group level\n\n```bash\nImport-Module Az.Accounts\nConnect-AzAccount\n\n$role = Get-AzRoleDefinition \"User Access Administrator\" $role.Id = $null\n$role.Name = \"Resource Lock Administrator\" $role.Description = \"Can Administer Resource Locks\" $role.Actions.Clear() $role.Actions.Add(\"Microsoft.Authorization/locks/*\") $role.AssignableScopes.Clear()\n\n* Scope at the Management group level Management group\n\n$role.AssignableScopes.Add(\"/providers/Microsoft.Management/managementGroups/ MG-Name\")\n\nNew-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition \"Resource Lock Administrator\"\n```\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "azure_compliance.control.cis_v200_1_25", + "description": "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.", + "title": "1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "1.25", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory" + }, + "documentation": "## Description\n\nUsers who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of 
Azure Active Directories.\n\nPermissions to move subscriptions in and out of Azure Active Directory must only be given to appropriate administrative personnel. A subscription that is moved into an Azure Active Directory may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.\n\n## Remediation\n\n### From Azure Portal\n\n1. From the Azure Portal Home select the portal menu.\n2. Select `Subscriptions`.\n3. Select `Manage Policies`.\n4. Under `Subscription leaving AAD directory` and `Subscription entering AAD directory` select `Permit no one`.\n\n### Default Value\n\nBy default `Subscription leaving AAD director`y and `Subscription entering AA`D are set to `Allow everyone (default)`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_1", + "description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.1", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Servers enables threat detection for Servers, providing 
threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings`.\n3. Click on the subscription name.\n4. Select `Defender plans`.\n5. Set `Server` Status to `On`.\n6. Select `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n VirtualMachines --tier 'standard'\n```\n\n### From Powershell\n\nRun the following command:\n\n```bash\nSet-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_2", + "description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.2", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": 
"Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings`.\n3. Click on the subscription name.\n4. Select `Defender plans`.\n5. Set `App Service` Status to `On`.\n6. Select `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n Appservices --tier 'standard'\n```\n\n### From Powershell\n\nRun the following command:\n\n```bash\nSet-AzSecurityPricing -Name \"AppServices\" -PricingTier \"Standard\"\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_3", + "description": "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. 
Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.", + "title": "2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.3", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.\n\nEnabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings`.\n3. Click on the subscription name.\n4. Select `Defender plans`.\n5. Set `Databases Status` to `On`.\n6. Select `Save`.\n\nReview the chosen pricing tier. 
For the `Azure Databases` resource review the different plan information and choose one that fits the needs of your organization.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n 'SqlServers' --tier 'Standard'\naz security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard'\naz security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard'\naz security pricing create -n 'CosmosDbs' --tier 'Standard'\n```\n\n### From Azure PowerShell\n\nRun the following command:\n\n```bash\nSet-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\nSet-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\nSet-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'\nSet-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender Plans are off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_4", + "description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.4", + "cis_level": "2", + "cis_section_id": 
"2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Azure SQL Databases allows for greater defense-in- depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans `blade.\n5. Click `Select types` \u003e in the row for `Databases`.\n6. Set the radio button next to `Azure SQL Databases` to `On`.\n7. Select `Continue`.\n8. Select `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n SqlServers --tier 'standard'az security pricing create -n SqlServers --tier 'standard'\n```\n\n### From Powershell\n\nRun the following command:\n\n```bash\nSet-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_5", + "description": "Turning on Microsoft Defender for SQL servers 
on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.5", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for SQL servers on machines allows for greater defense- in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Click `Select types` \u003e in the row for `Databases`.\n6. Set the radio button next to `SQL servers on machines` to `On`.\n7. Select `Continue`.\n8. 
Select `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n SqlServerVirtualMachines --tier 'standard'\n```\n\n### From Powershell\n\nRun the following command:\n\n```bash\nSet-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_6", + "description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.6", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat 
detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Click `Select types` \u003e in the row for `Databases`.\n6. Set the radio button next to `Open-source relational databases` to `On`.\n7. Select `Continue`.\n8. Select `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard'\n```\n\n### From Powershell\n\nUse the below command to enable Standard pricing tier for Open-source relational databases\n\n```bash\nset-azsecuritypricing -name \"OpenSourceRelationalDatabases\" -pricingtier \"Standard\"\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_7", + "description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.7", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": 
"azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Set `Status` to `On` for `Storage`.\n6. Select `Save`.\n\n### From Azure CLI\n\nEnsure the output of the below command is Standard\n\n```bash\naz security pricing create -n StorageAccounts --tier 'standard'\n```\n\n### From Powershell\n\n```bash\nSet-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_8", + "description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'", + "tags": { 
+ "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.8", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Container Registries allows for greater defense-in- depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings`.\n3. Click on the subscription name.\n4. Select `Defender plans`.\n5. Set `Status` to `On` for `Containers`.\n6. Click `Save`.\n\n### From Azure CLI\n\n(**Note:** 'ContainerRegistry' has been deprecated and is replaced by 'Containers')\nUse the below command to enable Standard pricing tier for Containers.\n\n```bash\naz security pricing create -n 'Containers' --tier 'standard'\n```\n\n### From Powershell\n\n(**Note:** 'ContainerRegistry' has been deprecated and is replaced by 'Containers')\nUse the below command to enable Standard pricing tier for Containers.\n\n```bash\nSet-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS 
v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_9", + "description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.", + "title": "2.1.9 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.9", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nMicrosoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.\n\nIn scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. On the Database row click on `Select types \u003e`.\n6. Set the radio button next to `Azure Cosmos DB` to `On`.\n7. Click `Continue`.\n8. 
Click `Save`.\n\n### From Azure CLI\n\nRun the following command:\n\n```bash\naz security pricing create -n 'CosmosDbs' --tier 'standard'\n```\n\n### From Powershell\n\nUse the below command to enable Standard pricing tier for Azure Cosmos DB\n\n```bash\nSet-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard\n```\n\n### Default Value\n\nBy default, Microsoft Defender for Azure Cosmos DB is not enabled.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_10", + "description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "title": "2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.10", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nTurning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.\n\nEnabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).\n\n## Remediation\n\n### From 
Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Select `On` under `Status` for `Key Vault`.\n6. Select `Save`.\n\n### From Azure CLI\n\nEnable Standard pricing tier for Key Vault:\n\n```bash\naz security pricing create -n 'KeyVaults' --tier 'Standard'\n```\n\n### From Powershell\n\nEnable Standard pricing tier for Key Vault:\n\n```bash\nSet-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender plan is off.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_11", + "description": "Microsoft Defender for DNS scans all network traffic exiting from within a subscription.", + "title": "2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.11", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nMicrosoft Defender for DNS scans all network traffic exiting from within a subscription.\n\nDNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. 
These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Select `On` under `Status` for `DNS`.\n6. Select `Save`.\n\n### From Azure CLI\n\nEnable Standard pricing tier for DNS:\n\n```bash\naz security pricing create -n 'DNS' --tier 'Standard'\n```\n\n### From Powershell\n\nEnable Standard pricing tier for DNS:\n\n```bash\nSet-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender for DNS is not enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_12", + "description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.", + "title": "2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.12", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nMicrosoft Defender for Resource Manager scans incoming 
administrative requests to change your infrastructure from both CLI and the Azure portal.\n\nScanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Microsoft Defender for Cloud`.\n2. Select `Environment Settings` blade.\n3. Click on the subscription name.\n4. Select the `Defender plans` blade.\n5. Select `On` under `Status` for `Resource Manager`.\n6. Select `Save`.\n\n### From Azure CLI\n\nUse the below command to enable Standard pricing tier for Defender for Resource Manager\n\n```bash\naz security pricing create -n 'Arm' --tier 'Standard'\n```\n\n### From PowerShell\n\nUse the below command to enable Standard pricing tier for Defender for Resource Manager\n\n```bash\nSet-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'\n```\n\n### Default Value\n\nBy default, Microsoft Defender for Resource Manager is not enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_13", + "description": "Ensure that the latest OS patches for all virtual machines are applied.", + "title": "2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.13", + "cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + 
"plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nEnsure that the latest OS patches for all virtual machines are applied.\n\nWindows and Linux virtual machines should be kept updated to:\n- Address a specific bug or flaw\n- Improve an OS or application’s general stability\n- Fix a security vulnerability\n\nThe Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.\n\n## Remediation\n\nFollow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.\n\n### Default Value\n\nBy default, patches are not automatically deployed.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_14", + "description": "None of the settings offered by ASC Default policy should be set to effect Disabled.", + "title": "2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.14", + 
"cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nNone of the settings offered by ASC Default policy should be set to effect `Disabled`.\n\nA security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Select `Environment Settings`.\n4. Click on a subscription.\n5. Select `Security Policy` in the left column.\n6. Click on `ASC Default` under `Default initiative`.\n7. Ensure `Policy Enforcement` is `Enabled`.\n8. Click on the `Parameters` tab and uncheck `Only show parameters that need input or review`.\n9. For any parameters set to `Disabled` or empty, update to a valid value for the organization.\n10. 
Click `Save`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_15", + "description": "Enable automatic provisioning of the monitoring agent to collect security data.", + "title": "2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.15", + "cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\nWhen `Log Analytics agent for Azure VMs` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Select `Environment Settings`.\n4. Select a subscription.\n5. Click on `Settings \u0026 Monitoring`.\n6. 
Ensure that `Log Analytics agent for Azure VMs` is set to `On`.\n\n### From Azure CLI\n\nUse the below command to set `Automatic provisioning of monitoring agent` to `On`.\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/subscriptionID/providers/Microsoft .Security/autoProvisioningSettings/default?api-version=2017-08-01-preview - d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body json data as mentioned below.\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/autoProvi sioningSettings/default\",\n \"name\": \"default\",\n \"type\": \"Microsoft.Security/autoProvisioningSettings\",\n \"properties\": {\n \"autoProvision\": \"On\"\n }\n}\n```\n\n### Default Value\n\nBy default, `Automatic provisioning of monitoring agent` is set to `On`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_16", + "description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.", + "title": "2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.16", + "cis_level": 
"2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nEnable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.\n\nVulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Then `Environment Settings`.\n4. Select a subscription.\n5. Click on `Settings \u0026 Monitoring`.\n6. Ensure that `Vulnerability assessment for machines` is set to `On`.\n\nRepeat the above for any additional subscriptions.\n\n### Default Value\n\nBy default, `Automatic provisioning of monitoring agent` is set to `Off`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_17", + "description": "Enable automatic provisioning of the Microsoft Defender for Containers components.", + "title": "2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.17", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + 
"cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nEnable automatic provisioning of the Microsoft Defender for Containers components.\n\nAs with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Then `Environment Settings`.\n4. Select a subscription.\n5. Then `Auto Provisioning` in the left column.\n6. Set `Microsoft Defender for Containers components` to `On`.\n\nRepeat the above for any additional subscriptions.\n\n### Default Value\n\nBy default, Microsoft Defender for Containers is disabled. If Defender for Containers is enabled from the Microsoft Defender for Cloud portal, auto provisioning will be enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_18", + "description": "Enable security alert emails to subscription owners.", + "title": "2.1.18 Ensure That 'All users with the following roles' is set to 'Owner'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.18", + "cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## 
Description\n\nEnable security alert emails to subscription owners.\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Click on `Environment Settings`.\n4. Click on the appropriate Management Group, Subscription, or Workspace.\n5. Click on `Email notifications`.\n6. In the drop down of the `All users with the following roles` field select `Owner`.\n7. Click `Save`.\n\n### From Azure CLI\n\nUse the below command to set `Send email also to subscription owners` to `On`.\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/securityC ontacts/default1\",\n \"name\": \"default1\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\u003cvalidEmailAddress\u003e\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\",\n \"notificationsByRole\": \"Owner\"\n }\n}\n```\n\n### Default Value\n\nBy default, `Owner` is selected.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_19", + "description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.", + "title": "2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.19", + "cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nMicrosoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\nMicrosoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Click on `Environment Settings`.\n4. Click on the appropriate Management Group, Subscription, or Workspace.\n5. Click on `Email notifications`.\n6. 
Enter a valid security contact email address (or multiple addresses separated by commas) in the `Additional email addresses` field.\n7. Click `Save`.\n\n### From Azure CLI\n\nUse the below command to set `Security contact emails` to `On`.\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default?api-version=2020-01-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/securityC ontacts/default\",\n \"name\": \"default\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\u003cvalidEmailAddress\u003e\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\"\n }\n}\n```\n\n### Default Value\n\nBy default, there are no additional email addresses entered.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_20", + "description": "Enables emailing security alerts to the subscription owner or other designated security contact.", + "title": "2.1.20 Ensure That 'Notify about alerts with 
the following severity' is Set to 'High'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.20", + "cis_level": "1", + "cis_section_id": "2.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nEnables emailing security alerts to the subscription owner or other designated security contact.\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Click on `Environment Settings`.\n4. Click on the appropriate Management Group, Subscription, or Workspace.\n5. Click on `Email notifications`.\n6. Under `Notification types`, check the check box next to `Notify about alerts with the following severity (or higher)`: and select `High` from the drop down menu.\n7. 
Click `Save`.\n\n### From Azure CLI\n\nUse the below command to set `Send email notification for high severity alerts` to `On`.\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/\u003c$0\u003e/providers/Microsoft.Security/ securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/securityC ontacts/default1\",\n \"name\": \"default1\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\u003cvalidEmailAddress\u003e\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\"\n }\n}\n```\n\n### Default Value\n\nBy default, `Notify about alerts with the following severity (or higher)`: is set to `High`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_21", + "description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.", + "title": "2.1.21 Ensure 
that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.21", + "cis_level": "2", + "cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nThis integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.\n\nMicrosoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license.\n\nMicrosoft Defender for Cloud Apps works only with Standard Tier subscriptions.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`.\n3. Select `Environment Settings` blade.\n4. Select the subscription.\n5. Select `Integrations`.\n6. Check `Allow Microsoft Defender for Cloud Apps to access my data`.\n7. 
Select `Save`.\n\n### From Azure CLI\n\nUse the below command to enable Standard pricing tier for Storage Accounts\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/\u003csubscription_ID\u003e/providers/Micros oft.Security/settings/MCAS?api-version=2021-06-01 -d@\"input.json\"'\n```\n\nWhere input.json contains the Request body json data as mentioned below.\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/settings/MCAS\",\n \"kind\": \"DataExportSetting\",\n \"type\": \"Microsoft.Security/settings\",\n \"properties\": {\n \"enabled\": true\n }\n}\n```\n\n### Default Value\n\nWith Cloud App Security license, these alerts are enabled by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.1 Microsoft Defender for Cloud", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.1 Microsoft Defender for Cloud" + ], + "control_id": "azure_compliance.control.cis_v200_2_1_22", + "description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.", + "title": "2.1.22 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.1.22", + "cis_level": "2", + 
"cis_section_id": "2.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nThis integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.\n\n**IMPORTANT:** When enabling integration between DfE \u0026 DfC it needs to be taken into account that this will have some side effects that may be undesirable.\n\n1. For server 2019 \u0026 above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.\n2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.\n\nMicrosoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.\n\nMDE works only with Standard Tier subscriptions.\n\n## Remediation\n\n### From Azure Console\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Microsoft Defender for Cloud`.\n3. Select `Environment Settings` blade.\n4. Select the subscription.\n5. Select `Integrations`.\n6. Check `Allow Microsoft Defender for Endpoint to access my data`.\n7. 
Select `Save`.\n\n### From Azure CLI\n\nUse the below command to enable Standard pricing tier for Storage Accounts\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/\u003csubscriptionID\u003e/providers/Microso ft.Security/settings/WDATP?api-version=2021-06-01 -d@\"input.json\"'\n```\n\nWhere input.json contains the Request body json data as mentioned below.\n\n```bash\n{\n \"id\":\"/subscriptions/\u003cYour_Subscription_Id\u003e/providers/Microsoft.Security/settings/ WDATP\",\n \"kind\": \"DataExportSettings\",\n \"type\": \"Microsoft.Security/settings\",\n \"properties\": {\n \"enabled\": true\n }\n}\n```\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender \u003e 2.2 Microsoft Defender for IoT", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender", + "2.2 Microsoft Defender for IoT" + ], + "control_id": "azure_compliance.control.cis_v200_2_2_1", + "description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.", + "title": "2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "2.2.1", + "cis_level": "2", + "cis_section_id": "2.2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter" + }, + "documentation": "## Description\n\nMicrosoft Defender for IoT acts as a central security hub for IoT devices 
within your organization.\n\nIoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `IoT Hub`.\n2. Select a `IoT Hub` to validate.\n3. Select `Overview` in `Defender for IoT`.\n4. Click on `Secure your IoT solution`, and complete the onboarding.\n\n### Default Value\n\nBy default, Microsoft Defender for IoT is not enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_2_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2/azure_compliance.benchmark.cis_v200_2_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Microsoft Defender", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Microsoft Defender" + ], + "control_id": "azure_compliance.benchmark.cis_v200_2_3", + "description": "", + "title": "2.3 Microsoft Defender for External Attack Surface Monitoring", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nAs more services are exposed to the public internet it is important to be able to monitor the externally exposed surface of your Azure Tenant, to this end it is recommended that tools that monitor this surface are implemented.\n\nMicrosoft have a new tool to do this in their Defender Suite of products. 
Defender EASM, this tool is configured very simply to scan specified domains and report on them, specific domains and addresses can be excluded from the scan.\n\nTypically these tools will report on any vulnerability that is identified (CVE) and will also identify ports and protocols that are open on devices.\n\nResults are classified Critical/High/Medium \u0026 Low with proposed mitigations.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_1", + "description": "Enable data encryption in transit.", + "title": "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.1", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nEnable data encryption in transit.\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From Azure Portal\n\n1. 
Go to `Storage Accounts`.\n2. For each storage account, go to `Configuration`.\n3. Set `Secure transfer required` to `Enabled`.\n\n### From Azure CLI\n\nUse the below command to enable `Secure transfer required` for a `Storage Account`\n\n```bash\naz storage account update --name \u003cstorageAccountName\u003e --resource-group \u003cresourceGroupName\u003e --https-only true\n```\n\n### Default Value\n\nBy default, `Secure transfer required` is set to `Disabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_2", + "description": "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.", + "title": "3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.2", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nEnabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.\n\nAzure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. 
Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.\n\n## Remediation\n\n### From Azure Portal\n\n1. When creating a storage account, proceed as normal, but stop on the `Advanced` tab.\n2. Select `Enabled` next to Infrastructure Encryption.\n\n### From Azure CLI\n\nReplace the information within \u0026lt;\u0026gt; with your values.\n\n```bash\naz storage account create \\\n --name \u003cstorage-account\u003e \\\n --resource-group \u003cresource-group\u003e \\\n --location \u003clocation\u003e \\\n --sku Standard_RAGRS \\\n --kind StorageV2 \\\n --require-infrastructure-encryption\n```\n\n### From Powershell\n\n```bash\nNew-AzStorageAccount -ResourceGroupName \u003cresource_group\u003e `\n -AccountName \u003cstorage-account\u003e `\n -Location \u003clocation\u003e `\n -SkuName \"Standard_RAGRS\" `\n -Kind StorageV2 `\n -RequireInfrastructureEncryption\n```\n\n`Enabling Infrastructure Encryption after Storage Account Creation`\nIf a infrastructure encryption was not enabled on blob storage creation, there is no official way to enable it. 
Please see the additional information section.\n\n### Default Value\n\nBy default, Infrastructure Encryption is disabled in blob creation.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_3", + "description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure.", + "title": "3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.3", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nAccess Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The \"Rotation Reminder\" is an automatic reminder feature for a manual procedure.\n\nReminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program.\n\nCryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. 
For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.'\n\nFor the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.\n\n## Remediation\n\n### From Azure Portal\n\nop down menu to `Days`.\n1. Go to `Storage Accounts`.\n2. For each Storage Account that is not compliant, go to `Access keys`.\n3. Click `Set rotation reminder`.\n4. Check `Enable key rotation reminders`.\n5. In the `Send reminders` field select `Custom`, then set the `Remind me every` field to `90` and the period drop down to `Days`.\n6. Click `Save`.\n\n### Default Value\n\nBy default, Key rotation reminders is not configured.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_4", + "description": "For increased security, regenerate storage account access keys periodically.", + "title": "3.4 Ensure that Storage Account Access Keys are Periodically Regenerated", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.4", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nFor increased security, regenerate storage account access keys periodically.\n\nWhen a storage account is created, Azure generates two 512-bit storage access keys which are used for 
authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result from the compromise of these keys.\n\nCryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.'\n\nFor the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Storage Accounts`.\n2. For each Storage Account with outdated keys, go to `Access keys`.\n3. Click `Rotate key` next to the outdated key, then click `Yes` to the prompt confirming that you want to regenerate the access key.\n\nAfter Azure regenerates the Access Key, you can confirm that `Access keys` reflects a `Last rotated` date of `(0 days ago)`.\n\n### Default Value\n\nBy default, access keys are not regenerated periodically.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_5", + "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. 
Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.", + "title": "3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.5", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nThe Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.\n\nStorage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\n4. Set the `Status` to `On`, if set to `Off`.\n5. Select `Queue properties`.\n6. 
Select `Read`, `Write` and `Delete` options under the `Logging` section to enable Storage Logging for Queue service.\n\n### From Azure CLI\n\nUse the below command to enable the Storage Logging for Queue service.\n\n```bash\naz storage logging update --account-name \u003cstorageAccountName\u003e --account-key \u003cstorageAccountKey\u003e --services q --log rwd --retention 90\n```\n\n### Default Value\n\nBy default storage account queue services are not logged.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_6", + "description": "Expire shared access signature tokens within an hour.", + "title": "3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.6", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nExpire shared access signature tokens within an hour.\n\nA shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. 
This time should be set as low as possible and preferably no longer than an hour.\n\n## Remediation\n\nWhen generating shared access signature tokens, use start and end time such that it falls within an hour.\n\n### From Azure Portal\n\n1. Go to Storage Accounts\n2. For each storage account, go to Shared access signature\n3. Set Start and expiry date/time within an hour\n\n### Default Value\n\nBy default, expiration for shared access signature is set to 8 hours.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_7", + "description": "Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.", + "title": "3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.7", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nDisallowing public access for a storage account overrides the public access settings for individual containers in that storage account.\n\nThe default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. 
It grants read- only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it’s recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future.\n\n## Remediation\n\n### From Azure Portal\n\nFirst, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,\n\n1. Go to `Storage Accounts`.\n2. For each storage account, go to `Networking` in `Security + networking`.\n3. Set `Public Network Access` to `Disabled` if no anonymous access is needed on the storage account.\n\n### From Azure CLI\n\nSet 'Public Network Access' to `Disabled` on the storage account\n\n1. 
Set 'Allow Blob Public Access' to false on the storage account\n\n```bash\naz storage account update --name \u003cstorage-account\u003e --resource-group \u003cresource-group\u003e --public-network-access Disabled\n```\n\n### From PowerShell\n\nFor each Storage Account, run the following to set the `PublicNetworkAccess` setting to `Disabled`.\n\n```bash\nSet-AzStorageAccount -ResourceGroupName \u003cresource group name\u003e -Name \u003cstorage account name\u003e -PublicNetworkAccess Disabled\n```\n\n### Default Value\n\nBy default, `Public Network Access` is set to `Enabled from all networks` for the Storage Account.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_8", + "description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.", + "title": "3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.8", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nRestricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. 
To limit access to selected networks, the default action must be changed.\n\nStorage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `Storage Accounts`.\n2. For each storage account, Click on the `Networking` blade.\n3. Click the `Firewalls and virtual networks` heading.\n4. Ensure that you have elected to `allow access from Selected networks`.\n5. Add rules to allow traffic from specific network.\n6. 
Click Save to apply your changes.\n\n### From Azure CLI\n\nUse the below command to update `default-action` to `Deny`.\n\n```bash\naz storage account update --name \u003cStorageAccountName\u003e --resource-group \u003cresourceGroupName\u003e --default-action Deny\n```\n\n### Default Value\n\nBy default, Storage Accounts will accept connections from clients on any network.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_9", + "description": "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.", + "title": "3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.9", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nSome Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. 
If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).\n\nTurning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling \"`Trusted Azure Services`\" through networking exceptions.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `Storage Accounts`.\n2. For each storage account, Click on the `Networking` blade.\n3. Click on the `Firewalls and virtual networks` heading.\n4. Ensure that `Enabled from selected virtual networks and IP addresses` is selected.\n5. Under the 'Exceptions' label, enable check box for `Allow Azure services on the trusted services list to access this storage account`.\n6. Click Save to apply your changes.\n\n### From Azure CLI\n\nUse the below command to update `Azure services`.\n\n```bash\naz storage account update --name \u003cStorageAccountName\u003e --resource-group \u003cresourceGroupName\u003e --bypass AzureServices\n```\n\n### Default Value\n\nBy default, Storage Accounts will accept connections from clients on any network.\n\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_10", + "description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. 
To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet.", + "title": "3.10 Ensure Private Endpoints are used to access Storage Accounts", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.10", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nUse private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.\n\nSecuring traffic between services through encryption protects the data from easy interception and reading.\n\n## Remediation\n\n### From Azure Console\n\n1. Open the `Storage Accounts` blade.\n2. For each list Storage Account, perform the following:\n3. Under the `Security + networking` heading, click on `Networking`.\n4. Click on the `Private Endpoint Connections` tab at the top of the networking window.\n5. Click the `+Private endpoint` button.\n6. In the `1 - Basics` tab/step:\n - `Enter a name` that will be easily recognizable as associated with the Storage Account (Note: The \"Network Interface Name\" will be automatically completed, but you can customize it if needed.)\n - Ensure that the `Region` matches the region of the Storage Account.\n - Click `Next`.\n7. 
In the `2 - Resource` tab/step:\n - Select the `target sub-resource` based on what type of storage resource is being made available.\n - Click `Next`.\n8. In the `3 - Virtual Network` tab/step:\n - Select the `Virtual network` that your Storage Account will be connecting to.\n - Select the `Subnet` that your Storage Account will be connecting to.\n - (Optional) Select other network settings as appropriate for your environment.\n - Click `Next`.\n9. In the `4 - DNS` tab/step:\n - (Optional) Select other DNS settings as appropriate for your environment\n - Click `Next`.\n10. In the `5 - Tags` tab/step:\n - (Optional) Set any tags that are relevant to your organization.\n - Click `Next`.\n11. In the `6 - Review + create` tab/step:\n - A validation attempt will be made and after a few moments it should indicate `Validation Passed` - if it does not pass, double-check your settings before beginning more in depth troubleshooting.\n - If validation has passed, click `Create` then wait for a few minutes for the scripted deployment to complete.\n\nRepeat the above procedure for each Private Endpoint required within every Storage Account.\n\n### From PowerShell\n\n```bash\n$storageAccount = Get-AzStorageAccount -ResourceGroupName '\n\u003cResourceGroupName\u003e' -Name '\u003cstorageaccountname\u003e'\n\n\n$privateEndpointConnection = @{\n Name = 'connectionName'\n PrivateLinkServiceId = $storageAccount.Id\n GroupID = \"blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_se condary|web|web_secondary|dfs|dfs_secondary\"\n}\n\n$privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection\n\n$virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '\n\u003cResourceGroupName\u003e' -Name '\u003cname\u003e'\n\n\n$privateEndpoint = @{\n ResourceGroupName = '\u003cResourceGroupName\u003e'\n Name = '\u003cPrivateEndpointName\u003e'\n Location = '\u003clocation\u003e'\n Subnet = $virtualNetDetails.Subnets[0]\n 
PrivateLinkServiceConnection = $privateLinkServiceConnection\n}\nNew-AzPrivateEndpoint @privateEndpoint\n```\n\n### From Azure CLI\n\n```bash\naz network private-endpoint create --resource-group \u003cResourceGroupName -- location \u003clocation\u003e --name \u003cprivate endpoint name\u003e --vnet-name \u003cVNET Name\u003e -- subnet \u003csubnet name\u003e --private-connection-resource-id \u003cstorage account ID\u003e -- connection-name \u003cprivate link service connection name\u003e --group-id \u003cblob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_se condary|web|web_secondary|dfs|dfs_secondary\u003e\n```\n\n### Default Value\n\nBy default, Private Endpoints are not created for Storage Accounts.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_11", + "description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.", + "title": "3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.11", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nThe Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. 
Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.\n\nIt is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the **soft delete** configuration. This is to save and recover data when blobs or blob snapshots are deleted.\n\nContainers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the \"Retention policies,\" ranging from 7 days to 365 days.\n\n## Remediation\n\n### From Azure Portal\n\n1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath.\n2. Select Storage.\n3. Select Storage Accounts.\n4. For each Storage Account, navigate to Data protection in the left scroll column.\n5. Check soft delete for both blobs and containers. 
Set the retention period to a sufficient length for your organization.\n\n### From Azure CLI\n\nUpdate blob storage retention days in below command\n\n```bash\naz storage blob service-properties delete-policy update --days-retained \u003cRetentionDaysValue\u003e --account-name \u003cStorageAccountName\u003e --account-key \u003cAccountKey\u003e --enable true\n```\n\nUpdate container retention with the below command\n\n```bash\naz storage account blob-service-properties update\n --enable-container-delete-retention true\n --container-delete-retention-days \u003cdays\u003e\n --account-name \u003cstorage-account\u003e\n --resource-group \u003cresource_group\u003e\n --account-key \u003cAccountKey\u003e\n```\n\n### Default Value\n\nWhen a new storage account is created, soft delete for containers and blob storage is by default **disabled**.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_12", + "description": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.", + "title": "3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.12", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nEnable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.\n\nBy default, data in the storage account is encrypted using Microsoft Managed Keys at rest. 
All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Storage Accounts`.\n2. For each storage account, go to `Encryption`.\n3. Set Customer Managed Keys.\n4. Select the Encryption key and enter the appropriate setting value.\n5. Click `Save`.\n\n### Default Value\n\nBy default, Encryption type is set to Microsoft Managed Keys.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_13", + "description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. 
Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.", + "title": "3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.13", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nThe Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.\n\nStorage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.\n\n## Remediation\n\n### From Azure Portal\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'blob' tab indented below the storage account.\n5. Click '+ Add diagnostic setting'.\n6. 
Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Blob service.\n7. Select a destination for your logs to be sent to.\n\n### From Azure CLI\n\nUse the below command to enable the Storage Logging for Blob service.\n\n```bash\naz storage logging update --account-name \u003cstorageAccountName\u003e --account-key \u003cstorageAccountKey\u003e --services b --log rwd --retention 90\n```\n\n### Default Value\n\nBy default, storage account blob service logging is disabled for read, write, and delete operations.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_14", + "description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. 
Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.", + "title": "3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.14", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nAzure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.\n\nStorage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.\n\n## Remediation\n\n### From Azure Portal\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'table' tab indented below the storage account.\n5. 
Click '+ Add diagnostic setting'.\n6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Table service.\n7. Select a destination for your logs to be sent to.\n\n### From Azure CLI\n\nUse the below command to enable the Storage Logging for Table service.\n\n```bash\naz storage logging update --account-name \u003cstorageAccountName\u003e --account-key \u003cstorageAccountKey\u003e --services t --log rwd --retention 90\n```\n\n### Default Value\n\nBy default, storage account table service logging is disabled for read, write, an delete operations\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Storage Accounts", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Storage Accounts" + ], + "control_id": "azure_compliance.control.cis_v200_3_15", + "description": "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.", + "title": "3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "3.15", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage" + }, + "documentation": "## Description\n\nIn some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. 
This minimum TLS version can be configured to be later protocols such as TLS 1.2.\n\nTLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.\n\n## Remediation\n\n### From Azure Console\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `Storage Accounts`.\n3. Click on each Storage Account.\n4. Under `Setting` section, Click on `Configuration`.\n5. Set the `minimum TLS version` to be Version 1.2.\n\n### From Azure CLI\n\n```bash\naz storage account update \\\n--name \u003cstorage-account\u003e \\\n--resource-group \u003cresource-group\u003e \\\n--min-tls-version TLS1_2\n```\n\n### From Azure Powershell\n\nTo set the minimum TLS version, run the following command:\n\n```bash\nSet-AzStorageAccount -AccountName \u003cSTORAGEACCOUNTNAME\u003e `\n-ResourceGroupName \u003cRESOURCEGROUPNAME\u003e `\n-MinimumTlsVersion TLS1_2\n```\n\n### Default Value\n\nIf a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2.\n\nIf a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + ], + "control_id": "azure_compliance.control.cis_v200_4_1_1", + "description": "Enable auditing on SQL Servers.", + "title": "4.1.1 Ensure that 'Auditing' is set to 'On'", + "tags": { + "category": "Compliance", + "cis": 
"true", + "cis_item_id": "4.1.1", + "cis_level": "1", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable auditing on SQL Servers.\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.\n\nAuditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. Select the SQL server instance.\n3. Under `Security`, click `Auditing`.\n4. Click the toggle next to `Enable Azure SQL Auditing`.\n5. Select an Audit log destination.\n6. 
Click `Save`.\n\n### From Powershell\n\nGet the list of all SQL Servers\n\n```bash\nGet-AzSqlServer\n```\n\nFor each Server, enable auditing and set the retention for at least 90 days.\n\n### Log Analytics Example\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cSQL Server name\u003e -RetentionInDays \u003cNumber of Days to retain the audit logs, should be 90days minimum\u003e -LogAnalyticsTargetState Enabled - WorkspaceResourceId \"/subscriptions/\u003csubscription ID\u003e/resourceGroups/insights- integration/providers/Microsoft.OperationalInsights/workspaces/\u003cworkspace name\u003e\n```\n\n## Event Hub Example\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \"\u003cresource group name\u003e\" -ServerName\n\"\u003cSQL Server name\u003e\" -EventHubTargetState Enabled -EventHubName\n\"\u003cEvent Hub name\u003e\" -EventHubAuthorizationRuleResourceId \"\u003cEvent HubAuthorization Rule Resource ID\u003e\"\n```\n\n## Blob Storage Example*\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \"\u003cresource group name\u003e\" -ServerName \"\u003cSQL Server name\u003e\" -BlobStorageTargetState Enabled\n-StorageAccountResourceId \"/subscriptions/\u003csubscription_ID\u003e/resourceGroups/\u003cResource_Group\u003e/providers/M icrosoft.Stora\nge/storageAccounts/\u003cStorage Account name\u003e\"\n```\n\n### Default Value\n\nBy default, `Enable Azure SQL Auditing` is set to `Off`.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + 
], + "control_id": "azure_compliance.control.cis_v200_4_1_2", + "description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).", + "title": "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.1.2", + "cis_level": "1", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\nAzure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\nBy default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services.\n\nAdditionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet.\n\nIn order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. For each SQL server.\n3. Click on `Networking`.\n4. `Uncheck` the checkbox for `Allow Azure services and resources to access this server`.\n5. 
Set firewall rules to limit access to only authorized connections.\n\n### From Azure CLI\n\nDisable default firewall rule `Allow access to Azure services`:\n\n```bash\naz sql server firewall-rule delete --resource-group \u003cresource group\u003e --server \u003csql server name\u003e --name \"AllowAllWindowsAzureIps\"\n```\n\nRemove a custom firewall rule:\n\n```bash\naz sql server firewall-rule delete --resource-group \u003cresource group\u003e --server \u003csql server name\u003e --name \u003cfirewall rule name\u003e\n```\n\nCreate a firewall rule:\n\n```bash\naz sql server firewall-rule create --resource-group \u003cresource group\u003e --server \u003csql server name\u003e --name \u003cfirewall rule name\u003e --start-ip-address \"\u003cIP Address other than 0.0.0.0\u003e\" --end-ip-address \"\u003cIP Address other than 0.0.0.0 or 255.255.255.255\u003e\"\n```\n\nUpdate a firewall rule:\n\n```bash\naz sql server firewall-rule update --resource-group \u003cresource group\u003e --server \u003csql server name\u003e --name \u003cfirewall rule name\u003e --start-ip-address \"\u003cIP Address other than 0.0.0.0\u003e\" --end-ip-address \"\u003cIP Address other than 0.0.0.0 or 255.255.255.255\u003e\"\n```\n\n### From PowerShell\n\nDisable Default Firewall Rule `Allow access to Azure services:\n\n```bash\nRemove-AzSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e\n```\n\nRemove a custom Firewall rule:\n\n```bash\nRemove-AzSqlServerFirewallRule -FirewallRuleName \"\u003cfirewall rule name\u003e\" -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e\n```\n\nSet the appropriate firewall rules:\n\n```bash\nSet-AzSqlServerFirewallRule -ResourceGroupName \u003cresource group name\u003e - ServerName \u003cserver name\u003e -FirewallRuleName \"\u003cfirewall rule name\u003e\" - StartIpAddress \"\u003cIP Address other than 0.0.0.0\u003e\" 
-EndIpAddress \"\u003cIP Address other than 0.0.0.0 or 255.255.255.255\u003e\"\n```\n\n### Default Value\n\nBy default, `Allow access to Azure Services` is set to `NO`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + ], + "control_id": "azure_compliance.control.cis_v200_4_1_3", + "description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.", + "title": "4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.1.3", + "cis_level": "2", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nTransparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.\n\nWith TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. 
Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.\n\nBased on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\nFor the desired server instance\n\n2. Click On `Transparent data encryption`.\n3. Set `Transparent data encryption` to `Customer-managed key`.\n4. Browse through your `key vaults` to Select an existing key or create a new key in the Azure Key Vault.\n5. 
Check `Make selected key the default TDE protector`.\n\n### From Azure CLI\n\nUse the below command to encrypt SQL server's TDE protector with a Customer- managed key\n\n```bash\naz sql server tde-key set --resource-group \u003cresourceName\u003e --server \u003cdbServerName\u003e --server-key-type {AzureKeyVault} --kid \u003ckeyIdentifier\u003e\n```\n\n### From PowerShell\n\nUse the below command to encrypt SQL server's TDE protector with a Customer- managed Key Vault key\n\n```bash\nSet-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId \u003cKeyIdentifier\u003e -ServerName \u003cServerName\u003e -ResourceGroupName\n\u003cResourceGroupName\u003e\n```\n\nSelect `Y` when prompted\n\n### Default Value\n\nBy Default, Microsoft managed TDE protector is enabled for a SQL server.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + ], + "control_id": "azure_compliance.control.cis_v200_4_1_4", + "description": "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.", + "title": "4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.1.4", + "cis_level": "1", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database to 
manage credentials in a single place.\n\nAzure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.\n- It provides an alternative to SQL Server authentication.\n- Helps stop the proliferation of user identities across database servers.\n- Allows password rotation in a single place.\n- Customers can manage database permissions using external (AAD) groups.\n- It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory.\n- Azure AD authentication uses contained database users to authenticate identities at the database level.\n- Azure AD supports token-based authentication for applications connecting to SQL Database.\n- Azure AD authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization.\n- Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. For each SQL server, click on `Active Directory admin`.\n3. Click on `Set admin`.\n4. Select an admin.\n5. 
Click `Save`.\n\n### From Azure CLI\n\n```bash\naz ad user show --id\n```\n\nFor each Server, set AD Admin\n\n```bash\naz sql server ad-admin create --resource-group \u003cresource group name\u003e --server \u003cserver name\u003e --display-name \u003cdisplay name\u003e --object-id \u003cobject id of user\u003e\n```\n\n### Using PowerShell\n\nFor each Server, set AD Admin\n\n```bash\nSet-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -DisplayName \"\u003cDisplay name of AD account to set as DB administrator\u003e\"\n```\n\n### Default Value\n\nAzure Active Directory Authentication for SQL Database/Server is not enabled by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + ], + "control_id": "azure_compliance.control.cis_v200_4_1_5", + "description": "Enable Transparent Data Encryption on every SQL server.", + "title": "4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.1.5", + "cis_level": "1", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable Transparent Data Encryption on every SQL server.\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated 
backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL databases`.\n2. For each DB instance.\n3. Click on `Transparent data encryption`.\n4. Set `Data encryption` to `On`.\n\n### From Azure CLI\n\nUse the below command to enable `Transparent data encryption` for SQL DB instance.\n\n```bash\naz sql db tde set --resource-group \u003cresourceGroup\u003e --server \u003cdbServerName\u003e --database \u003cdbName\u003e --status Enabled\n```\n\n### From PowerShell\n\nUse the below command to enable `Transparent data encryption` for SQL DB instance.\n\n```bash\nSet-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName \u003cResource Group Name\u003e -ServerName \u003cSQL Server Name\u003e -DatabaseName \u003cDatabase Name\u003e -State 'Enabled'\n```\n\n**Note:**\n\n- TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.\n- Azure Portal does not show master databases per SQL server. 
However, CLI/API responses will show master databases.\n\n### Default Value\n\nBy default, `Data encryption` is set to `On`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.1 SQL Server - Auditing", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.1 SQL Server - Auditing" + ], + "control_id": "azure_compliance.control.cis_v200_4_1_6", + "description": "SQL Server Audit Retention should be configured to be greater than 90 days.", + "title": "4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.1.6", + "cis_level": "1", + "cis_section_id": "4.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\nAudit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. For each server instance.\n3. Click on `Auditing`.\n4. If storage is selected, expand `Advanced properties`.\n5. Set the `Retention (days)` setting greater than `90` days or `0` for unlimited retention.\n6. 
Select `Save`.\n\n### From Powershell\n\nFor each Server, set retention policy to more than 90 days\n\n### Log Analytics Example\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cSQL Server name\u003e -RetentionInDays \u003cNumber of Days to retain the audit logs, should be more than 90 days\u003e -LogAnalyticsTargetState Enabled - WorkspaceResourceId \"/subscriptions/\u003csubscription ID\u003e/resourceGroups/insights- integration/providers/Microsoft.OperationalInsights/workspaces/\u003cworkspace name\u003e\n```\n\n### Event Hub Example\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \"\u003cresource group name\u003e\" -ServerName \"\u003cSQL Server name\u003e\" -EventHubTargetState Enabled -EventHubName\n\"\u003cEvent Hub name\u003e\" -EventHubAuthorizationRuleResourceId \"\u003cEvent Hub Authorization Rule Resource ID\u003e\"\n```\n\n### Blob Storage Example*\n\n```bash\nSet-AzSqlServerAudit -ResourceGroupName \"\u003cresource group name\u003e\" -ServerName \"\u003cSQL Server name\u003e\" -BlobStorageTargetState Enabled\n-StorageAccountResourceId \"/subscriptions/\u003csubscription_ID\u003e/resourceGroups/\u003cResource_Group\u003e/providers/M icrosoft.Stora\nge/storageAccounts/\u003cStorage Account name\u003e\"\n```\n\n### Default Value\n\nBy default, SQL Server audit storage is `disabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.2 SQL Server - Microsoft Defender for SQL", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.2 SQL Server - Microsoft Defender for SQL" + ], + "control_id": 
"azure_compliance.control.cis_v200_4_2_1", + "description": "Enable \"Azure Defender for SQL\" on critical SQL Servers.", + "title": "4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.2.1", + "cis_level": "2", + "cis_section_id": "4.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable \"Microsoft Defender for SQL\" on critical SQL Servers.\n\nMicrosoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers` For each \"critical\" server instance (e.g. production SQL servers)\n2. Click `Microsoft Defender for Cloud`\n3. 
Click `Enable Microsoft Defender for SQL`\n\n### From Powershell\n\nEnable `Advanced Data Security` for a SQL Server:\n\n```bash\nSet-AzSqlServerThreatDetectionPolicy -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -EmailAdmins $True\n```\n\n**Note:**\n\n- Enabling 'Microsoft Defender for SQL' from the Azure portal enables `Threat Detection`\n- Using Powershell command `Set-AzSqlServerThreatDetectionPolicy` enables `Microsoft Defender for SQL` for a SQL server\n\n### Default Value\n\nBy default, `Microsoft Defender for SQL` is set to `Off`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.2 SQL Server - Microsoft Defender for SQL", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.2 SQL Server - Microsoft Defender for SQL" + ], + "control_id": "azure_compliance.control.cis_v200_4_2_2", + "description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.", + "title": "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.2.2", + "cis_level": "2", + "cis_section_id": "4.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\nEnabling Microsoft Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless 
storage account is set to store the scanning data and reports.\n\nThe Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. Select a server instance.\n3. Click on `Security Center`.\n4. Select `Configure` next to `Enabled at subscription-level`.\n5. In Section `Vulnerability Assessment Settings`, Click `Select Storage account`.\n6. Choose Storage Account (Existing or `Create New`). Click `Ok`.\n7. Click `Save`.\n\n### From Powershell\n\nIf not already, Enable `Microsoft Defender for a SQL`:\n\n```bash\nSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -EmailAdmins $True\n```\n\nTo enable ADS-VA service by setting Storage Account\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting `\n -ResourceGroupName \"\u003cresource group name\u003e\"`\n -ServerName \"\u003cServer Name\u003e\"`\n -StorageAccountName \"\u003cStorage Name from same subscription andsame Location\" `\n -ScanResultsContainerName \"vulnerability-assessment\" `\n -RecurringScansInterval Weekly `\n -EmailSubscriptionAdmins $true `\n -NotificationEmail @(\"mail1@mail.com\" , \"mail2@mail.com\")\n```\n\n### Default Value\n\nBy default, Microsoft Defender for SQL is not enabled for a SQL server. 
Enabling Microsoft Defender for SQL does not enable VA scanning by setting Storage Account automatically.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.2 SQL Server - Microsoft Defender for SQL", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.2 SQL Server - Microsoft Defender for SQL" + ], + "control_id": "azure_compliance.control.cis_v200_4_2_3", + "description": "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.", + "title": "4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.2.3", + "cis_level": "2", + "cis_section_id": "4.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\nVA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. For each server instance.\n3. Click on `Security Center`.\n4. In Section `Vulnerability Assessment Settings`, set `Storage Account` if not already.\n5. Toggle 'Periodic recurring scans' to ON.\n6. 
Click `Save`.\n\n### From Powershell\n\nIf not already, Enable `Advanced Data Security` for a SQL Server:\n\n```bash\nSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -EmailAdmins $True\n```\n\nTo enable ADS-VA service with 'Periodic recurring scans'\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting `\n -ResourceGroupName \"\u003cresource group name\u003e\"`\n -ServerName \"\u003cServer Name\u003e\"`\n -StorageAccountName \"\u003cStorage Name from same subscription and same Location\" `\n -ScanResultsContainerName \"vulnerability-assessment\" `\n -RecurringScansInterval Weekly `\n -EmailSubscriptionAdmins $true `\n -NotificationEmail @(\"mail1@mail.com\" , \"mail2@mail.com\")\n```\n\n### Default Value\n\nEnabling `Microsoft Defender for SQL` enables 'Periodic recurring scans' by default but does not configure the Storage account.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.2 SQL Server - Microsoft Defender for SQL", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.2 SQL Server - Microsoft Defender for SQL" + ], + "control_id": "azure_compliance.control.cis_v200_4_2_4", + "description": "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.", + "title": "4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.2.4", + "cis_level": "2", + "cis_section_id": "4.2", + "cis_type": "automated", + 
"cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nConfigure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.\n\nVulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. Select a server instance.\n3. Select `Microsoft Defender for Cloud`.\n4. Select `Configure` next to `Enablement status`.\n5. Set `Microsoft Defender for SQL` to `On`.\n6. Under `Vulnerability Assessment Settings`, select a Storage Account.\n7. Set `Periodic recurring scans` to `On`.\n8. Under `Send scan reports to`, provide email addresses for data owners and stakeholders.\n9. Click `Save`.\n\n### From Powershell\n\nIf not already, Enable `Advanced Data Security` for a SQL Server:\n\n```bash\nSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -EmailAdmins $True\n```\n\nTo enable ADS-VA service and Set 'Send scan reports to'\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting\n `-ResourceGroupName \"\u003cresource group name\u003e\"`\n -ServerName \"\u003cServer Name\u003e\"`\n -StorageAccountName \"\u003cStorage Name from same subscription and same Location\" `\n -ScanResultsContainerName \"vulnerability-assessment\" `\n -RecurringScansInterval Weekly `\n -EmailSubscriptionAdmins $true `\n -NotificationEmail @(\"mail1@mail.com\" , \"mail2@mail.com\")\n```\n\n### Default Value\n\nBy default, 'Send reports to' is blank.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.2 SQL Server - Microsoft Defender for SQL", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.2 SQL Server - Microsoft Defender for SQL" + ], + "control_id": "azure_compliance.control.cis_v200_4_2_5", + "description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.", + "title": "4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.2.5", + "cis_level": "1", + "cis_section_id": "4.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nEnable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.\n\nVA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `SQL servers`.\n2. Select a server instance.\n3. Click on `Security Center`.\n4. Select `Configure` next to `Enabled at subscription-level`.\n5. In Section `Vulnerability Assessment Settings`, configure `Storage Accounts` if not already.\n6. Check/enable 'Also send email notifications to admins and subscription owners'.\n7. 
Click `Save`.\n\n### From Powershell\n\nIf not already, Enable `Advanced Data Security` for a SQL Server:\n\n```bash\nSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName \u003cresource group name\u003e -ServerName \u003cserver name\u003e -EmailAdmins $True\n```\n\nTo enable ADS-VA service and Set 'Also send email notifications to admins and subscription owners'\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting `\n -ResourceGroupName \"\u003cresource group name\u003e\"`\n -ServerName \"\u003cServer Name\u003e\"`\n -StorageAccountName \"\u003cStorage Name from same subscription and same Location\" `\n -ScanResultsContainerName \"vulnerability-assessment\" `\n -RecurringScansInterval Weekly `\n -EmailSubscriptionAdmins $true `\n -NotificationEmail @(\"mail1@mail.com\" , \"mail2@mail.com\")\n```\n\n### Default Value\n\nBy default, 'Also send email notifications to admins and subscription owners' is enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_1", + "description": "Enable SSL connection on PostgreSQL Servers.", + "title": "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.1", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## 
Description\n\nEnable `SSL connection` on `PostgreSQL` Servers.\n\n`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com)\n2. Go to Azure Database for `PostgreSQL server`.\n3. For each database, click on `Connection security`.\n4. In `SSL` settings, click on `ENABLED` to enforce SSL connections.\n5. Click `Save`.\n\n### From Azure CLI\n\nUse the below command to `enforce ssl connection` for `PostgreSQL` Database.\n\n```bash\naz postgres server update --resource-group \u003cresourceGroupName\u003e --name\n\u003cserverName\u003e --ssl-enforcement Enabled\n```\n\n### From PowerShell\n\n```bash\nUpdate-AzPostgreSqlServer -ResourceGroupName \u003cResourceGroupName \u003e -ServerName \u003cServerName\u003e -SslEnforcement Enabled\n```\n\n### Default Value\n\nBy default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_2", + "description": "Enable log_checkpoints on PostgreSQL Servers.", + "title": "4.3.2 Ensure 
Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.2", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nEnable `log_checkpoints` on `PostgreSQL Servers`.\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to `Log each checkpoint` in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_checkpoints`.\n5. Click `ON` and save.\n\n### From Azure CLI\n\nUse the below command to update `log_checkpoints` configuration.\n\n```bash\naz postgres server configuration set --resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --name log_checkpoints --value on\n```\n\n### From PowerShell\n\n```bash\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName \u003cResourceGroupName\u003e - ServerName \u003cServerName\u003e -Name log_checkpoints -Value on\n```\n\n### Default Value\n\nBy default `log_checkpoints` is enabled (set to `on`).\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 
Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_3", + "description": "Enable log_connections on PostgreSQL Servers.", + "title": "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.3", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nEnable `log_connections` on `PostgreSQL Servers`.\n\nEnabling `log_connections` helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_connections`.\n5. 
Click `ON` and save.\n\n### From Azure CLI\n\nUse the below command to update `log_connections` configuration.\n\n```bash\naz postgres server configuration set --resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --name log_connections --value on\n```\n\n### From PowerShell\n\nUse the below command to update `log_connections` configuration.\n\n```bash\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName \u003cResourceGroupName\u003e - ServerName \u003cServerName\u003e -Name log_connections -Value on\n```\n\n### Default Value\n\nBy default `log_connections` is enabled (set to `on`).\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_4", + "description": "Enable log_disconnections on PostgreSQL Servers.", + "title": "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.4", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nEnable `log_disconnections` on `PostgreSQL Servers`.\n\nEnabling `log_disconnections` helps PostgreSQL Database to `Logs end of a session`, including duration, which in turn generates query and error logs. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database` for `PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_disconnections`.\n5. Click `ON` and save.\n\n### From Azure CLI\n\nUse the below command to update `log_disconnections` configuration.\n\n```bash\naz postgres server configuration set --resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --name log_connections --value on\n```\n\n### From Powershell\n\nUse the below command to update `log_disconnections` configuration.\n\n```bash\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName \u003cResourceGroupName\u003e - ServerName \u003cServerName\u003e -Name log_disconnections -Value on\n```\n\n### Default Value\n\nBy default `log_disconnections` is disabled (set to `off`).\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_5", + "description": "Enable connection_throttling on PostgreSQL Servers.", + "title": "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.5", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", 
+ "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nEnable `connection_throttling` on `PostgreSQL Servers`.\n\nEnabling `connection_throttling` helps the PostgreSQL Database to `Set the verbosity of logged messages`. This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From Azure Console\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `connection_throttling`.\n5. Click `ON` and save.\n\n### From Azure CLI\n\nUse the below command to update `connection_throttling` configuration.\n\n```bash\naz postgres server configuration set --resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --name connection_throttling --value on\n```\n\n### From PowerShell\n\nUse the below command to update `connection_throttling` configuration.\n\n```bash\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName \u003cResourceGroupName\u003e - ServerName \u003cServerName\u003e -Name connection_throttling -Value on\n```\n\n### Default Value\n\nBy default, `connection_throttling` is enabled (set to `on`).\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", 
+ "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_6", + "description": "Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.", + "title": "4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.6", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nEnsure `log_retention_days` on `PostgreSQL Servers` is set to an appropriate value.\n\nConfiguring `log_retention_days` determines the duration in days that `Azure Database for PostgreSQL` retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_retention_days`.\n5. 
Input a value between 4 and 7 (inclusive) and click `Save`.\n\n### From Azure CLI\n\nUse the below command to update `log_retention_days` configuration.\n\n```bash\naz postgres server configuration set --resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --name log_retention_days --value \u003c4-7\u003e\n```\n\n### From Powershell\n\nUse the below command to update `log_retention_days` configuration.\n\n```bash\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName \u003cResourceGroupName\u003e - ServerName \u003cServerName\u003e -Name log_retention_days -Value \u003c4-7\u003e\n```\n\n### Default Value\n\nBy default `log_retention_days` is set to `3`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_7", + "description": "Disable access from Azure services to PostgreSQL Database Server.", + "title": "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.7", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + "documentation": "## Description\n\nDisable access from Azure services to PostgreSQL Database Server.\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your 
subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Connection security`.\n4. Under `Firewall rules`, set `Allow access to Azure services` to `No`.\n5. Click `Save`.\n\n### From Azure CLI\n\nUse the below command to delete the AllowAllWindowsAzureIps rule for PostgreSQL Database.\n\n```bash\naz postgres server firewall-rule delete --name AllowAllWindowsAzureIps -- resource-group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e\n```\n\n### Default Value\n\nThe Azure Postgres firewall is set to block all access by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.3 PostgreSQL Database Server", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.3 PostgreSQL Database Server" + ], + "control_id": "azure_compliance.control.cis_v200_4_3_8", + "description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.", + "title": "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.3.8", + "cis_level": "1", + "cis_section_id": "4.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/PostgreSQL" + }, + 
"documentation": "## Description\n\nAzure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.\n\nIf Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.\n\n## Remediation\n\nIt is not possible to enable 'infrastructure double encryption' on an existing Azure Database for PostgreSQL server.\nThe remediation steps detail the creation of a new Azure Database for PostgreSQL server with 'infrastructure double encryption' enabled.\n\n### From Azure Portal\n\n1. Go through the normal process of database creation.\n2. On step 2 titled 'Additional settings' ensure that 'Infrastructure double encryption enabled' is 'checked'.\n3. Acknowledge that you understand this will impact database performance.\n4. 
Finish database creation as normal.\n\n```bash\naz postgres server create --resource-group \u003cresourcegroup\u003e --name \u003cservername\u003e --location \u003clocation\u003e --admin-user \u003cadminusername\u003e --admin- password \u003cserver_admin_password\u003e --sku-name GP_Gen4_2 --version 11 -- infrastructure-encryption Enabled\n```\n\n### Default Value:\n\nBy Default, Double Encryption is disabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.4 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.4 MySQL Database" + ], + "control_id": "azure_compliance.control.cis_v200_4_4_1", + "description": "Enable SSL connection on MySQL Servers.", + "title": "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.4.1", + "cis_level": "1", + "cis_section_id": "4.4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/MySQL" + }, + "documentation": "## Description\n\nEnable `SSL connection` on `MYSQL` Servers.\n\nSSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. 
Go to `Azure Database for MySQL servers`.\n3. For each database, click on `Connection security`.\n4. In `SSL` settings, click on `ENABLED` to `Enforce SSL connections`.\n\n### From Azure CLI\n\nUse the below command to set MYSQL Databases to Enforce SSL connection.\n\n```bash\naz mysql server update --resource-group \u003cresourceGroupName\u003e --name \u003cserverName\u003e --ssl-enforcement Enabled\n```\n\n### Default Value\n\nAzure Database for MySQL when provisioned through the Azure portal or CLI will require SSL connections by default.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.4 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.4 MySQL Database" + ], + "control_id": "azure_compliance.control.cis_v200_4_4_2", + "description": "Ensure TLS version on MySQL flexible servers is set to the default value.", + "title": "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.4.2", + "cis_level": "1", + "cis_section_id": "4.4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/MySQL" + }, + "documentation": "## Description\n\nEnsure `TLS version` on `MySQL flexible` servers is set to the default value.\n\nTLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). 
Enforcing TLS connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com)\n2. Go to `Azure Database for MySQL flexible servers`\n3. For each database, click on `Server parameters` under `Settings`\n4. In the search box, type in `tls_version`\n5. Click on the VALUE dropdown, and ensure only `TLSV1.2` is selected for `tls_version`\n\n### From Azure CLI\n\nUse the below command to set MYSQL flexible databases to used version 1.2 for the `tls_version` parameter.\n\n```bash\naz mysql flexible-server parameter set --name tls_version --resource- group \u003cresourceGroupName\u003e --server-name \u003cserverName\u003e --value TLSV1.2\n```\n\n### Default Value\n\nBy default, TLS is set to v1.2 for MySQL Flexible servers.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.4 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.4 MySQL Database" + ], + "control_id": "azure_compliance.control.cis_v200_4_4_3", + "description": "Enable audit_log_enabled on MySQL Servers.", + "title": "4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.4.3", + "cis_level": "2", + "cis_section_id": "4.4", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/MySQL" + }, + "documentation": "## 
Description\n\nEnable audit_log_enabled on MySQL Servers.\n\nEnabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Select `Azure Database for MySQL Servers`.\n3. Select a database.\n4. Under Settings, select `Server parameters`.\n5. Update `audit_log_enabled` parameter to ON\n6. Under Monitoring, select `Diagnostic settings`.\n7. Select `+ Add diagnostic setting`.\n8. Provide a diagnostic setting name.\n9. Under Categories, select `MySQL Audit Logs`.\n10. Specify destination details.\n11. Click `Save`.\n\nIt may take up to 10 minutes for the logs to appear in the configured destination.\n\n### Default Value\n\naudit_log_enabled is set to OFF by default\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.4 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.4 MySQL Database" + ], + "control_id": "azure_compliance.control.cis_v200_4_4_4", + "description": "Set audit_log_enabled to include CONNECTION on MySQL Servers.", + "title": "4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.4.4", + "cis_level": "2", + "cis_section_id": "4.4", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/MySQL" + }, 
+ "documentation": "## Description\n\nSet `audit_log_enabled` to include CONNECTION on MySQL Servers.\n\nEnabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Select `Azure Database for MySQL servers`.\n3. Select a database.\n4. Under Settings, select `Server parameters`.\n5. Update `audit_log_enabled` parameter to `ON`.\n6. Update `audit_log_events` parameter to have at least `CONNECTION` checked.\n7. Click `Save`.\n8. Under `Monitoring`, select `Diagnostic settings`.\n9. Select `+ Add diagnostic setting`.\n10. Provide a diagnostic setting name.\n11. Under `Categories`, select `MySQL Audit Logs`.\n12. Specify destination details.\n13. Click `Save`.\n\nIt may take up to 10 minutes for the logs to appear in the configured destination.\n\n### Default Value\n\nBy default `audit_log_events` is disabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.5 Cosmos DB", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.5 Cosmos DB" + ], + "control_id": "azure_compliance.control.cis_v200_4_5_1", + "description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.", + "title": "4.5.1 Ensure That 'Firewalls \u0026 Networks' Is Limited to Use Selected Networks Instead of All Networks", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.5.1", + "cis_level": "2", 
+ "cis_section_id": "4.5", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nLimiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.\n\nSelecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.\n\n## Remediation\n\n### From Azure Portal\n\n1. Open the portal menu.\n2. Select the Azure Cosmos DB blade.\n3. Select a Cosmos DB account to audit.\n4. Select `Networking`.\n5. Under `Public network access`, select `Selected networks`.\n6. Under `Virtual networks`, select `+ Add existing virtual network` or `+ Add a new virtual network`.\n7. For existing networks, select subscription, virtual network, subnet and click `Add`. For new networks, provide a name, update the default values if required, and click `Create`.\n8. Click `Save`.\n\n### Default Value\n\nBy default, Cosmos DBs are set to have access all networks.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.5 Cosmos DB", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.5 Cosmos DB" + ], + "control_id": "azure_compliance.control.cis_v200_4_5_2", + "description": "Private endpoints limit network traffic to approved sources.", + "title": "4.5.2 Ensure That Private Endpoints Are Used Where Possible", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.5.2", + "cis_level": "2", + "cis_section_id": "4.5", + "cis_type": "manual", + "cis_version": "v2.0.0", + 
"plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nPrivate endpoints limit network traffic to approved sources.\n\nFor sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.\n\n## Remediation\n\n### From Azure Portal\n\n1. Open the portal menu.\n2. Select the Azure Cosmos DB blade.\n3. Select the Azure Cosmos DB account.\n4. Select `Networking`.\n5. Select `Private access`.\n6. Click `+ Private Endpoint`.\n7. Provide a Name.\n8. Click `Next`.\n9. From the Resource type drop down, select `Microsoft.AzureCosmosDB/databaseAccounts`.\n10. From the Resource drop down, select the Cosmos DB account.\n11. Click `Next`.\n12. Provide appropriate Virtual Network details.\n13. Click `Next`.\n14. Provide appropriate DNS details.\n15. Click `Next`.\n16. Optionally provide Tags.\n17. Click `Next` : `Review + create`.\n18. Click `Create`.\n\n### Default Value\n\nBy default Cosmos DB does not have private endpoints enabled and its traffic is public to the network.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Database Services \u003e 4.5 Cosmos DB", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Database Services", + "4.5 Cosmos DB" + ], + "control_id": "azure_compliance.control.cis_v200_4_5_3", + "description": "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. 
Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.", + "title": "4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "4.5.3", + "cis_level": "1", + "cis_section_id": "4.5", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL" + }, + "documentation": "## Description\n\nCosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.\n\nAAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.\n\n## Remediation\n\nMap all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.\nCreate an Azure Active Directory (AAD) identity for each of these resources:\nFor Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities.\nFor non-Azure resources, create an AAD identity.\nGrant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor.\nValidate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. 
When all resources are working correctly with the new identities, continue to the next step.\nYou can use the az resource update powershell command:\n- $cosmosdbname = \"cosmos-db-account-name\"\n- $resourcegroup = \"resource-group-name\"\n- $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group\n- $resourcegroup | ConvertFrom-Json\naz resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest- include-preview.\n\n### Default Value:\n\nThe default is to use tokens/keys for client authentication.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_4_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_4/azure_compliance.benchmark.cis_v200_4_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_1", + "description": "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.", + "title": "5.1.1 Ensure that a 'Diagnostic Setting' exists", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.1", + "cis_level": "1", + "cis_section_id": "5.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nEnable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. 
Settings should be configured for all appropriate resources for your environment.\n\nA diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.\n\n## Remediation\n\n### From Azure Portal\n\nTo enable Diagnostic Settings on a Subscription:\n\n1. Go to `Monitor`.\n2. Click on `Activity Log`.\n3. Click on `Export Activity Logs`.\n4. Click `+ Add diagnostic setting`.\n5. Enter a `Diagnostic setting name`.\n6. Select `Categories` for the diagnostic settings.\n7. Select the appropriate `Destination details` (this may be Log Analytics/Storage Account/Event Hub or Partner solution).\n8. Click `Save`.\n\nTo enable Diagnostic Settings on a specific resource:\n\n1. Go to `Monitor`.\n2. Click `Diagnostic settings`.\n3. Click on the resource that has a diagnostics status of `disabled`.\n4. Select `Add Diagnostic Setting`.\n5. Enter a `Diagnostic setting name`.\n6. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub).\n7. Click `save`.\n\nRepeat these step for all resources as needed.\n\n### From Azure CLI\n\nTo configure Diagnostic Settings on a Subscription:\n\n```bash\naz monitor diagnostic-settings subscription create --subscription \u003csubscription id\u003e --name \u003cdiagnostic settings name\u003e --location \u003clocation\u003e \u003c[- -event-hub \u003cevent hub ID\u003e --event-hub-auth-rule \u003cevent hub auth rule ID\u003e] [-- storage-account \u003cstorage account ID\u003e] [--workspace \u003clog analytics workspace ID\u003e] --logs \"\u003cJSON encoded categories\u003e\" (e.g. 
[{category:Security,enabled:true},{category:Administrative,enabled:true},{cat egory:Alert,enabled:true},{category:Policy,enabled:true}])\n```\n\nTo configure Diagnostic Settings on a specific resource:\n\n```bash\naz monitor diagnostic-settings create --subscription \u003csubscription ID\u003e -- resource \u003cresource ID\u003e --name \u003cdiagnostic settings name\u003e \u003c[--event-hub \u003cevent hub ID\u003e --event-hub-rule \u003cevent hub auth rule ID\u003e] [--storage-account \u003cstorage account ID\u003e] [--workspace \u003clog analytics workspace ID\u003e] --logs \u003cresource specific JSON encoded log settings\u003e --metrics \u003cmetric settings (shorthand|json-file|yaml-file)\u003e\n```\n\n### From PowerShell\n\nTo configure Diagnostic Settings on a subscription:\n\n```bash\n$logCategories = @();\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Administrative -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Security -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category ServiceHealth -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Alert -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Recommendation -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -\nCategory Policy -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Autoscale -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category ResourceHealth -Enabled $true\n\nNew-AzSubscriptionDiagnosticSetting -SubscriptionId \u003csubscription ID\u003e -Name \u003cDiagnostic settings name\u003e \u003c[-EventHubAuthorizationRule \u003cevent hub auth rule ID\u003e -EventHubName \u003cevent hub name\u003e] [-StorageAccountId \u003cstorage account ID\u003e] 
[-WorkSpaceId \u003clog analytics workspace ID\u003e] [-MarketplacePartner ID \u003cfull ARM Marketplace resource ID\u003e]\u003e -Log $logCategories\n```\n\nTo configure Diagnostic Settings on a specific resource:\n\n```bash\n$logCategories = @()\n$logCategories += New-AzDiagnosticSettingLogSettingsObject -Category \u003cresource specific log category\u003e -Enabled $true\n\nRepeat command and variable assignment for each Log category specific to the resource where this Diagnostic Setting will get configured.\n\n$metricCategories = @()\n$metricCategories += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true [-Category \u003cresource specific metric category | AllMetrics\u003e] [- RetentionPolicyDay \u003cInteger\u003e] [-RetentionPolicyEnabled $true]\n\nRepeat command and variable assignment for each Metric category or use the 'AllMetrics' category.\n\nNew-AzDiagnosticSetting -ResourceId \u003cresource ID\u003e -Name \u003cDiagnostic settings name\u003e -Log $logCategories -Metric $metricCategories [- EventHubAuthorizationRuleId \u003cevent hub auth rule ID\u003e -EventHubName \u003cevent hub name\u003e] [-StorageAccountId \u003cstorage account ID\u003e] [-WorkspaceId \u003clog analytics workspace ID\u003e] [-MarketplacePartnerId \u003cfull ARM marketplace resource ID\u003e]\u003e\n```\n\n### Default Value\n\nBy default, diagnostic setting is not set.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": 
"azure_compliance.control.cis_v200_5_1_2", + "description": "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.", + "title": "5.1.2 Ensure Diagnostic Setting captures appropriate categories", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.2", + "cis_level": "1", + "cis_section_id": "5.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\n**Prerequisite:** A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: \"Ensure that a 'Diagnostic Setting' exists.\"\n\nThe diagnostic setting should be configured to log the appropriate activities from the control/management plane.\n\nA diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Azure Monitor`.\n2. Click `Activity log`.\n3. Click on `Export Activity Logs`.\n4. Select the `Subscription` from the drop down menu.\n5. Click on `Add diagnostic setting`.\n6. Enter a name for your new Diagnostic Setting.\n7. Check the following categories: `Administrative`, `Alert`, `Policy`, and `Security`.\n8. 
Choose the destination details according to your organization's needs.\n\n### From Az CLI\n\n```bash\naz monitor diagnostic-settings subscription create --subscription \u003csubscription id\u003e --name \u003cdiagnostic settings name\u003e --location \u003clocation\u003e \u003c[- -event-hub \u003cevent hub ID\u003e --event-hub-auth-rule \u003cevent hub auth rule ID\u003e] [-- storage-account \u003cstorage account ID\u003e] [--workspace \u003clog analytics workspace ID\u003e] --logs \"[{category:Security,enabled:true},{category:Administrative,enabled:true},{ca tegory:Alert,enabled:true},{category:Policy,enabled:true}]\"\n```\n\n### From Powershell\n\n```bash\n$logCategories = @();\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Administrative -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Security -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Alert -Enabled $true\n$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Policy -Enabled $true\n\nNew-AzSubscriptionDiagnosticSetting -SubscriptionId \u003csubscription ID\u003e -Name \u003cDiagnostic settings name\u003e \u003c[-EventHubAuthorizationRule \u003cevent hub auth rule ID\u003e -EventHubName \u003cevent hub name\u003e] [-StorageAccountId \u003cstorage account ID\u003e] [-WorkSpaceId \u003clog analytics workspace ID\u003e] [-MarketplacePartner ID \u003cfull ARM Marketplace resource ID\u003e]\u003e -Log $logCategories\n```\n\n### Default Value\n\nWhen the diagnostic setting is created using Azure Portal, by default no categories are selected.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", 
+ "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_3", + "description": "The storage account container containing the activity log export should not be publicly accessible.", + "title": "5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.3", + "cis_level": "1", + "cis_section_id": "5.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nThe storage account container containing the activity log export should not be publicly accessible.\n\nAllowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home select the Portal Menu.\n2. Search for `Storage Accounts` to access Storage account blade.\n3. Click on the storage account name.\n4. Click on `Configuration` under settings.\n5. 
Select `Enabled` under \"Allow Blob public access\".\n\n### From Azure CLI\n\n```bash\naz storage container set-permission --name insights-activity-logs --account- name \u003cStorage Account Name\u003e --sas-token \u003cSAS token\u003e --public-access off\n```\n\n### From PowerShell\n\nCreate a new storage account context for the storage account holding the `insight- activity-logs` container making sure to use a valid `Shared Access Signature (SAS)` token.\n\n```bash\n$context = New-AzStorageContext -StorageAccountName \u003cstorage account name\u003e - SasToken \"\u003cSAS token\u003e\"\n```\n\nChange the `insights-activity-logs` container public access to `off`\n\n```bash\nSet-AzStorageContainerAcl -Context $context -Name \"insights-activity-logs\" - Permission Off -PassThru\n```\n\n### Default Value\n\nBy default, public access is set to null (allowing only private access) for a container with activity log export.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_4", + "description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).", + "title": "5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.4", + "cis_level": "2", + "cis_section_id": "5.1", + "cis_type": "automated", + "cis_version": 
"v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nStorage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).\n\nConfiguring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the Storage accounts blade.\n2. Click on the storage account.\n3. Under `Security + networking`, click `Encryption`.\n4. Next to `Encryption type`, select `Customer-managed keys`.\n5. Complete the steps to configure a customer-managed key for encryption of the storage account.\n\n### From Azure CLI\n\n```bash\naz storage account update --name \u003cname of the storage account\u003e --resource- group \u003cresource group for a storage account\u003e --encryption-key- source=Microsoft.Keyvault --encryption-key-vault \u003cKey Vault URI\u003e -- encryption-key-name \u003cKeyName\u003e --encryption-key-version \u003cKey Version\u003e\n```\n\n### From PowerShell\n\n```bash\nSet-AzStorageAccount -ResourceGroupName \u003cresource group name\u003e -Name \u003cstorage account name\u003e -KeyvaultEncryption -KeyVaultUri \u003ckey vault URI\u003e -KeyName \u003ckey name\u003e\n```\n\n### Default Value\n\nBy default, for a storage account `keySource` is set to `Microsoft.Storage` allowing encryption with vendor Managed key and not a Customer Managed Key.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and 
Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_5", + "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.", + "title": "5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.5", + "cis_level": "1", + "cis_section_id": "5.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.\n\nMonitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.\n\n## Remediation\n\n## From Azure Portal\n\n1. Go to `Key vaults`.\n2. Select a Key vault.\n3. Select `Diagnostic settings`.\n4. Click on `Edit setting` against an existing diagnostic setting, or `Add diagnostic setting`.\n5. If creating a new diagnostic setting, provide a name.\n6. Check `Archive to a storage account`.\n7. Under Categories, check `Audit Logs`.\n8. Set an appropriate value for `Retention (days)`.\n9. 
Click `Save`.\n\n## From Azure CLI\n\nTo update an existing `Diagnostic Settings`\n\n```bash\naz monitor diagnostic-settings update --name \"\u003cdiagnostics settings name\u003e\" -- resource \u003ckey vault resource ID\u003e --set retentionPolicy.days=90\n```\n\nTo create a new `Diagnostic Settings`\n\n```bash\naz monitor diagnostic-settings create --name \u003cdiagnostic settings name\u003e -- resource \u003ckey vault resource ID\u003e --logs \"[{category:AuditEvents,enabled:true,retention- policy:{enabled:true,days:180}}]\" --metrics \"[{category:AllMetrics,enabled:true,retention- policy:{enabled:true,days:180}}]\" \u003c[--event-hub \u003cevent hub ID\u003e --event-hub- rule \u003cevent hub auth rule ID\u003e | --storage-account \u003cstorage account ID\u003e |-- workspace \u003clog analytics workspace ID\u003e | --marketplace-partner-id \u003cfull\nresource ID of third-party solution\u003e]\u003e\n```\n\n### From PowerShell\n\nCreate the `Log` settings object\n\n```bash\n$logSettings = @()\n$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent\n```\n\nCreate the `Metric` settings object\n\n```bash\n$metricSettings = @()\n$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics\n```\n\nCreate the `Diagnostic Settings` for each `Key Vault`\n\n```bash\nNew-AzDiagnosticSetting -Name \"\u003cdiagnostic setting name\u003e\" -ResourceId \u003ckey vault resource ID\u003e -Log $logSettings -Metric $metricSettings [- StorageAccountId \u003cstorage account ID\u003e | -EventHubName \u003cevent hub name\u003e - EventHubAuthorizationRuleId \u003cevent hub auth rule ID\u003e | -WorkSpaceId \u003clog analytics workspace ID\u003e | -MarketPlacePartnerId \u003cfull resource ID for third- party solution\u003e]\n```\n\n### Default Value\n\nBy default, Diagnostic AuditEvent logging is not 
enabled for Key Vault instances.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_6", + "description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.", + "title": "5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.6", + "cis_level": "2", + "cis_section_id": "5.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnsure that network flow logs are captured and fed into a central log analytics workspace.\n\nNetwork Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to `Network Watcher`.\n2. Select `NSG flow logs`.\n3. Select `+ Create`.\n4. Select the desired Subscription.\n5. Select `+ Select NSG`.\n6. Select a network security group.\n7. Click `Confirm selection`.\n8. Select or create a new Storage Account.\n9. Input the retention in days to retain the log.\n10. Click `Next`.\n11. Under `Configuration`, select `Version 2`.\n12. 
If rich analytics are required, select `Enable Traffic Analytics`, a processing interval, and a `Log Analytics Workspace`.\n13. Select `Next`.\n14. Optionally add Tags.\n15. Select `Review + create`.\n16. Select `Create`.\n\n**Warning**\nThe remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.\n\n### Default Value\n\nBy default Network Security Group logs are not sent to Log Analytics.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.1 Configuring Diagnostic Settings", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.1 Configuring Diagnostic Settings" + ], + "control_id": "azure_compliance.control.cis_v200_5_1_7", + "description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.", + "title": "5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.1.7", + "cis_level": "2", + "cis_section_id": "5.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.\n\nCapturing web requests can be important supporting information for security analysts performing 
monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `App Services` and for each `App Service`:\n2. Go to `Diagnostic Settings`.\n3. Click `Add Diagnostic Setting`.\n4. Check the checkbox next to 'HTTP logs'.\n5. Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging).\n\n### Default Value:\n\nNot configured.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_1", + "description": "Create an activity log alert for the Create Policy Assignment event.", + "title": "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.1", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\nMonitoring for create policy assignment events gives insight into changes done in \"Azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From Azure Portal\n\n1. 
Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Policy assignment (policyAssignments)`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Create policy assignment (Microsoft.Authorization/policyAssignments)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\"\n--condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level=\u003cverbose | information | warning | error | critical\u003e --scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription ID\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Authorization/policyAssignments/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nGet the `Action Group` information and store it in a variable, then create a new `Action` object.\n\n```bash\n$actionGroup = 
Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e -\nName \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` variable.\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Authorization/policyAssignments/write`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity alert rule name\u003e\" -ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_2", + "description": "Create an activity log alert for the Delete Policy Assignment event.", + "title": "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.2", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\nMonitoring for delete policy assignment events gives insight into changes done in \"azure 
policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Click on `Alerts`.\n3. Click on `Create`.\n4. Click on `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Policy assignment (policyAssignments)`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Delete policy assignment (Microsoft.Authorization/policyAssignments)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a Resource group, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. 
Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level=\u003cverbose | information | warning | error | critical\u003e --scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the conditions object\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Authorization/policyAssignments/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Action` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e - Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` variable.\n\n```bash\n$scope = \"/subscriptions/\u003csubscription id\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Authorization/policyAssignments/delete`.\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" -\nResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + 
"azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_3", + "description": "Create an Activity Log Alert for the Create or Update Network Security Group event.", + "title": "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.3", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\nMonitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Network security groups`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Create or Update Network Security Group (Microsoft.Network/networkSecurityGroups)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. 
Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=verbose --scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" --subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/networkSecurityGroups/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e - Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription id\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Network/networkSecurityGroups/write`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" - ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are 
created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_4", + "description": "Create an activity log alert for the Delete Network Security Group event.", + "title": "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.4", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\nMonitoring for \"Delete Network Security Group\" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Network security groups`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Delete Network Security Group (Microsoft.Network/networkSecurityGroups)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. 
To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete and level=\u003cverbose | information | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/networkSecurityGroups/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e - Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription id\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Network/networkSecurityGroups/delete`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" -\nResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject 
-Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_5", + "description": "Create an activity log alert for the Create or Update Security Solution event.", + "title": "5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.5", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\nMonitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Network security groups`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. 
Under `Signal name`, click `Create or Update Security Solutions (Microsoft.Security/securitySolutions)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write and level=\u003cverbose | information | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Security/securitySolutions/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e - Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for 
`Microsoft.Security/securitySolutions/write`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" -\nResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_6", + "description": "Create an activity log alert for the Delete Security Solution event.", + "title": "5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.6", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\nMonitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. 
Under `Filter by resource type`, select `Security Solutions (securitySolutions).`\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Delete Security Solutions (Microsoft.Security/securitySolutions)`\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete and level=\u003cverbose | information | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Security/securitySolutions/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e - Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id 
$actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Security/securitySolutions/delete`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" -\nResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_7", + "description": "Create an activity log alert for the Create or Update SQL Server Firewall Rule event.", + "title": "5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.7", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure 
Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Server Firewall Rule (servers/firewallRules)`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level=\u003cverbose |\ninformation | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Sql/servers/firewallRules/write -Field operationName\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = 
Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e -Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Security/securitySolutions/write`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" - ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created or active.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_8", + "description": "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'", + "title": "5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.8", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\nMonitoring for Delete SQL Server Firewall Rule events gives insight into 
SQL network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Server Firewall Rule (servers/firewallRules)`\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Delete server firewall rule (Microsoft.Sql/servers/firewallRules)`\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. 
Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete and level=\u003cverbose |\ninformation | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Sql/servers/firewallRules/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e -Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Sql/servers/firewallRules/delete`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" - ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created or active.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + 
"azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_9", + "description": "Create an activity log alert for the Create or Update Public IP Addresses rule.", + "title": "5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.9", + "cis_level": "1", + "cis_section_id": "5.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Create or Update Public IP Addresses rule.\n\nMonitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Public IP addresses`.\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Create or Update Public Ip Address (Microsoft.Network/publicIPAddresses)`.\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. 
Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write and level=\u003cverbose | information | warning | error | critical\u003e--scope\n\"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/publicIPAddresses/write -Field operationName\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e -Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Sql/servers/firewallRules/delete`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" - ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription \u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created or 
active.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.2 Monitoring using Activity Log Alerts", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.2 Monitoring using Activity Log Alerts" + ], + "control_id": "azure_compliance.control.cis_v200_5_2_10", + "description": "Create an activity log alert for the Delete Public IP Address rule.", + "title": "5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.2.10", + "cis_level": "1", + "cis_section_id": "5", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nCreate an activity log alert for the Delete Public IP Address rule.\n\nMonitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `Monitor` blade.\n2. Select `Alerts`.\n3. Select `Create`.\n4. Select `Alert rule`.\n5. Under `Filter by subscription`, choose a subscription.\n6. Under `Filter by resource type`, select `Public IP addresses`\n7. Under `Filter by location`, select `All`.\n8. From the results, select the subscription.\n9. Select `Done`.\n10. Select the `Condition` tab.\n11. Under `Signal name`, click `Delete Public Ip Address (Microsoft.Network/publicIPAddresses)`\n12. Select the `Actions` tab.\n13. To use an existing action group, click `Select action groups`. 
To create a new action group, click `Create action group`. Fill out the appropriate details for the selection.\n14. Select the `Details` tab.\n15. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`.\n16. Click `Review + create`.\n17. Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor activity-log alert create --resource-group \"\u003cresource group name\u003e\" --condition category=Administrative and\noperationName=Microsoft.Network/publicIPAddresses/delete and level=\u003cverbose | information | warning | error | critical\u003e--scope \"/subscriptions/\u003csubscription ID\u003e\" --name \"\u003cactivity log rule name\u003e\" -- subscription \u003csubscription id\u003e --action-group \u003caction group ID\u003e --location global\n```\n\n### From PowerShell\n\nCreate the `Conditions` object.\n\n```bash\n$conditions = @()\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category\n$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/publicIPAddresses/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level\n```\n\nRetrieve the `Action Group` information and store in a variable, then create the `Actions` object.\n\n```bash\n$actionGroup = Get-AzActionGroup -ResourceGroupName \u003cresource group name\u003e -Name \u003caction group name\u003e\n$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id\n```\n\nCreate the `Scope` object\n\n```bash\n$scope = \"/subscriptions/\u003csubscription ID\u003e\"\n```\n\nCreate the `Activity Log Alert Rule` for `Microsoft.Sql/servers/firewallRules/delete`\n\n```bash\nNew-AzActivityLogAlert -Name \"\u003cactivity log alert rule name\u003e\" - ResourceGroupName \"\u003cresource group name\u003e\" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription 
\u003csubscription ID\u003e -Enabled $true\n```\n\n### Default Value\n\nBy default, no monitoring alerts are created or active.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.3 Configuring Application Insights", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.3 Configuring Application Insights" + ], + "control_id": "azure_compliance.control.cis_v200_5_3_1", + "description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.", + "title": "5.3.1 Ensure Application Insights are Configured", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.3.1", + "cis_level": "2", + "cis_section_id": "5", + "cis_type": "automated", + "cis_version": "v1.4.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nApplication Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. 
Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.\n\nConfiguring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to `Application Insights`.\n2. Under the `Basics` tab within the `PROJECT DETAILS` section, select the `Subscription`.\n3. Select the `Resource group`.\n4. Within the `INSTANCE DETAILS`, enter a `Name`.\n5. Select a `Region`.\n6. Next to `Resource Mode`, select `Workspace-based`.\n7. Within the `WORKSPACE DETAILS`, select the `Subscription` for the log analytics workspace.\n8. Select the appropriate `Log Analytics Workspace`.\n9. Click `Next : Tags \u003e`.\n10. Enter the appropriate `Tags` as `Name`, `Value` pairs.\n11. Click `Next: Review + Create`.\n12. 
Click `Create`.\n\n### From Azure CLI\n\n```bash\naz monitor app-insights component create --app \u003capp name\u003e --resource-group \u003cresource group name\u003e --location \u003clocation\u003e --kind \"web\" --retention-time \u003cINT days to retain logs\u003e --workspace \u003clog analytics workspace ID\u003e -- subscription \u003csubscription ID\u003e\n```\n\n### From PowerShell\n\n```bash\nNew-AzApplicationInsights -Kind \"web\" -ResourceGroupName \u003cresource group name\u003e -Name \u003capp insights name\u003e -location \u003clocation\u003e -RetentionInDays \u003cINT days to retain logs\u003e -SubscriptionID \u003csubscription ID\u003e -WorkspaceResourceId \u003clog analytics workspace ID\u003e\n```\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring" + ], + "control_id": "azure_compliance.control.cis_v200_5_4", + "description": "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. 
Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault.", + "title": "5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.4", + "cis_level": "1", + "cis_section_id": "5", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nResource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.\n\nA number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.\n\nA lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. 
In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.\n\n## Remediation\n\nAzure Subscriptions should log every access and operation for all resources.\n\nLogs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern.\n\n### From Azure Portal\n\nThe specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:\n\n1. Go to the resource\n2. Click on Diagnostic settings\n3. In the blade that appears, click \"Add diagnostic setting\"\n4. Configure the diagnostic settings\n5. 
Click on Save\n\n### From Azure CLI\n\nFor each `resource`, run the following making sure to use a `resource` appropriate JSON encoded `category` for the `--logs` option.\n\n```bash\naz monitor diagnostic-settings create --name \u003cdiagnostic settings name\u003e -- resource \u003cresource ID\u003e --logs \"[{category:\u003cresource specific category\u003e,enabled:true,rentention-policy:{enabled:true,days:180}}]\" --metrics \"[{category:AllMetrics,enabled:true,retention- policy:{enabled:true,days:180}}]\" \u003c[--event-hub \u003cevent hub ID\u003e --event-hub- rule \u003cevent hub auth rule ID\u003e | --storage-account \u003cstorage account ID\u003e |-- workspace \u003clog analytics workspace ID\u003e | --marketplace-partner-id \u003cfull resource ID of third-party solution\u003e]\u003e\n```\n\n### From PowerShell\n\nCreate the `log` settings object\n\n```bash\n$logSettings = @()\n$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category \u003cresource specific category\u003e\n$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category \u003cresource specific category number 2\u003e\n```\n\nCreate the `metric` settings object\n\n```bash\n$metricSettings = @()\n$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics\n```\n\nCreate the diagnostic setting for a specific resource\n\n```bash\nNew-AzDiagnosticSetting -Name \"\u003cdiagnostic settings name\u003e\" -ResourceId \u003cresource ID\u003e -Log $logSettings -Metric $metricSettings\n```\n\n### Default Value\n\nBy default, Azure Monitor Resource Logs are 'Disabled' for all resources.", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)" + ], + "control_id": "azure_compliance.control.network_lb_no_basic_sku", + "description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.", + "title": "Network load balancers should use standard SKUs as a minimum", + "tags": { + "cis": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_5", + "executable": false + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)" + ], + "control_id": "azure_compliance.control.network_public_ip_no_basic_sku", + "description": "The use of 
Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.", + "title": "Network public IPs should use standard SKUs as a minimum", + "tags": { + "cis": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_5", + "executable": false + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)" + ], + "control_id": "azure_compliance.control.network_virtual_network_gateway_no_basic_sku", + "description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. 
Consequently Basic/Free SKUs should never be used for production workloads.", + "title": "Virtual network gateways should use standard SKUs as a minimum", + "tags": { + "cis": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_5", + "executable": false + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Logging and Monitoring \u003e 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Logging and Monitoring", + "5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)" + ], + "control_id": "azure_compliance.control.redis_cache_no_basic_sku", + "description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. 
Consequently Basic/Free SKUs should never be used for production workloads.", + "title": "Azure Cache for Redis should use standard SKUs as a minimum", + "tags": { + "cis": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_5_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_5/azure_compliance.benchmark.cis_v200_5_5", + "executable": false + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_1", + "description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "title": "6.1 Ensure that RDP access from the Internet is evaluated and restricted", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.1", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nNetwork security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.\n\nThe potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nWhere RDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated.\n\nFor internal access to relevant resources, configure an encrypted network tunnel such as:\n\n1. [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/)\n2. [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal)\n3. [Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)\n\n\n### Default Value\n\nBy default, RDP access from internet is not `enabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_2", + "description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "title": "6.2 Ensure that SSH access from the Internet is evaluated and restricted", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.2", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nNetwork security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.\n\nThe potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nWhere SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated.\n\nFor internal access to relevant resources, configure an encrypted network tunnel such as:\n\n1. [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/)\n2. [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal)\n3. 
[Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)\n\n### Default Value\n\nBy default, SSH access from internet is not `enabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_3", + "description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "title": "6.3 Ensure that UDP access from the Internet is evaluated and restricted", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.3", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nNetwork security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.\n\nThe potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. 
The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nWhere UDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated.\n\nFor internal access to relevant resources, configure an encrypted network tunnel such as:\n\n1. [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/)\n2. [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal)\n3. [Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)\n\n\n### Default Value\n\nBy default, UDP access from internet is not `enabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_4", + "description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.", + "title": "6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.4", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nNetwork security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.\n\nThe potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.\n\n## Remediation\n\nWhere HTTP(S) is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated.\n\nFor internal access to relevant resources, configure an encrypted network tunnel such as:\n\n1. [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/)\n2. [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal)\n3. 
[Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_5", + "description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.", + "title": "6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.5", + "cis_level": "2", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nNetwork Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.\n\nFlow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.\n\n## Remediation\n\n### From Azure Console\n\n1. Go to `Network Watcher`.\n2. Select `NSG flow logs` blade in the Logs section.\n3. Select each Network Security Group from the list.\n4. Ensure `Status` is set to `On`.\n5. Ensure `Retention(days)` setting `greater than 90 days`.\n6. Select your storage account in the `Storage account` field.\n7. 
Select `Save`.\n\n### From Azure CLI\n\nEnable the `NSG flow logs` and set the Retention (days) to greater than or equal to 90 days.\n\n```bash\naz network watcher flow-log configure --nsg \u003cNameorID of the Network Security Group\u003e --enabled true --resource-group \u003cresourceGroupName\u003e --retention 91 -- storage-account \u003cNameorID of the storage account to save flow logs\u003e\n```\n\n### Default Value\n\nBy default, Network Security Group Flow Logs are `disabled`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_6", + "description": "Enable Network Watcher for Azure subscriptions.", + "title": "6.6 Ensure that Network Watcher is 'Enabled'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.6", + "cis_level": "2", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nEnable Network Watcher for Azure subscriptions.\n\nNetwork diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.\n\n## Remediation\n\nOpting out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.\n\n### Default Value\n\nNetwork Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. 
There is no impact to your resources or associated charge for automatically enabling Network Watcher.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Networking" + ], + "control_id": "azure_compliance.control.cis_v200_6_7", + "description": "Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.", + "title": "6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "6.7", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network" + }, + "documentation": "## Description\n\nPublic IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.\n\nPublic IP Addresses allocated to the tenant should be periodically reviewed for necessity. 
Public IP Addresses that are not intentionally assigned and controlled present a publicly facing vector for threat actors and significant risk to the tenant.\n\n## Remediation\n\nRemediation will vary significantly depending on your organization's security requirements for the resources attached to each individual Public IP address.\n\n### Default Value\n\nDuring Virtual Machine and Application creation, a setting may create and attach a public IP.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_1", + "description": "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.", + "title": "7.1 Ensure an Azure Bastion Host Exists", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.1", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nThe Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. 
The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.\n\nThe Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.\n\n## Remediation\n\n### From Azure Portal\n\n1. Click on `Bastions`.\n2. Select the `Subscription`.\n3. Select the `Resource group`.\n4. Type a `Name` for the new Bastion host.\n5. Select a `Region`.\n6. Choose `Standard` next to `Tier`.\n7. Use the slider to set the `Instance count`.\n8. Select the `Virtual network` or `Create new`.\n9. Select the `Subnet` named `AzureBastionSubnet`. Create a `Subnet` named `AzureBastionSubnet` using a `/26` CIDR range if it doesn't already exist.\n10. Selct the appropriate `Public IP address` option.\n11. If `Create new` is selected for the `Public IP address` option, provide a `Public IP address name`.\n12. If Use existing is selected for Public IP address option, select an IP address from `Choose public IP address`.\n13. Click `Next: Tags \u003e`.\n14. Configure the appropriate `Tags`.\n15. Click `Next: Advanced \u003e`.\n16. Select the appropriate `Advanced` options.\n17. Click `Next: Review + create \u003e`.\n18. 
Click `Create`.\n\n### From Azure CLI\n\n```bash\naz network bastion create --location \u003clocation\u003e --name \u003cname of bastion host\u003e --public-ip-address \u003cpublic IP address name or ID\u003e --resource-group \u003cresource group name or ID\u003e --vnet-name \u003cvirtual network containing subnet called \"AzureBastionSubnet\"\u003e --scale-units \u003cinteger\u003e --sku Standard [--disable-copy- paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false]\n```\n\n### Using Powershell\n\nCreate the appropriate `Virtual network` settings and `Public IP Address` settings.\n\n```bash\n$subnetName = \"AzureBastionSubnet\"\n$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix \u003cIP address range in CIDR notation making sure to use a /26\u003e\n$virtualNet = New-AzVirtualNetwork -Name \u003cvirtual network name\u003e - ResourceGroupName \u003cresource group name\u003e -Location \u003clocation\u003e -AddressPrefix \u003cIP address range in CIDR notation\u003e -Subnet $subnet\n$publicip = New-AzPublicIpAddress -ResourceGroupName \u003cresource group name\u003e - Name \u003cpublic IP address name\u003e -Location \u003clocation\u003e -AllocationMethod Dynamic -Sku Standard\n```\n\nCreate the `Azure Bastion` service using the information within the created variables from above.\n\n```bash\nNew-AzBastion -ResourceGroupName \u003cresource group name\u003e -Name \u003cbastion name\u003e - PublicIpAddress $publicip -VirtualNetwork $virtualNet -Sku \"Standard\" - ScaleUnit \u003cinteger\u003e\n```\n\n### Default Value\n\nBy default, the Azure Bastion service is not configured.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + 
"category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_2", + "description": "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.", + "title": "7.2 Ensure Virtual Machines are utilizing Managed Disks", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.2", + "cis_level": "1", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nMigrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:\n\n1. Default Disk Encryption\n2. Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty\n3. Reduction of costs over storage accounts\n\nManaged disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.\n\nFor ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.\n\n## Remediation\n\n### From Azure Portal\n\n1. Using the search feature, go to `Virtual Machines`.\n2. Select the virtual machine you would like to convert.\n3. Select `Disks` in the menu for the VM.\n4. At the top select `Migrate to managed disks`.\n5. 
You may follow the prompts to convert the disk and finish by selecting `Migrate` to start the process.\n\n**NOTE** VMs will be stopped and restarted after migration is complete.\n\n### From PowerShell\n\n```bash\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n### Default Value\n\nManaged disks or are an option upon the creation of VMs.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_3", + "description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).", + "title": "7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.3", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).\n\nEncrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. 
PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.\n\n## Remediation\n\n### From Azure Portal\n\n**Note:** Disks must be detached from VMs to have encryption changed.\n\n1. Go to `Virtual machines`.\n2. For each virtual machine, go to `Settings`.\n3. Click on `Disks`.\n4. Click the ellipsis (...), then click `Detach` to detach the disk from the VM.\n5. Now search for `Disks` and locate the unattached disk.\n6. Click the disk then select `Encryption`.\n7. Change your encryption type, then select your encryption set.\n8. Click `Save`.\n9. Go back to the VM and re-attach the disk.\n\n### From PowerShell\n\n```bash\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl - DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTE:** During encryption it is likely that a reboot will be required. 
It may take up to 15 minutes to complete the process.\n\n**NOTE 2:** This may differ for Linux machines as you may need to set the `-skipVmBackup` parameter\n\n### Default Value\n\nBy default, Azure disks are encrypted using SSE with PMK.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_4", + "description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).", + "title": "7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.4", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nEnsure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).\n\nManaged disks are encrypted by default with Platform-managed keys. Using Customer- managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:\n\n```bash\n-https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az- disk-delete\n```\n\nIf data stored in the disk is important, To encrypt the disk refer azure documentation at:\n\n```bash\n-https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable- customer-managed-keys-portal\n-https://docs.microsoft.com/en- us/rest/api/compute/disks/update#encryptionsettings\n```\n\n### Default Value\n\nBy default, managed disks are encrypted with a Platform-managed key.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_5", + "description": "For added security, only install organization-approved extensions on VMs.", + "title": "7.5 Ensure that Only Approved Extensions Are Installed", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.5", + "cis_level": "1", + "cis_section_id": "7", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nFor added security, only install organization-approved extensions on VMs.\n\nAzure virtual machine extensions are small applications that provide post-deployment 
configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Virtual machines`.\n2. For each virtual machine, go to `Settings`.\n3. Click on `Extensions + applications`.\n4. If there are unapproved extensions, uninstall them.\n\n### From Azure CLI\n\nFrom the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM.\n\n```bash\naz vm extension delete --resource-group \u003cresourceGroupName\u003e --vm-name \u003cvmName\u003e --name \u003cextensionName\u003e\n```\n\n### From PowerShell\n\nFor each VM and each insecure extension from the Audit Procedure run the following command.\n\n```bash\nRemove-AzVMExtension -ResourceGroupName \u003cResourceGroupName\u003e -Name \u003cExtensionName\u003e -VMName \u003cVirtualMachineName\u003e\n```\n\n### Default Value\n\nBy default, no extensions are added to the virtual machines.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_6", + "description": "Install endpoint protection for all virtual machines.", + "title": "7.6 Ensure that Endpoint Protection for all Virtual Machines is installed", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.6", + "cis_level": "2", + 
"cis_section_id": "7", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\nInstall endpoint protection for all virtual machines.\n\nInstalling endpoint protection systems (like anti-malware for Azure) provides for real- time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.\n\n## Remediation\n\nFollow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.\n\n### Default Value\n\nBy default Endpoint Protection is disabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "7 Virtual Machines" + ], + "control_id": "azure_compliance.control.cis_v200_7_7", + "description": "VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. 
This should be turned on for storage accounts containing VHDs.", + "title": "7.7 Ensure that VHDs are Encrypted", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "7.7", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute" + }, + "documentation": "## Description\n\n**NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.**\n\nVHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.\n\nWhile it is recommended to use Managed Disks which are encrypted by default, \"legacy\" VHDs may exist for a variety of reasons and may need to remain in VHD format. VHDs are not encrypted by default, so this recommendation intends to address the security of these disks. In these niche cases, VHDs should be encrypted using the procedures in this recommendation to encrypt and protect the data content.\n\nIf a virtual machine is using a VHD and can be converted to a managed disk, instructions for this procedure can be found in the resources section of this recommendation under the title \"Convert VHD to Managed Disk.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the `storage account` that you wish to encrypt.\n2. Select `encryption`.\n3. 
Select the `encryption type` that you wish to use.\n\nIf you wish to use a Microsoft-managed key (the default), you can save at this point and encryption will be applied to the account.\n\nIf you select `Customer-managed keys`, it will ask for the location of the key (The default is an Azure Key Vault) and the key name.\n\nOnce these are captured, save the configuration and the account will be encrypted using the provided key.\n\n### From Azure CLI\n\n**Create the Key Vault**\n\n```bash\naz keyvault create --name \u003cname\u003e --resource-group \u003cresourceGroup\u003e --location \u003clocation\u003e --enabled-for-disk-encryption\n```\n\n**Encrypt the disk and store the key in Key Vault**\n\n```bash\naz vm encryption enable -g \u003cresourceGroup\u003e --name \u003cname\u003e --disk-encryption- keyvault myKV\n```\n\n### From PowerShell\n\nThis process uses a Key Vault to store the keys\n\n**Create the Key Vault**\n\n```bash\nNew-AzKeyvault -name \u003cname\u003e -ResourceGroupName \u003cresourceGroup\u003e -Location \u003clocation\u003e -EnabledForDiskEncryption\n```\n\n**Encrypt the disk and store the key in Key Vault**\n\n```bash\n$KeyVault = Get-AzKeyVault -VaultName \u003cname\u003e -ResourceGroupName \u003cresourceGroup\u003e\nSet-AzVMDiskEncryptionExtension -ResourceGroupName \u003cresourceGroup\u003e -VMName \u003cname\u003e -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri - DiskEncryptionKeyVaultId $KeyVault.ResourceId\n```\n\n### Default Value\n\nThe default value for encryption is \"NO Encryption\"\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_1", + "description": "Ensure 
that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "title": "8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.1", + "cis_level": "1", + "cis_section_id": "8", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnsure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`.\n\n### From Azure CLI\n\nUpdate the `Expiration date` for the secret using the below command:\n\n```bash\naz keyvault key set-attributes --name \u003ckeyName\u003e --vault-name \u003cvaultName\u003e -- expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note:** To view the expiration date on all keys in a Key Vault using Microsoft API, the \"List\" Key permission is required.\n\nTo update the expiration date for the keys:\n1. Go to the Key vault, click on Access Control (IAM).\n2. 
Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user.\n\n### From PowerShell\n\n```bash\nSet-AzKeyVaultKeyAttribute -VaultName \u003cVaultName\u003e -Name \u003cKeyName\u003e -Expires \u003cDateTime\u003e\n```\n\n### Default Value\n\nBy default, keys do not expire.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_2", + "description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "title": "8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.2", + "cis_level": "1", + "cis_section_id": "8", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnsure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. 
In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`.\n4. For each enabled key, ensure that an appropriate `Expiration date` is set.\n\n### From Azure CLI\n\nUpdate the `Expiration date` for the secret using the below command:\n\n```bash\naz keyvault key set-attributes --name \u003ckeyName\u003e --vault-name \u003cvaultName\u003e -- expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note:** To view the expiration date on all keys in a Key Vault using Microsoft API, the `List` Key permission is required.\n\nTo update the expiration date for the keys:\n1. Go to Key vault, click on `Access policies`.\n2. Click on `Create` and add an access policy with the `Update` permission (in the Key Permissions - Key Management Operations section).\n\n### From PowerShell\n\n```bash\nSet-AzKeyVaultKeyAttribute -VaultName \u003cVault Name\u003e -Name \u003cKey Name\u003e -Expires \u003cDateTime\u003e\n```\n\n### Default Value\n\nBy default, keys do not expire.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_3", + "description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "title": "8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.3", + "cis_level": "1", + "cis_section_id": "8", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnsure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults 
have an expiration date set.\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. For each enabled secret, ensure that an appropriate `Expiration dat`e is set.\n\n### From Azure CLI\n\nUpdate the `Expiration date` for the secret using the below command:\n\n```bash\naz keyvault secret set-attributes --name \u003csecretName\u003e --vault-name \u003cvaultName\u003e --expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note** To view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required.\n\nTo update the expiration date for the secrets:\n1. Go to the Key vault, click on `Access Control (IAM)`.\n2. 
Click on `Add role assignment` and assign the role of `Key Vault Secrets Officer` to the appropriate user.\n\n### From Powershell\n\n```bash\nSet-AzKeyVaultSecretAttribute -VaultName \u003cVault Name\u003e -Name \u003cSecret Name\u003e - Expires \u003cDateTime\u003e\n```\n\n### Default Value\n\nBy default, secrets do not expire.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_4", + "description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "title": "8.4 Ensure that the Expiration Date is set for all Secrets in Non- RBAC Key Vaults", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.4", + "cis_level": "1", + "cis_section_id": "8", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nEnsure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to `Key vaults`.\n2. 
For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. Set an appropriate `Expiration date` on all secrets.\n\n### From Azure CLI\n\nUpdate the `Expiration date` for the secret using the below command:\n\n```bash\naz keyvault secret set-attributes --name \u003csecretName\u003e --vault-name \u003cvaultName\u003e --expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note** To view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required.\n\nTo update the expiration date for the secrets:\n1. Go to the Key vault, click on `Access policies`.\n2. Click on `Create` and add an access policy with the `Update` permission (in the Secret Permissions - Secret Management Operations section).\n\n### From Powershell\n\nFor each Key vault with the `EnableRbacAuthorization` setting set to `False` or empty, run the following command.\n\n```bash\nSet-AzKeyVaultSecret -VaultName \u003cVault Name\u003e -Name \u003cSecret Name\u003e -Expires \u003cDateTime\u003e\n```\n\n### Default Value\n\nBy default, secrets do not expire.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_5", + "description": "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. 
It is recommended the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions.", + "title": "8.5 Ensure the Key Vault is Recoverable", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.5", + "cis_level": "1", + "cis_section_id": "8", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.\n\nIt is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n**WARNING:** A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\nThere could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault:\n\n1. `enableSoftDelete`:\n\nSetting this parameter to \"true\" for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. 
Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged.\n\n2. `enablePurgeProtection`:\n\nenableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to \"true\" ensures that the Key Vault and its objects cannot be purged.\n\nEnabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.\n\n## Remediation\n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a Key Vault:\n\n### From Azure Portal\n\n1. Go to `Key Vaults`.\n2. For each Key Vault.\n3. Click `Properties`.\n4. Ensure the status of soft-delete reads `Soft delete has been enabled on this key vault`.\n5. At the bottom of the page, click 'Enable Purge Protection' Note, once enabled you cannot disable it.\n\n### From Azure CLI\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx- xxxxxxxxxxxx/resourceGroups/\u003cresourceGroupName\u003e/providers/Microsoft.KeyVault /vaults/\u003ckeyVaultName\u003e --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n### From Powershell\n\n```bash\nUpdate-AzKeyVault -VaultName \u003cvaultName -ResourceGroupName \u003cresourceGroupName -EnablePurgeProtection\n```\n\n### Default Value\n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 
\u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_6", + "description": "Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.", + "title": "8.6 Enable Role Based Access Control for Azure Key Vault", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.6", + "cis_level": "2", + "cis_section_id": "8", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\n**WARNING:** Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.\n\nThe new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.\n\n## Remediation\n\n### From Azure Portal\n\nKey Vaults can be configured to use `Azure role-based access control` on creation. For existing Key Vaults:\n\n1. From Azure Home open the Portal Menu in the top left corner.\n2. Select `Key Vaults`.\n3. Open every Key Vault you wish to audit.\n4. Select `Access configuration`.\n5. Set the Permission model radio button to `Azure role-based access control`, taking note of the warning message.\n6. Click `Save`.\n7. Select `Access Control (IAM)`.\n8. Select the `Role Assignments` tab.\n9. 
Reapply permissions as needed to groups or users.\n\n### Default Value\n\nThe default value for Access control in Key Vaults is Vault Policy.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_7", + "description": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.", + "title": "8.7 Ensure that Private Endpoints are Used for Azure Key Vault", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.7", + "cis_level": "2", + "cis_section_id": "8", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nPrivate endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.\n\nPrivate endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.\n\n## Remediation\n\nPlease see the additional information about the requirements needed before starting this remediation procedure.\n\n### From Azure Portal\n\n1. From Azure Home open the Portal Menu in the top left.\n2. Select Key Vaults.\n3. Select a Key Vault to audit.\n4. Select `Networking` in the left column.\n5. Select `Private endpoint connections` from the top row.\n6. 
Select `+ Create.`\n7. Select the subscription the Key Vault is within, and other desired configuration.\n8. Select `Next`.\n9. For resource type select `Microsoft.KeyVault/vaults`.\n10. Select the Key Vault to associate the Private Endpoint with.\n11. Select `Next`.\n12. In the `Virtual Networking` field, select the network to assign the Endpoint. 13.Select other configuration options as desired, including an existing or new application security group.\n13. Select `Next`.\n14. Select the private DNS the Private Endpoints will use.\n15. Select `Next`.\n16. Optionally add `Tags`.\n17. Select `Next : Review + Create`.\n18. Review the information and select `Create`. Follow the Audit Procedure to determine if it has successfully applied.\n19. Repeat steps 3-19 for each Key Vault.\n\n### From Azure CLI\n\n1. To create an end point, run the following command:\n\n```bash\naz network private-endpoint create --resource-group \u003cresourceGroup --vnet- name \u003cvnetName\u003e --subnet \u003csubnetName\u003e --name \u003cPrivateEndpointName\u003e -- private-connection-resource-id \"/subscriptions/\u003cAZURE SUBSCRIPTION ID\u003e/resourceGroups/\u003cresourceGroup\u003e/providers/Microsoft.KeyVault/vaults/\u003ckeyVa\nultName\u003e\" --group-ids vault --connection-name \u003cprivateLinkConnectionName\u003e -- location \u003cazureRegion\u003e --manual-request\n```\n\n2. To manually approve the end point request, run the following command:\n\n```bash\naz keyvault private-endpoint-connection approve --resource-group \u003cresourceGroup\u003e --vault-name \u003ckeyVaultName\u003e –name \u003cprivateLinkName\u003e\n```\n\n3. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created:\n\n4. 
Look for the property networkInterfaces then id; the value must be placed in the variable \u0026lt;privateEndpointNIC\u0026gt; within step 6.\n\n```bash\naz network private-endpoint show -g \u003cresourceGroupName\u003e -n \u003cprivateEndpointName\u003e\n```\n\n5. Look for the property networkInterfaces then id; the value must be placed on \u0026lt;privateEndpointNIC\u0026gt; in step 6.\n\n```bash\naz network nic show --ids \u003cprivateEndpointName\u003e\n```\n\n6. Create a Private DNS record within the DNS Zone you created for the Private Endpoint:\n\n```bash\naz network private-dns record-set a add-record -g \u003cresourcecGroupName\u003e -z \"privatelink.vaultcore.azure.net\" -n \u003ckeyVaultName\u003e -a \u003cprivateEndpointNIC\u003e\n```\n\n7. nslookup the private endpoint to determine if the DNS record is correct:\n\n```bash\nnslookup \u003ckeyVaultName\u003e.vault.azure.net\nnslookup \u003ckeyVaultName\u003e.privatelink.vaultcore.azure.n\n```\n\n### Default Value\n\nBy default, Private Endpoints are not enabled for any services within Azure.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 8 Key Vault", + "category_hierarchy": [ + "CIS v2.0.0", + "8 Key Vault" + ], + "control_id": "azure_compliance.control.cis_v200_8_8", + "description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. 
The number of supported applications will incrementally increased.", + "title": "8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "8.8", + "cis_level": "2", + "cis_section_id": "8", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/KeyVault" + }, + "documentation": "## Description\n\nAutomatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.\n\nOnce set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.\n\n## Remediation\n\n**Note:** Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P\u0026lt;timespanInISO8601Format\u0026gt;(Y,M,D). The leading P is required with it denoting `period`. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).\n\n### From Azure Portal\n\n1. From Azure Portal select the Portal Menu in the top left.\n2. Select Key Vaults.\n3. Select a Key Vault to audit.\n4. Under `Objects` select `Keys`.\n5. Select a key to audit.\n6. In the top row select `Rotation policy`.\n7. Select an `Expiry time`.\n8. Set `Enable auto rotation` to `Enabled`.\n9. Set an appropriate `Rotation option` and `Rotation time`.\n10. Optionally set the `Notification time`.\n11. Select `Save`.\n12. 
Repeat steps 3-11 for each Key Vault and Key.\n\n### From Azure CLI\n\nRun the following command for each key to update its policy to be auto-rotated:\n\n```bash\naz keyvault key rotation-policy update -n \u003ckeyName\u003e --vault-name \u003cvaultName\u003e --value \u003cpath/to/policy.json\u003e\n\nNote: It is easiest to supply the policy flags in a .json file. An example json file would be:\n\n{\n \"lifetimeActions\": [\n {\n \"trigger\": {\n \"timeAfterCreate\": \"\u003ctimespanInISO8601Format\u003e\",\n \"timeBeforeExpiry\" : null\n },\n \"action\": {\n \"type\": \"Rotate\"\n }\n },\n {\n \"trigger\": {\n \"timeBeforeExpiry\" : \"\u003ctimespanInISO8601Format\u003e\"\n },\n \"action\": {\n \"type\": \"Notify\"\n }\n }\n ],\n \"attributes\": {\n \"expiryTime\": \"\u003ctimespanInISO8601Format\u003e\"\n }\n}\n```\n\n### From Powershell\n\nRun the following command for each key to update its policy:\n\n```bash\nSet-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json\n```\n\n**Note**: It is easiest to supply the policy flags in a .json file. 
An example json file would be:\n\n```bash\n\u003c#\nrotation_policy.json\n{\n \"lifetimeActions\": [\n {\n \"trigger\": {\n \"timeAfterCreate\": \"P\u003ctimespanInISO8601Format\u003eM\",\n \"timeBeforeExpiry\": null\n },\n \"action\": {\n \"type\": \"Rotate\"\n }\n },\n {\n \"trigger\": {\n \"timeBeforeExpiry\": \"P\u003ctimespanInISO8601Format\u003eD\"\n },\n \"action\": {\n \"type\": \"Notify\"\n }\n }\n ],\n \"attributes\": {\n \"expiryTime\": \"P\u003ctimespanInISO8601Format\u003eY\"\n }\n}\n#\u003e\n```\n\n### Default Value:\n\nBy default, Automatic Key Rotation is not enabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_8", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_1", + "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. 
To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.", + "title": "9.1 Ensure App Service Authentication is set up for apps in Azure App Service", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.1", + "cis_level": "2", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nAzure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.\n\nBy Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Setting` section, click on `Authentication`.\n5. If no identity providers are set up, then click `Add identity provider`.\n6. 
Choose other parameters as per your requirements and click on `Add`.\n\n### From Azure CLI\n\nTo set App Service Authentication for an existing app, run the following command:\n\n```bash\naz webapp auth update --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e --enabled true\n```\n\n**Note:** In order to access `App Service authentication` settings for Web app using Microsoft API requires `Website contributor` permission at subscription level. A custom role can be created in place of `Website contributor` to provide more specific permission and maintain the principle of least privileged access.\n\n### Default Value\n\nBy default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_2", + "description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.", + "title": "9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.2", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nAzure Web Apps allows sites to run under both HTTP and HTTPS by default. 
Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\nEnabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Setting` section, Click on `TLS/SSL settings`.\n5. Under the `Bindings` pane, set `HTTPS Only` to `On` under `Protocol Settings` section.\n\n### From Azure CLI\n\nTo set HTTPS-only traffic value for an existing app, run the following command:\n\n```bash\naz webapp update --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e -- set httpsOnly=true\n```\n\n### From Powershell\n\n```bash\nSet-AzWebApp -ResourceGroupName \u003cRESOURCE_GROUP_NAME\u003e -Name \u003cAPP_NAME\u003e - HttpsOnly $true\n```\n\n### Default Value\n\nBy default, HTTPS-only feature will be disabled when a new app is created using the command-line tool or Azure Portal console.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_3", + "description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. 
Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.", + "title": "9.3 Ensure Web App is using the latest version of TLS encryption", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.3", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.\n\nApp service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Setting` section, Click on `SSL settings`.\n5. 
Under the `Bindings` pane, set `Minimum TLS Version` to `1.2` under `Protocol Settings` section.\n\n### From Azure CLI\n\nTo set TLS Version for an existing app, run the following command:\n\n```bash\naz webapp config set --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e --min-tls-version 1.2\n```\n\n### From Powershell\n\n```bash\nSet-AzWebApp -ResourceGroupName \u003cRESOURCE_GROUP_NAME\u003e -Name \u003cAPP_NAME\u003e - MinTlsVersion 1.2\n```\n\n### Default Value\n\nBy default, TLS Version feature will be set to 1.2 when a new app is created using the command-line tool or Azure Portal console.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_4", + "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.", + "title": "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.4", + "cis_level": "2", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nClient certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. 
If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under the Settings section, Click on `Configuration`, then `General settings`.\n5. Set the option `Client certificate mode` located under Incoming client certificates is set to `Require`.\n\n\n### From Azure CLI\n\nTo set Incoming client certificates value for an existing app, run the following command:\n\n```bash\naz webapp update --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e -- set clientCertEnabled=true\n```\n\n### Default Value\n\nBy default, incoming client certificates will be disabled when a new app is created using the command-line tool or Azure Portal console.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_5", + "description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.", + "title": "9.5 Ensure that Register with Azure Active Directory is enabled on App Service", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.5", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nManaged service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Setting` section, Click on `Identity`.\n5. 
Under the `System assigned` pane, set `Status` to `On`.\n\n### From Azure CLI\n\nTo set Register with Azure Active Directory feature for an existing app, run the following command\n\n```bash\naz webapp identity assign --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e\n```\n\n### From PowerShell\n\nTo register with Azure Active Directory feature for an existing app, run the following command:\n\n```bash\nSet-AzWebApp -AssignIdentity $True -ResourceGroupName \u003cresource_Group_Name\u003e - Name \u003cApp_Name\u003e\n```\n\n### Default Value\n\nBy default, Managed service identity via Azure AD is disabled.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_6", + "description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "title": "9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.6", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nPeriodically newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home open the Portal Menu in the top left.\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Settings` section, click on `Configuration`.\n5. Click on the `General settings` pane, ensure that for a `Stack` of `PHP` the `Major Version` and `Minor Version` reflect the latest stable and supported release.\n\n**Note:** No action is required If `PHP version` is set to `Off` or is set with an empty value as PHP is not used by your web app.\n\n### From Azure CLI\n\nList the available PHP runtimes:\n\n```bash\naz webapp list-runtimes\n```\n\nTo set latest PHP version for an existing app, run the following command:\n\n```bash\naz webapp config set --resource-group \u003cresource group name\u003e --name \u003capp name\u003e [--linux-fx-version \u003cphp runtime version\u003e][--php-version \u003cphp version\u003e]\n```\n\n### From Powershell\n\nTo set latest PHP version for an existing app, run the following command:\n\n```bash\nSet-AzWebApp -ResourceGroupName \u003cresource group name\u003e -Name \u003capp name\u003e - phpVersion \u003cphp version\u003e\n```\n\n**Note:** Currently there is no way to update an existing web app `Linux FX Version` setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the `Linux FX Version` setting.\n\n### Default 
Value\n\nThe version of PHP is whatever was selected upon App creation.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_7", + "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "title": "9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.7", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. 
Using the latest full version will keep your stack secure to vulnerabilities and exploits.\n\n## Remediation\n\n### From Azure Portal\n\n1. From Azure Home open the Portal Menu in the top left.\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Settings` section, click on `Configuration`.\n5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing).\n\n**NOTE:** No action is required if `Python version` is set to `Off`, as Python is not used by your web app.\n\n### From Azure CLI\n\nTo see the list of supported runtimes:\n\n```bash\naz webapp list-runtimes\n```\n\nTo set latest Python version for an existing app, run the following command:\n\n```bash\naz webapp config set --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e [--windows-fx-version \"PYTHON|3.11\"] [--linux-fx-version \"PYTHON|3.11\"]\n```\n\n### From PowerShell\n\nAs of this writing, there is no way to update an existing application's `SiteConfig` or set the a new application's `SiteConfig` settings during creation via PowerShell.\n\n### Default Value\n\nThe version of Python is whatever was selected upon App creation.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_8", + "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.", + "title": "9.8 Ensure that 'Java version' is the latest, if used to run the Web App", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.8", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## Remediation\n\n### From Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com)\n2. Go to `App Services`\n3. Click on each App\n4. Under `Settings` section, click on `Configuration`\n5. 
Click on the `General settings` pane and ensure that for a `Stack` of `Java` the `Major Version` and `Minor Version` reflect the latest stable and supported release, and that the `Java web server version` is set to the `auto-update` option.\n\n**Note** No action is required if `Java version` is set to `Off`, as Java is not used by your web app.\n\n### From Azure CLI\n\nTo see the list of supported runtimes:\n\n```bash\naz webapp list-runtimes\n```\n\nTo set latest Java version for an existing app, run the following command:\n\n```bash\naz webapp config set --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e [--java-version \u003cJAVA_VERSION\u003e --java-container \u003cJAVA_CONTAINER\u003e --java- container-version \u003cJAVA_CONTAINER_VERSION\u003e [--windows-fx-version \u003cjava runtime version\u003e] [--linux-fx-version \u003cjava runtime version version\u003e]\n```\n\nIf creating a new web application to use a currently supported version of Java, run the following commands.\n\nTo create an app service plan:\n\n```bash\naz appservice plan create --resource-group \u003cresource group name\u003e --name \u003cplan name\u003e --location \u003clocation\u003e [--is-linux --number-of-workers \u003cint\u003e --sku \u003cpricing tier\u003e] [--hyper-v --sku \u003cpricing tier\u003e]\n```\n\nGet the app service plan ID:\n\n```bash\naz appservice plan list --query \"[].{Name:name, ID:id, SKU:sku, Location:location}\"\n```\n\nTo create a new Java web application using the retrieved app service ID:\n\n```bash\naz webapp create --resource-group \u003cresource group name\u003e --plan \u003capp service plan ID\u003e --name \u003capp name\u003e [--linux-fx-version \u003cjava run time version\u003e] [--\nwindows-fx-version \u003cjava run time version\u003e]\n```\n\n### From PowerShell\n\nAs of this writing, there is no way to update an existing application's `SiteConfig` or set a new application's `SiteConfig` settings during creation via 
PowerShell.\n\n### Default Value\n\nThe default setting is whichever setting was chosen in the creation of the webapp.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_9", + "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.", + "title": "9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.9", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nPeriodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.\n\nNewer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. 
They must also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\nHTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.\n\n## Remediation\n\n### Azure Portal\n\n1. Login to Azure Portal using [https://portal.azure.com](https://portal.azure.com).\n2. Go to `App Services`.\n3. Click on each App.\n4. Under `Setting` section, Click on `Configuration`.\n5. Set `HTTP version` to `2.0` under `General settings`.\n\n**NOTE:** Most modern browsers support HTTP 2.0 protocol over TLS only, while non- encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From Azure CLI\n\nTo set HTTP 2.0 version for an existing app, run the following command:\n\n```bash\naz webapp config set --resource-group \u003cRESOURCE_GROUP_NAME\u003e --name \u003cAPP_NAME\u003e --http20-enabled true\n```\n\n### From PowerShell\n\nTo enable HTTP 2.0 version support, run the following command:\n\n```bash\nSet-AzWebApp -ResourceGroupName \u003capp resource group\u003e -Name \u003capp name\u003e - Http20Enabled $true\n```\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_10", + "description": "By default, Azure Functions, Web, and API Services can be 
deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.", + "title": "9.10 Ensure FTP deployments are Disabled", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.10", + "cis_level": "1", + "cis_section_id": "9", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nBy default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.\n\n## Remediation\n\n### From Azure Portal\n\n1. Go to the Azure Portal.\n2. Select `App Services`.\n3. Click on an app.\n4. Select `Settings` and then `Configuration`.\n5. 
Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only`.\n\n### From Azure CLI\n\nFor each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate:\n\n```bash\naz webapp config set --resource-group \u003cresource group name\u003e --name \u003capp name\u003e --ftps-state [disabled|FtpsOnly]\n```\n\n### From PowerShell\n\nFor each out of compliance application, run the following:\n\n```bash\nSet-AzWebApp -ResourceGroupName \u003cresource group name\u003e -Name \u003capp name\u003e - FtpsState \u003cDisabled or FtpsOnly\u003e\n```\n\n### Default Value\n\nBy default, FTP based deployment is `All allowed`.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 9 AppService", + "category_hierarchy": [ + "CIS v2.0.0", + "9 AppService" + ], + "control_id": "azure_compliance.control.cis_v200_9_11", + "description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.", + "title": "9.11 Ensure Azure Key Vaults are Used to Store Secrets", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "9.11", + "cis_level": "2", + "cis_section_id": "9", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService" + }, + "documentation": "## Description\n\nAzure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. 
Access to these 'Secrets' can be controlled through granular permissions.\n\nThe credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.\n\n## Remediation\n\nRemediation has 2 steps\n\n1. Set up the Key Vault\n2. Set up the App Service to use the Key Vault\n\n### Step 1: Set up the Key Vault\n\n### From Azure CLI\n\n```bash\naz keyvault create --name \"\u003cname\u003e\" --resource-group \"\u003cmyResourceGroup\u003e\" -- location myLocation\n```\n\n### From Powershell\n\n```bash\nNew-AzKeyvault -name \u003cname\u003e -ResourceGroupName \u003cmyResourceGroup\u003e -Location \u003cmyLocation\u003e\n```\n\n### Step 2: Set up the App Service to use the Key Vault\n\nSample JSON Template for App Service Configuration:\n\n```bash\n{\n \"resources\":[\n {\n \"type\":\"Microsoft.Storage/storageAccounts\",\n \"name\":\"[variables('storageAccountName')]\",\n },\n {\n \"type\":\"Microsoft.Insights/components\",\n \"name\":\"[variables('appInsightsName')]\",\n },\n {\n \"type\":\"Microsoft.Web/sites\",\n \"name\":\"[variables('functionAppName')]\",\n \"identity\":{\n \"type\":\"SystemAssigned\"\n },\n \"resources\":[\n {\n \"type\":\"config\",\n \"name\":\"appsettings\",\n \"dependsOn\":[\n \"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]\",\n \"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]\",\n \"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))]\",\n \"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]\"\n ],\n 
\"properties\":{\n \"AzureWebJobsStorage\":\"[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersio n, ')')]\",\n \"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING\":\"[concat('@Microsoft.KeyVault(SecretUri=',\n reference(variables('storageConnectionStringResourceId')).secretUriWithVersio n, ')')]\",\n \"APPINSIGHTS_INSTRUMENTATIONKEY\":\"[concat('@Microsoft.KeyVault(SecretUri=',\n reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')]\",\n \"WEBSITE_ENABLE_SYNC_UPDATE_SITE\":\"true\"\n }\n },\n {\n \"type\":\"sourcecontrols\",\n \"name\":\"web\",\n \"dependsOn\":[\n \"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]\",\n \"[resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]\"\n ]\n }{\n \"type\":\"Microsoft.KeyVault/vaults\",\n \"name\":\"[variables('keyVaultName')]\",\n ]\n },\n \"dependsOn\":[\n \"[resourceId('Microsoft.Web/sites',\n variables('functionAppName'))]\"\n ],\n \"properties\":{\n \"accessPolicies\":[\n {\n \"tenantId\":\"[reference(concat('Microsoft.Web/sites/', variables('functionAppName'),\n '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31- PREVIEW').tenantId]\",\n \"objectId\":\"[reference(concat('Microsoft.Web/sites/', variables('functionAppName'),\n '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31- PREVIEW').principalId]\",\n \"permissions\":{\n \"secrets\":[\n \"get\"\n ]\n }\n }\"resources\":[\n {\n \"type\":\"secrets\"\n ]\n },\n \"name\":\"[variables('storageConnectionStringName')]\",\n \"dependsOn\":[\n \"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]\",\n \"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]\"\n ],\n \"properties\":{\n \"value\":\"[concat('DefaultEndpointsProtocol=https;AccountName=',\n variables('storageAccountName'), ';AccountKey=', 
listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]\"\n }\n },\n {\n \"type\":\"secrets\",\n \"name\":\"[variables('appInsightsKeyName')]\",\n \"dependsOn\":[\n \"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]\",\n \"[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]\"\n ],\n \"properties\":{\n \"value\":\"[reference(resourceId('microsoft.insights/components/',\n variables('appInsightsName')), '2015-05-01').InstrumentationKey]\"\n }\n }\n ]\n }\n ]\n}\n```\n\n### Default Value\n\nBy default, no Azure Key Vaults are created.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_9", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 10 Miscellaneous", + "category_hierarchy": [ + "CIS v2.0.0", + "10 Miscellaneous" + ], + "control_id": "azure_compliance.control.cis_v200_10_1", + "description": "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users.", + "title": "10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "10.1", + "cis_level": "2", + "cis_section_id": "8", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure" + }, + "documentation": "## Description\n\nResource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. 
These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.\n\nAs an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to `CanNotDelete` or `ReadOnly` to achieve this purpose.\n\n- `CanNotDelete` means authorized users can still read and modify a resource, but they cannot delete the resource.\n- `ReadOnly` means authorized users can read a resource, but they cannot delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.\n\n## Remediation\n\n### From Azure Portal\n\n1. Navigate to the specific Azure Resource or Resource Group.\n2. For each of the mission critical resource, click on `Locks`.\n3. Click `Add`.\n4. Give the lock a name and a description, then select the type, `Read-only` or `Delete` as appropriate.\n5. 
Click OK.\n\n### From Azure CLI\n\nTo lock a resource, provide the name of the resource, its resource type, and its resource group name.\n\n```bash\naz lock create --name \u003cLockName\u003e --lock-type \u003cCanNotDelete/Read-only\u003e -- resource-group \u003cresourceGroupName\u003e --resource-name \u003cresourceName\u003e --resource- type \u003cresourceType\u003e\n```\n\n### From Powershel\n\n```bash\nGet-AzResourceLock -ResourceName \u003cResource Name\u003e -ResourceType \u003cResource Type\u003e -ResourceGroupName \u003cResource Group Name\u003e -Locktype \u003cCanNotDelete/Read- only\u003e\n```\n\n### Default Value\n\nBy default, no locks are set.\n", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.cis_v200", + "azure_compliance.benchmark.cis_v200_10" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.cis_v200/azure_compliance.benchmark.cis_v200_10", + "executable": true + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/cis_benchmarks.json b/deepfence_server/cloud_controls/azure/cis_benchmarks.json new file mode 100644 index 0000000000..25dc3f2122 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/cis_benchmarks.json 
@@ -0,0 +1,589 @@ +[ + { + "benchmark_id": "azure_compliance.benchmark.cis_v200", + "description": "The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.", + "title": "CIS v2.0.0", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.\n\n## Overview\n\nThe CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.\n\n## Profiles\n\n### Level 1\n\nItems in this profile intend to:\n- be practical and prudent;\n- provide security focused best practice hardening of a technology; and\n- limit impact to the utility of the technology beyond acceptable means.\n\n### Level 2 (extends Level 1)\n\nThis profile extends the \"Level 1\" profile. 
Items in this profile exhibit one or more of the following characteristics:\n- are intended for environments or use cases where security is more critical than manageability and usability\n- acts as defense in depth measure\n- may impact the utility or performance of the technology\n- may include additional licensing, cost, or addition of third party software.\n", + "children": [ + "azure_compliance.benchmark.cis_v200_1", + "azure_compliance.benchmark.cis_v200_2", + "azure_compliance.benchmark.cis_v200_3", + "azure_compliance.benchmark.cis_v200_4", + "azure_compliance.benchmark.cis_v200_5", + "azure_compliance.benchmark.cis_v200_6", + "azure_compliance.benchmark.cis_v200_7", + "azure_compliance.benchmark.cis_v200_8", + "azure_compliance.benchmark.cis_v200_9", + "azure_compliance.benchmark.cis_v200_10" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_1", + "description": "", + "title": "1 Identity and Access Management", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "1", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to set identity and access management policies on an Azure Subscription. Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment.\n\nMany of the recommendations from this section are marked as \"Manual\" while the existing Azure CLI and Azure AD PowerShell support through the Azure AD Graph are being depreciated. It is now recommended to use the new Microsoft Graph in replacement of Azure AD Graph for PowerShell and API level access. 
From a security posture standpoint, these recommendations are still very important and should not be discounted because they are \"Manual.\" As automation capability using Rest API is developed for this Benchmark, the related recommendations will be updated with the respective audit and remediation steps and changed to an \"automated\" assessment status.\n\nIf any problems are encountered running Azure CLI or PowerShell methodologies, please refer to the Overview for this benchmark where you will find additional detail on permission and required cmdlets.", + "children": [ + "azure_compliance.benchmark.cis_v200_1_1", + "azure_compliance.benchmark.cis_v200_1_2", + "azure_compliance.control.cis_v200_1_3", + "azure_compliance.control.cis_v200_1_4", + "azure_compliance.control.cis_v200_1_5", + "azure_compliance.control.cis_v200_1_6", + "azure_compliance.control.cis_v200_1_7", + "azure_compliance.control.cis_v200_1_8", + "azure_compliance.control.cis_v200_1_9", + "azure_compliance.control.cis_v200_1_10", + "azure_compliance.control.cis_v200_1_11", + "azure_compliance.control.cis_v200_1_12", + "azure_compliance.control.cis_v200_1_13", + "azure_compliance.control.cis_v200_1_14", + "azure_compliance.control.cis_v200_1_15", + "azure_compliance.control.cis_v200_1_16", + "azure_compliance.control.cis_v200_1_17", + "azure_compliance.control.cis_v200_1_18", + "azure_compliance.control.cis_v200_1_19", + "azure_compliance.control.cis_v200_1_20", + "azure_compliance.control.cis_v200_1_21", + "azure_compliance.control.cis_v200_1_22", + "azure_compliance.control.cis_v200_1_23", + "azure_compliance.control.cis_v200_1_24", + "azure_compliance.control.cis_v200_1_25" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_1_1", + "description": "", + "title": "1.1 Security Defaults", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "1.1", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + 
}, + "documentation": "## Overview\n\nThe Azure \"Security Defaults\" recommendations represent an entry-level set of recommendations which will be relevant to organizations and tenants that are either just starting to use Azure as an IaaS solution, or are only utilizing a bare minimum feature set such as the freely licensed tier of Azure Active Directory. Security Defaults recommendations are intended to ensure that these entry-level use cases are still capable of establishing a strong baseline of secure configuration.", + "children": [ + "azure_compliance.control.cis_v200_1_1_1", + "azure_compliance.control.cis_v200_1_1_2", + "azure_compliance.control.cis_v200_1_1_3", + "azure_compliance.control.cis_v200_1_1_4" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_1_2", + "description": "", + "title": "1.2 Conditional Access", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "1.2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nFor most Azure tenants, and certainly for organizations with a significant use of Azure Active Directory, Conditional Access policies are recommended and preferred. 
To use conditional access policies, a licensing plan is required, and Security Defaults must be disabled.\n\nConditional Access requires one of the following plans:\n\n- Azure Active Directory Premium P1 or P2\n- Microsoft 365 Business Premium\n- Microsoft 365 E3 or E5\n- Microsoft 365 F1, F3, F5 Security and F5 Security + Compliance\n- Enterprise Mobility \u0026 Security E3 or E5.", + "children": [ + "azure_compliance.control.cis_v200_1_2_1", + "azure_compliance.control.cis_v200_1_2_2", + "azure_compliance.control.cis_v200_1_2_3", + "azure_compliance.control.cis_v200_1_2_4", + "azure_compliance.control.cis_v200_1_2_5", + "azure_compliance.control.cis_v200_1_2_6" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_2", + "description": "", + "title": "2 Microsoft Defender", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations to consider for tenant-wide security policies and plans related to Microsoft Defender. 
Please note that because Microsoft Defender products require additional licensing, all Microsoft Defender plan recommendations in subsection 2.1 are assigned as “Level 2.”\n\nMicrosoft Defender products addressed in this section include:\n\n- Microsoft Defender for Cloud\n- Microsoft Defender for IoT\n- Microsoft Defender External Attack Surface Management", + "children": [ + "azure_compliance.benchmark.cis_v200_2_1", + "azure_compliance.benchmark.cis_v200_2_2", + "azure_compliance.benchmark.cis_v200_2_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_2_1", + "description": "", + "title": "2.1 Microsoft Defender for Cloud", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis subsection is dedicated to providing guidance on Microsoft Defender for Cloud product plans. This guidance is intended to ensure that - at a minimum - the protective measures offered by these plans are being considered. Organizations may find that they have existing products or services that provide the same utility as some Microsoft Defender for Cloud products. Security and Administrative personnel need to make the determination on their organization's behalf regarding which - if any - of these recommendations are relevant to their organization's needs. 
In consideration of the above, and because of the potential for increased cost and complexity, please be aware that all Defender Plan recommendations are profiled as \"Level 2\" recommendations.\n", + "children": [ + "azure_compliance.control.cis_v200_2_1_1", + "azure_compliance.control.cis_v200_2_1_2", + "azure_compliance.control.cis_v200_2_1_3", + "azure_compliance.control.cis_v200_2_1_4", + "azure_compliance.control.cis_v200_2_1_5", + "azure_compliance.control.cis_v200_2_1_6", + "azure_compliance.control.cis_v200_2_1_7", + "azure_compliance.control.cis_v200_2_1_8", + "azure_compliance.control.cis_v200_2_1_9", + "azure_compliance.control.cis_v200_2_1_10", + "azure_compliance.control.cis_v200_2_1_11", + "azure_compliance.control.cis_v200_2_1_12", + "azure_compliance.control.cis_v200_2_1_13", + "azure_compliance.control.cis_v200_2_1_14", + "azure_compliance.control.cis_v200_2_1_15", + "azure_compliance.control.cis_v200_2_1_16", + "azure_compliance.control.cis_v200_2_1_17", + "azure_compliance.control.cis_v200_2_1_18", + "azure_compliance.control.cis_v200_2_1_19", + "azure_compliance.control.cis_v200_2_1_20", + "azure_compliance.control.cis_v200_2_1_21", + "azure_compliance.control.cis_v200_2_1_22" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_2_2", + "description": "", + "title": "2.2 Microsoft Defender for IoT", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers requirements for Microsoft Defender for IoT\n", + "children": [ + "azure_compliance.control.cis_v200_2_2_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_3", + "description": "", + "title": "3 Storage Accounts", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "3", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Storage", 
+ "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow to set storage account policies on an Azure Subscription. An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n", + "children": [ + "azure_compliance.control.cis_v200_3_1", + "azure_compliance.control.cis_v200_3_2", + "azure_compliance.control.cis_v200_3_3", + "azure_compliance.control.cis_v200_3_4", + "azure_compliance.control.cis_v200_3_5", + "azure_compliance.control.cis_v200_3_6", + "azure_compliance.control.cis_v200_3_7", + "azure_compliance.control.cis_v200_3_8", + "azure_compliance.control.cis_v200_3_9", + "azure_compliance.control.cis_v200_3_10", + "azure_compliance.control.cis_v200_3_11", + "azure_compliance.control.cis_v200_3_12", + "azure_compliance.control.cis_v200_3_13", + "azure_compliance.control.cis_v200_3_14", + "azure_compliance.control.cis_v200_3_15" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_4", + "description": "", + "title": "4 Database Services", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow to set general database services policies on an Azure Subscription. 
Subsections will address specific database types.\n", + "children": [ + "azure_compliance.benchmark.cis_v200_4_1", + "azure_compliance.benchmark.cis_v200_4_2", + "azure_compliance.benchmark.cis_v200_4_3", + "azure_compliance.benchmark.cis_v200_4_4", + "azure_compliance.benchmark.cis_v200_4_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_4_1", + "description": "", + "title": "4.1 SQL Server - Auditing", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4.1", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nAuditing for Azure SQL Servers and SQL Databases tracks database events and writes them to an audit log Azure storage account, Log Analytics workspace or Event Hubs. Auditing helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. 
Auditing enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance.\n\nThe Default SQL Server Auditing profile set for SQL server is inherited by all the SQL Databases which are part of the SQL server.\n", + "children": [ + "azure_compliance.control.cis_v200_4_1_1", + "azure_compliance.control.cis_v200_4_1_2", + "azure_compliance.control.cis_v200_4_1_3", + "azure_compliance.control.cis_v200_4_1_4", + "azure_compliance.control.cis_v200_4_1_5", + "azure_compliance.control.cis_v200_4_1_6" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_4_2", + "description": "", + "title": "4.2 SQL Server - Microsoft Defender for SQL", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4.2", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nMicrosoft Defender for SQL provides a layer of security which enables customers to detect and respond to potential threats as they occur through security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. 
SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.\n\nMicrosoft Defender for SQL may incur additional cost per SQL server.\n", + "children": [ + "azure_compliance.control.cis_v200_4_2_1", + "azure_compliance.control.cis_v200_4_2_2", + "azure_compliance.control.cis_v200_4_2_3", + "azure_compliance.control.cis_v200_4_2_4", + "azure_compliance.control.cis_v200_4_2_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_4_3", + "description": "", + "title": "4.3 PostgreSQL Database Server", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4.3", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section groups security best practices/recommendations for Azure PostgreSQL Database Servers.", + "children": [ + "azure_compliance.control.cis_v200_4_3_1", + "azure_compliance.control.cis_v200_4_3_2", + "azure_compliance.control.cis_v200_4_3_3", + "azure_compliance.control.cis_v200_4_3_4", + "azure_compliance.control.cis_v200_4_3_5", + "azure_compliance.control.cis_v200_4_3_6", + "azure_compliance.control.cis_v200_4_3_7", + "azure_compliance.control.cis_v200_4_3_8" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_4_4", + "description": "", + "title": "4.4 MySQL Database", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4.4", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section groups security best practices/recommendations for Azure MySQL Database Servers.\n", + "children": [ + "azure_compliance.control.cis_v200_4_4_1", + "azure_compliance.control.cis_v200_4_4_2", + "azure_compliance.control.cis_v200_4_4_3", + "azure_compliance.control.cis_v200_4_4_4" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.cis_v200_4_5", + "description": "", + "title": "4.5 Cosmos DB", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "4", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section groups security best practices/recommendations for Azure Cosmos DB Database Servers.", + "children": [ + "azure_compliance.control.cis_v200_4_5_1", + "azure_compliance.control.cis_v200_4_5_2", + "azure_compliance.control.cis_v200_4_5_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_5", + "description": "", + "title": "5 Logging and Monitoring", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "5", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n", + "children": [ + "azure_compliance.benchmark.cis_v200_5_1", + "azure_compliance.benchmark.cis_v200_5_2", + "azure_compliance.benchmark.cis_v200_5_3", + "azure_compliance.control.cis_v200_5_4", + "azure_compliance.benchmark.cis_v200_5_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_5_1", + "description": "", + "title": "5.1 Configuring Diagnostic Settings", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "5", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThe Azure Diagnostic Settings capture control/management activities performed on a subscription or Azure AD Tenant. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of events that are stored or streamed and the outputs—storage account, log analytics workspace, event hub, and others. 
The Diagnostic Settings, if configured properly, can ensure that all logs are retained for longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all logs captured are retained for longer periods.\n\n### Azure Subscriptions\n\nWhen configuring Diagnostic Settings, you may choose to export in one of four ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, Storage Account, and Partner Solutions. It is important to ensure you are aware and have set retention as your organization sees fit.\n\n### Azure AD Logs\n\nIn order to retain sign in logs, user account changes, application provisioning logs, or other logs that are visible to only on the Tenant in Azure AD, separate Diagnostic settings must be specified.\n\n### Deployment by Policy\n\nDeploying Azure diagnostics should ideally be done by policy to ensure a consistent configuration, Microsoft provide a full set of policies for all diagnostic capable resource types in their github repository. If you chose to deploy by policy, it is best to route the diagnostics to a Log Analytics Workspace so that they can be used in Azure Monitor or Azure Sentinel. Be aware that this has a cost attached to it. 
Future versions of the CIS Azure Foundations Benchmark will aim to cover the use of policy in greater detail.\n", + "children": [ + "azure_compliance.control.cis_v200_5_1_1", + "azure_compliance.control.cis_v200_5_1_2", + "azure_compliance.control.cis_v200_5_1_3", + "azure_compliance.control.cis_v200_5_1_4", + "azure_compliance.control.cis_v200_5_1_5", + "azure_compliance.control.cis_v200_5_1_6", + "azure_compliance.control.cis_v200_5_1_7" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_5_2", + "description": "", + "title": "5.2 Monitoring using Activity Log Alerts", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "5", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThe recommendations provided in this section are intended to provide entry-level alerting for crucial activities on a tenant account. These recommended activities should be tuned to your needs. By default, each of these Activity Log Alerts tends to guide the reader to alerting at the \"Subscription-wide\" level which will capture and alert on rules triggered by all resources and resource groups contained within a subscription. This is not an ideal rule set for Alerting within larger and more complex organizations.\n\nWhile this section provides recommendations for the creation of **Activity Log Alerts** specifically, Microsoft Azure supports four different types of alerts:\n\n- Metric Alerts\n- Log Alerts\n- Activity Log Alerts\n- Smart Detection Alerts\n\nAll Azure services (Microsoft provided or otherwise) that can generate alerts are assigned a \"Resource provider namespace\" when they are registered in an Azure tenant. The recommendations in this section are in no way exhaustive of the plethora of available \"Providers\" or \"Resource Types.\" The Resource Providers that are registered in your Azure Tenant can be located in your Subscription. 
Each registered Provider in your environment **may** have available \"Conditions\" to raise alerts via Activity Log Alerts. These providers should be considered for inclusion in Activity Log Alert rules of your own making.\n\nTo view the registered resource providers in your Subscription(s), use this guide:\n\n- [https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types)\n\nIf you wish to create custom alerting rules for Activity Log Alerts or other alert types, please refer to Microsoft documentation:\n\n- [https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule](https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule)", + "children": [ + "azure_compliance.control.cis_v200_5_2_1", + "azure_compliance.control.cis_v200_5_2_2", + "azure_compliance.control.cis_v200_5_2_3", + "azure_compliance.control.cis_v200_5_2_4", + "azure_compliance.control.cis_v200_5_2_5", + "azure_compliance.control.cis_v200_5_2_6", + "azure_compliance.control.cis_v200_5_2_7", + "azure_compliance.control.cis_v200_5_2_8", + "azure_compliance.control.cis_v200_5_2_9", + "azure_compliance.control.cis_v200_5_2_10" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_5_3", + "description": "", + "title": "5.3 Configuring Application Insights", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "5", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor", + "type": "Benchmark" + }, + "documentation": "## Description\n\nConfiguring Application Insights\n", + "children": [ + "azure_compliance.control.cis_v200_5_3_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_5_5", + "description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and 
what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.", + "title": "5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_item_id": "5.5", + "cis_level": "2", + "cis_section_id": "5", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Monitor" + }, + "documentation": "## Description\n\nThe use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.\n\nTypically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist.\n\nThe following resource types should use standard SKUs as a minimum.\n- Public IP Addresses\n- Network Load Balancers\n- REDIS Cache\n- SQL PaaS Databases\n- VPN Gateways\n\n## Remediation\n\nEach artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.\n\n### Default Value\n\nPolicy should enforce standard SKUs for the following artifacts:\n- Public IP Addresses\n- Network Load Balancers\n- REDIS Cache\n- SQL PaaS Databases\n- VPN Gateways\n", + "children": [ + "azure_compliance.control.network_lb_no_basic_sku", + "azure_compliance.control.network_public_ip_no_basic_sku", + "azure_compliance.control.network_virtual_network_gateway_no_basic_sku", + "azure_compliance.control.redis_cache_no_basic_sku" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.cis_v200_6", + "description": "", + "title": "6 Networking", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "6", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow in order to set networking policies on an Azure subscription.\n", + "children": [ + "azure_compliance.control.cis_v200_6_1", + "azure_compliance.control.cis_v200_6_2", + "azure_compliance.control.cis_v200_6_3", + "azure_compliance.control.cis_v200_6_4", + "azure_compliance.control.cis_v200_6_5", + "azure_compliance.control.cis_v200_6_6", + "azure_compliance.control.cis_v200_6_7" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_7", + "description": "", + "title": "7 Virtual Machines", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "7", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow for the configuration of Virtual Machines on an Azure subscription.\n", + "children": [ + "azure_compliance.control.cis_v200_7_1", + "azure_compliance.control.cis_v200_7_2", + "azure_compliance.control.cis_v200_7_3", + "azure_compliance.control.cis_v200_7_4", + "azure_compliance.control.cis_v200_7_5", + "azure_compliance.control.cis_v200_7_6", + "azure_compliance.control.cis_v200_7_7" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_8", + "description": "", + "title": "8 Key Vault", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "8", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow for the configuration and use of Azure Key Vault.", + "children": [ + 
"azure_compliance.control.cis_v200_8_1", + "azure_compliance.control.cis_v200_8_2", + "azure_compliance.control.cis_v200_8_3", + "azure_compliance.control.cis_v200_8_4", + "azure_compliance.control.cis_v200_8_5", + "azure_compliance.control.cis_v200_8_6", + "azure_compliance.control.cis_v200_8_7", + "azure_compliance.control.cis_v200_8_8" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_9", + "description": "", + "title": "9 AppService", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "9", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations for Azure AppService.\n", + "children": [ + "azure_compliance.control.cis_v200_9_1", + "azure_compliance.control.cis_v200_9_2", + "azure_compliance.control.cis_v200_9_3", + "azure_compliance.control.cis_v200_9_4", + "azure_compliance.control.cis_v200_9_5", + "azure_compliance.control.cis_v200_9_6", + "azure_compliance.control.cis_v200_9_7", + "azure_compliance.control.cis_v200_9_8", + "azure_compliance.control.cis_v200_9_9", + "azure_compliance.control.cis_v200_9_10", + "azure_compliance.control.cis_v200_9_11" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.cis_v200_10", + "description": "", + "title": "10 Miscellaneous", + "tags": { + "category": "Compliance", + "cis": "true", + "cis_section_id": "10", + "cis_version": "v2.0.0", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations for Miscellaneous.", + "children": [ + "azure_compliance.control.cis_v200_10_1" + ] + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/hipaa.json b/deepfence_server/cloud_controls/azure/hipaa.json new file mode 100644 index 0000000000..5c22bcb597 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/hipaa.json 
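Review bot: The `cis_section_id` tag is inconsistent across the subsection benchmarks in this file: 1.1, 1.2 and 4.1–4.4 carry their own id (`"cis_section_id": "4.1"`), while 2.1, 2.2, 4.5, 5.1, 5.2 and 5.3 carry the parent's id (`"2"`, `"4"`, `"5"`), so any grouping or filtering keyed on that tag will fold those subsections into their parent; the values should be `"2.1"`, `"2.2"`, `"4.5"`, `"5.1"`, `"5.2"`, `"5.3"` to match the titles and the pattern used elsewhere. The `cis_v200_2` benchmark also lists `azure_compliance.benchmark.cis_v200_2_3` as a child, but no entry with that `benchmark_id` appears in this file (only 2_1 and 2_2 are defined), so if the loader resolves children against this file that reference presumably dangles or yields an empty section. The 5.5 entry is keyed as a benchmark yet carries control-style tags (`cis_item_id`, `cis_level`, `cis_type`) and omits `"type": "Benchmark"` that every other benchmark here has; if the loader distinguishes benchmarks from controls by that tag, this entry will be classified differently from its siblings, which is worth confirming.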
@@ -0,0 +1,6503 @@ +[ + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Administrator and Operator Logs \u003e The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Administrator and Operator Logs", + "The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis" + ], + "control_id": "azure_compliance.control.monitor_log_alert_for_administrative_operations", + "description": "This policy audits specific Administrative operations with no activity log alerts configured.", + "title": "An activity log alert should exist for specific Administrative operations", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs", + "azure_compliance.benchmark.hipaa_hitrust_v92_1270_09ad1system_12_09_ad" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs/azure_compliance.benchmark.hipaa_hitrust_v92_1270_09ad1system_12_09_ad", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Administrator and Operator Logs \u003e An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Administrator and Operator Logs", + "An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance" + ], + "control_id": 
"azure_compliance.control.monitor_log_alert_for_administrative_operations", + "description": "This policy audits specific Administrative operations with no activity log alerts configured.", + "title": "An activity log alert should exist for specific Administrative operations", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs", + "azure_compliance.benchmark.hipaa_hitrust_v92_1271_09ad1system_1_09_ad" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs/azure_compliance.benchmark.hipaa_hitrust_v92_1271_09ad1system_1_09_ad", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information" + ], + "control_id": "azure_compliance.control.datalake_store_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Data Lake Store should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1202_09aa1system_1_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1202_09aa1system_1_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed" + ], + "control_id": "azure_compliance.control.logic_app_workflow_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Logic Apps should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Logic" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1203_09aa1system_2_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1203_09aa1system_2_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event" + ], + "control_id": "azure_compliance.control.iot_hub_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in IoT Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/IoTHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1204_09aa1system_3_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1204_09aa1system_3_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents" + ], + "control_id": "azure_compliance.control.batch_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Batch accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1205_09aa2system_1_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1205_09aa2system_1_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Auditing a system while it is active", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Auditing a system while it is active" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", + "title": "Resource logs in Virtual Machine Scale Sets should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1206_09aa2system_23_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1206_09aa2system_23_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA 
HITRUST 9.2 \u003e Audit Logging \u003e Audit records are retained for 90 days and older audit records are archived for one year", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Audit records are retained for 90 days and older audit records are archived for one year" + ], + "control_id": "azure_compliance.control.eventhub_namespace_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Event Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Audit records are retained for 90 days and older audit records are archived for one year", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Audit records are retained for 90 days and older audit records are archived for one year" + ], + "control_id": "azure_compliance.control.stream_analytics_job_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Stream Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/StreamAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes" + ], + "control_id": "azure_compliance.control.search_service_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Search services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes" + ], + "control_id": "azure_compliance.control.servicebus_namespace_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Service Bus should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e The information system generates audit records containing detailed information", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "The information system generates audit records containing detailed information" + ], + "control_id": "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "description": "Audit enabling of diagnostic logs on the app. 
This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.", + "title": "Diagnostic logs in App Services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1209_09aa3system_2_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1209_09aa3system_2_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender" + ], + "control_id": "azure_compliance.control.datalake_analytics_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Data Lake Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender" + ], + "control_id": "azure_compliance.control.audit_diagnostic_setting", + "description": "Audit diagnostic setting for selected resource types.", + "title": "Audit diagnostic setting", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required" + ], + "control_id": "azure_compliance.control.keyvault_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Key Vault should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is 
erased or its use is still required" + ], + "control_id": "azure_compliance.control.keyvault_managed_hms_logging_enabled", + "description": "To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs.", + "title": "Resource logs in Azure Key Vault Managed HSM should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Audit Logging \u003e The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Audit Logging", + "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging/azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e A formal definition of the level of backup", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "A formal definition of the level of backup" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_11617_09l1organizational_23_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_11617_09l1organizational_23_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals" + ], + "control_id": "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.", + "title": "Long-term geo-redundant backup should be enabled for Azure SQL Databases", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1616_09l1organizational_16_09_l" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1616_09l1organizational_16_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Storing and protecting the backups at the remote location", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Storing and protecting the backups at the remote location" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1618_09l1organizational_45_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1618_09l1organizational_45_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Inventory records for the backup copies, including content and current location, are maintained", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Inventory records for the backup copies, including content and current location, are 
maintained" + ], + "control_id": "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MariaDB", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1619_09l1organizational_7_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1619_09l1organizational_7_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Automated tools are used to track all backups", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Automated tools are used to track all backups" + ], + "control_id": "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.", + "title": "Long-term geo-redundant backup should be enabled for Azure SQL Databases", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1621_09l2organizational_1_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1621_09l2organizational_1_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Maintaining the integrity and security of the backup copies", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Maintaining the integrity and security of the backup copies" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1622_09l2organizational_23_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1622_09l2organizational_23_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e Covered information is backed-up in an encrypted format to ensure confidentiality", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "Covered information is backed-up in an encrypted format to ensure confidentiality" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1623_09l2organizational_4_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1623_09l2organizational_4_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e The organization performs incremental or differential backups daily and full backups weekly to separate media", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "The organization performs incremental or differential backups daily and full backups weekly to separate media" + ], + "control_id": "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MariaDB", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1624_09l3organizational_12_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1624_09l3organizational_12_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e The organization ensures a current, retrievable copy of covered information is available before movement of servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "The organization ensures a current, retrievable copy of covered information is available before movement of servers" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1626_09l3organizational_5_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1626_09l3organizational_5_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Back-up \u003e The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Back-up", + "The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_1627_09l3organizational_6_09_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_back_up/azure_compliance.benchmark.hipaa_hitrust_v92_1627_09l3organizational_6_09_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Business Continuity and Risk Assessment \u003e The organization identifies the critical business processes requiring business continuity", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Business Continuity and Risk Assessment", + "The organization identifies the critical business processes requiring business continuity" + ], + "control_id": "azure_compliance.control.compute_vm_disaster_recovery_enabled", + "description": "Audit virtual machines which do not have disaster recovery configured.", + "title": "Audit virtual machines without disaster recovery configured", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "azure_compliance.benchmark.hipaa_hitrust_v92_1634_12b1organizational_1_12_b" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment/azure_compliance.benchmark.hipaa_hitrust_v92_1634_12b1organizational_1_12_b", + 
"executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Business Continuity and Risk Assessment \u003e Information security aspects of business continuity", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Business Continuity and Risk Assessment", + "Information security aspects of business continuity" + ], + "control_id": "azure_compliance.control.keyvault_managed_hms_purge_protection_enabled", + "description": "Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.", + "title": "Azure Key Vault Managed HSM should have purge protection enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment/azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Business Continuity and Risk Assessment \u003e Information security aspects of business continuity", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Business Continuity and Risk Assessment", + "Information security aspects of business continuity" + ], + "control_id": 
"azure_compliance.control.keyvault_purge_protection_enabled", + "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.", + "title": "Key vaults should have purge protection enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment/azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Business Continuity and Risk Assessment \u003e Business continuity risk assessments", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Business Continuity and Risk Assessment", + "Business continuity risk assessments" + ], + "control_id": "azure_compliance.control.compute_vm_disaster_recovery_enabled", + "description": "Audit virtual machines which do not have disaster recovery configured.", + "title": "Audit virtual machines without disaster recovery configured", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "azure_compliance.benchmark.hipaa_hitrust_v92_1638_12b2organizational_345_12_b" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment/azure_compliance.benchmark.hipaa_hitrust_v92_1638_12b2organizational_345_12_b", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0635_10k1organizational_12_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0635_10k1organizational_12_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0636_10k2organizational_1_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0636_10k2organizational_1_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e The organization has developed, documented, and implemented a configuration management plan for the information system", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "The organization has developed, documented, and implemented a configuration management plan for the information system" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0637_10k2organizational_2_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0637_10k2organizational_2_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0638_10k2organizational_34569_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0638_10k2organizational_34569_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0639_10k2organizational_78_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0639_10k2organizational_78_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Change control procedures to address security are included in the contract(s) where development is outsourced", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Change control procedures to address security are included in the contract(s) where development is outsourced" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0640_10k2organizational_1012_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0640_10k2organizational_1012_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e The organization does not use automated updates on critical systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "The organization does not use automated updates on critical systems" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0641_10k2organizational_11_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0641_10k2organizational_11_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0642_10k3organizational_12_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0642_10k3organizational_12_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Establishing and documenting the mandatory configuration settings for information technology products", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Establishing and documenting the mandatory configuration settings for information technology products" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0643_10k3organizational_3_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0643_10k3organizational_3_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Change Control Procedures \u003e Automated mechanisms to centrally manage and verify configuration settings", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Change Control Procedures", + "Automated mechanisms to centrally manage and verify configuration settings" + ], + "control_id": "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0644_10k3organizational_4_10_k" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0644_10k3organizational_4_10_k", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Operational Software \u003e Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Operational Software", + "Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software", + "azure_compliance.benchmark.hipaa_hitrust_v92_0605_10h1system_12_10_h" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software/azure_compliance.benchmark.hipaa_hitrust_v92_0605_10h1system_12_10_h", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Operational Software \u003e The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Operational Software", + "The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation." + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software", + "azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software/azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Operational Software \u003e The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Operational Software", + "The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation." 
+ ], + "control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software", + "azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software/azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], + "control_id": "azure_compliance.control.sql_server_and_databases_va_enabled", + "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on your SQL servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], 
+ "control_id": "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled", + "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on SQL Managed Instance", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Patches are tested and evaluated before they are installed", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Patches are tested and evaluated before they are installed" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0713_10m2organizational_5_10_m" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0713_10m2organizational_5_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e The technical vulnerability management program is evaluated on a quarterly basis", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "The technical vulnerability management program is evaluated on a quarterly basis" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0714_10m2organizational_7_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0714_10m2organizational_7_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned" + ], + 
"control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0717_10m3organizational_2_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0717_10m3organizational_2_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e The organization scans for vulnerabilities in the information system and hosted applications", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "The organization scans for vulnerabilities in the information system and hosted applications" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0718_10m3organizational_34_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0718_10m3organizational_34_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported" + ], + "control_id": "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled", + "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on SQL Managed Instance", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0719_10m3organizational_5_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0719_10m3organizational_5_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e A hardened configuration standard exists for all system and network components", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "A hardened configuration standard exists for all system and network components" + ], + "control_id": "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled", + "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on SQL Managed Instance", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0710_10m2organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0710_10m2organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0716_10m3organizational_1_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0716_10m3organizational_1_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Control of Technical Vulnerabilities \u003e A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Control of Technical Vulnerabilities", + "A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_0711_10m2organizational_23_10_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities/azure_compliance.benchmark.hipaa_hitrust_v92_0711_10m2organizational_23_10_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Controls Against Malicious Code \u003e Anti-virus and anti-spyware are installed, operating and updated on all end-user devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Controls Against Malicious Code", + "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code/azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Controls Against Malicious Code \u003e Anti-virus and anti-spyware are installed, operating and updated on all end-user devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Controls Against Malicious Code", + "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices" + ], + "control_id": "azure_compliance.control.compute_vm_malware_agent_automatic_upgrade_enabled", + "description": "This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.", + "title": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code/azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Controls Against Malicious Code \u003e Anti-virus and anti-spyware are installed, operating and updated on all end-user devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Controls Against Malicious Code", + "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices" + ], + "control_id": "azure_compliance.control.compute_vm_malware_agent_installed", + "description": "This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.", + "title": "Deploy default Microsoft IaaSAntimalware extension for Windows Server", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code/azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Controls Against Malicious Code \u003e Anti-virus and anti-spyware are installed, operating and updated on all end-user devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Controls Against Malicious Code", + "Anti-virus and anti-spyware are installed, operating and updated on 
all end-user devices" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code/azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Controls Against Malicious Code \u003e Anti-virus and anti-spyware are installed, operating and updated on all end-user devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Controls Against Malicious Code", + "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices" + ], + "control_id": "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code/azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e Access to the organizations information and systems by external parties", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "Access to the organizations information and systems by external parties" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1401_05i1organizational_1239_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1401_05i1organizational_1239_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to 
External Parties \u003e Remote access connections between the organization and external parties are encrypted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "Remote access connections between the organization and external parties are encrypted" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1402_05i1organizational_45_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1402_05i1organizational_45_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e Access granted to external parties is limited to the minimum necessary and granted only for the duration required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "Access granted to external parties is limited to the minimum necessary and granted only for the duration required" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + 
"title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1403_05i1organizational_67_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1403_05i1organizational_67_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e Due diligence of the external party includes interviews, document review, checklists, certification reviews (e.g. HITRUST) or other remote means", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "Due diligence of the external party includes interviews, document review, checklists, certification reviews (e.g. 
HITRUST) or other remote means" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1404_05i2organizational_1_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1404_05i2organizational_1_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e The identification of risks related to external party access takes into account a minimal set of specifically defined issues", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "The identification of risks related to external party access takes into account a minimal set of specifically defined issues" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1418_05i1organizational_8_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1418_05i1organizational_8_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1450_05i2organizational_2_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1450_05i2organizational_2_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Identification of Risks Related to External Parties \u003e Cloud service providers design and implement controls to mitigate and contain data security risks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Identification of Risks Related to External Parties", + "Cloud service providers design and implement controls to mitigate and contain data security risks" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1451_05icsporganizational_2_05_i" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties/azure_compliance.benchmark.hipaa_hitrust_v92_1451_05icsporganizational_2_05_i", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats" + ], + "control_id": "azure_compliance.control.appservice_web_app_incoming_client_cert_on", + "description": "Client certificates allow for the app to request a certificate for incoming requests. 
Only clients that have a valid certificate will be able to reach the app.", + "title": "Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0662_09scsporganizational_2_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0662_09scsporganizational_2_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange" + ], + "control_id": "azure_compliance.control.appservice_web_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
Allow only required domains to interact with your web app.", + "title": "CORS should not allow every resource to access your Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0901_09s1organizational_1_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0901_09s1organizational_1_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions" + ], + "control_id": "azure_compliance.control.appservice_function_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.", + "title": "CORS should not allow every resource to access your Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0902_09s2organizational_13_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0902_09s2organizational_13_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e The organization establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "The organization establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems" + ], + "control_id": "azure_compliance.control.appservice_api_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.", + "title": "CORS should not allow every resource to access your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0911_09s1organizational_2_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0911_09s1organizational_2_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems" + ], + "control_id": "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on a web application. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0912_09s1organizational_4_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0912_09s1organizational_4_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0913_09s1organizational_5_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0913_09s1organizational_5_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e The organization ensures that communication protection requirements, including the security of exchanges of information, is the subject of policy development and compliance audits", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "The organization ensures that communication protection requirements, including the security of exchanges of information, is the subject of policy development and compliance audits" + ], + "control_id": "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on API apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for API Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0914_09s1organizational_6_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0914_09s1organizational_6_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems" + ], + "control_id": "azure_compliance.control.appservice_web_app_incoming_client_cert_on", + "description": "Client certificates allow for the app to request a certificate for incoming requests. 
Only clients that have a valid certificate will be able to reach the app.", + "title": "Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0915_09s2organizational_2_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0915_09s2organizational_2_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices" + ], + "control_id": "azure_compliance.control.appservice_web_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
Allow only required domains to interact with your web app.", + "title": "CORS should not allow every resource to access your Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0916_09s2organizational_4_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0916_09s2organizational_4_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Cloud service providers use secure standardized network protocols for the import and export of data", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Cloud service providers use secure standardized network protocols for the import and export of data" + ], + "control_id": "azure_compliance.control.appservice_function_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.", + "title": "CORS should not allow every resource to access your Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_0960_09scsporganizational_1_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_0960_09scsporganizational_1_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Information Exchange Policies and Procedures \u003e Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic)", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Information Exchange Policies and Procedures", + "Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic)" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_1325_09s1organizational_3_09_s" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures/azure_compliance.benchmark.hipaa_hitrust_v92_1325_09s1organizational_3_09_s", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e The organization media registration, restrictions and protection", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "The organization media registration, restrictions and protection" + ], + "control_id": "azure_compliance.control.sql_server_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Transparent Data Encryption on SQL databases should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0301_09o1organizational_123_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0301_09o1organizational_123_09_o", + "executable": false + }, + { 
+ "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e The organization protects and controls media containing sensitive information during transport outside of controlled areas", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "The organization protects and controls media containing sensitive information during transport outside of controlled areas" + ], + "control_id": "azure_compliance.control.compute_os_and_data_disk_encrypted_with_cmk", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Disk encryption should be applied on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0302_09o2organizational_1_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0302_09o2organizational_1_09_o", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use are identified", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use are identified" + ], + "control_id": "azure_compliance.control.compute_unattached_disk_encrypted_with_cmk", + "description": "This policy audits any unattached disk without encryption enabled.", + "title": "Unattached disks should be encrypted", + "tags": { + 
"hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0303_09o2organizational_2_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0303_09o2organizational_2_09_o", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e The organization restricts the use of writable removable media and personally-owned removable media in organizational systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "The organization restricts the use of writable removable media and personally-owned removable media in organizational systems" + ], + "control_id": "azure_compliance.control.datalake_store_account_encryption_enabled", + "description": "This policy ensures encryption is enabled on all Data Lake Store accounts.", + "title": "Require encryption on Data Lake Store accounts", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e The organization 
restricts the use of writable removable media and personally-owned removable media in organizational systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "The organization restricts the use of writable removable media and personally-owned removable media in organizational systems" + ], + "control_id": "azure_compliance.control.sql_server_tde_protector_cmk_encrypted", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.", + "title": "SQL servers should use customer-managed keys to encrypt data at rest", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Management of Removable Media \u003e The organization restricts the use of writable removable media and personally-owned removable media in organizational systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Management of Removable Media", + "The organization restricts the use of writable removable media and personally-owned removable media in organizational systems" + ], + "control_id": "azure_compliance.control.mssql_managed_instance_encryption_at_rest_using_cmk", + "description": "Implementing 
Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.", + "title": "SQL managed instances should use customer-managed keys to encrypt data at rest", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media/azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered" + ], + "control_id": "azure_compliance.control.monitor_log_profile_enabled_for_all_regions", + "description": "This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.", + "title": "Azure Monitor should collect activity logs from all regions", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1120_09ab3system_9_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1120_09ab3system_9_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e The organization monitors the information system to identify irregularities or anomalies", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "The organization monitors the information system to identify irregularities or anomalies" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_12100_09ab2system_15_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_12100_09ab2system_15_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e The organization should specify the audit log review process", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "The organization should specify the audit log review 
process" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_12101_09ab1organizational_3_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_12101_09ab1organizational_3_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met" + ], + "control_id": "azure_compliance.control.monitor_log_profile_enabled_for_all_categories", + "description": "This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.", + "title": "Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1212_09ab1system_1_09_ab" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1212_09ab1system_1_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activities", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activities" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1213_09ab2system_128_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1213_09ab2system_128_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures" + ], + "control_id": "azure_compliance.control.monitor_log_profile_enabled_for_all_regions", + "description": "This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.", + "title": "Azure Monitor should collect activity logs from all regions", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_1214_09ab2system_3456_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1214_09ab2system_3456_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Auditing and monitoring systems employed by the organization support audit reduction and report generation", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Auditing and monitoring systems employed by the organization support audit reduction and report generation" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1215_09ab2system_7_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1215_09ab2system_7_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Automated systems are used to review monitoring activities of 
security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1216_09ab3system_12_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1216_09ab3system_12_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.", + "title": "Audit Windows machines on which the Log Analytics agent is not connected as expected", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1217_09ab3system_3_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1217_09ab3system_3_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e The information system is able to automatically process audit records for events of interest based on selectable criteria", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "The information system is able to automatically process audit records for events of interest based on selectable criteria" + ], + "control_id": "azure_compliance.control.monitor_log_profile_enabled_for_all_categories", + "description": "This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.", + "title": "Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1219_09ab3system_10_09_ab" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1219_09ab3system_10_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e Monitoring includes inbound and outbound communications and file integrity monitoring", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "Monitoring includes inbound and outbound communications and file integrity monitoring" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_1220_09ab3system_56_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_1220_09ab3system_56_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Monitoring System Use \u003e The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Monitoring System Use", + "The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.", + "title": "Audit Windows machines on which the Log Analytics agent is not connected as expected", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_12102_09ab1organizational_4_09_ab" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use/azure_compliance.benchmark.hipaa_hitrust_v92_12102_09ab1organizational_4_09_ab", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade 
to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping 
attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": 
"azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Network traffic is controlled in accordance with the organizations access control policy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Network traffic is controlled in accordance with the organizations access control policy" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to 
the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", 
+ "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": 
"azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Transmitted information is secured and, at a minimum, encrypted over open, public networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Transmitted information is secured and, at a minimum, encrypted over open, public networks" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + 
"Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and 
reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business 
need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": 
"azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures 
server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote 
devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your 
Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network 
Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is 
restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": 
"azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Connection Control \u003e The ability of users to connect to the internal network is restricted", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Connection Control", + "The ability of users to connect to the internal network is restricted" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control/azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization monitors for all authorized and unauthorized wireless access to the information system", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization monitors for all authorized and unauthorized wireless access to the information system" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization monitors for all authorized and unauthorized wireless access to the information system", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization monitors for all authorized and unauthorized wireless access to the information system" + ], + "control_id": "azure_compliance.control.compute_vm_meet_firewall_properties_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'Windows Firewall Properties'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization monitors for all authorized and unauthorized wireless access to the information system", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization monitors for all authorized and 
unauthorized wireless access to the information system" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group 
rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0859_09m1organizational_78_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0859_09m1organizational_78_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization formally manages equipment on the network, including equipment in user areas", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization formally manages equipment on the network, including equipment in user areas" + ], + "control_id": "azure_compliance.control.network_security_group_diagnostic_setting_deployed", + "description": "This policy automatically deploys diagnostic settings to network security groups. 
A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.", + "title": "Deploy Diagnostic Settings for Network Security Groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0860_09m1organizational_9_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0860_09m1organizational_9_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Identify and authenticate devices on local and/or wide area networks, including wireless networks", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Identify and authenticate devices on local and/or wide area networks, including wireless networks" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "description": "This policy audits any App Service not configured to use a virtual network service endpoint.", + "title": "App Service should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0861_09m2organizational_67_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0861_09m2organizational_67_09_m", + "executable": false + }, + { + "category_breadcrumb": 
"HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception" + ], + "control_id": "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "description": "This policy audits any SQL Server not configured to use a virtual network service endpoint.", + "title": "SQL Server should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0862_09m2organizational_8_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0862_09m2organizational_8_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment" + ], + "control_id": "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "description": "This policy audits any Event Hub not configured to 
use a virtual network service endpoint.", + "title": "Event Hub should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0863_09m2organizational_910_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0863_09m2organizational_910_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service" + ], + "control_id": "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "description": "This policy audits any Cosmos DB not configured to use a virtual network service endpoint.", + "title": "Cosmos DB should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0864_09m2organizational_12_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0864_09m2organizational_12_09_m", + "executable": false + }, + { + 
"category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Authorizing connections from the information system of one organization to the information systems outside of the organization", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Authorizing connections from the information system of one organization to the information systems outside of the organization" + ], + "control_id": "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "description": "This policy audits any Key Vault not configured to use a virtual network service endpoint.", + "title": "Key Vault should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0865_09m2organizational_13_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0865_09m2organizational_13_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be 
restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0866_09m3organizational_1516_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0866_09m3organizational_1516_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Wireless access points are placed in secure areas and shut down when not in use (e.g. 
nights, weekends)" + ], + "control_id": "azure_compliance.control.storage_account_use_virtual_service_endpoint", + "description": "This policy audits any Storage Account not configured to use a virtual network service endpoint.", + "title": "Storage Accounts should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0867_09m3organizational_17_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0867_09m3organizational_17_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0868_09m3organizational_18_09_m" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0868_09m3organizational_18_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e The router configuration files are secured and synchronized", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "The router configuration files are secured and synchronized" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0869_09m3organizational_19_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0869_09m3organizational_19_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + 
"title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0870_09m3organizational_20_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0870_09m3organizational_20_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Network Controls \u003e Authoritative DNS servers are segregated into internal and external roles", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Network Controls", + "Authoritative DNS servers are segregated into internal and external roles" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_0871_09m3organizational_22_09_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_network_controls/azure_compliance.benchmark.hipaa_hitrust_v92_0871_09m3organizational_22_09_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The organization verifies every ninety (90) days for each 
extract of covered information recorded that the data is erased or its use is still required", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0943_09y1organizational_1_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0943_09y1organizational_1_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL)", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL)" + ], + "control_id": 
"azure_compliance.control.compute_vm_with_no_specified_certificates_in_trusted_root_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine Trusted Root certificate store does not contain one or more of the certificates listed by the policy parameter.", + "title": "Audit Windows machines that do not contain the specified certificates in Trusted Root", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0945_09y1organizational_3_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0945_09y1organizational_3_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0946_09y2organizational_14_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0946_09y2organizational_14_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The organization ensures the storage of the transaction details are located outside of any publicly accessible environment", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The organization ensures the storage of the transaction details are located outside of any publicly accessible environment" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0947_09y2organizational_2_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0947_09y2organizational_2_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e Where a trusted authority is used, security is integrated and embedded throughout the entire end-to-end certificate/signature management process", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "Where a trusted authority is used, security is integrated and embedded throughout the entire end-to-end certificate/signature management process" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0948_09y2organizational_3_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0948_09y2organizational_3_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The protocols used for communications are enhanced 
to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "On-line Transactions", + "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e On-line Transactions \u003e The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "category_hierarchy": [ + "HIPAA HITRUST 
9.2", + "On-line Transactions", + "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions/azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with 
just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_11180_01c3system_6_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_11180_01c3system_6_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1143_01c1system_23_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1143_01c1system_23_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1144_01c1system_4_01_c" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1144_01c1system_4_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1145_01c2system_1_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1145_01c2system_1_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization promotes the development and use of programs that avoid the need to run 
with elevated privileges and system routines to avoid the need to grant privileges to users" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1146_01c2system_23_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1146_01c2system_23_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized" + ], + "control_id": "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "description": "Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1147_01c2system_456_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1147_01c2system_456_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization restricts access to privileged functions and all security-relevant information", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization restricts access to privileged functions and all security-relevant information" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization restricts access to privileged functions and all security-relevant information", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization restricts access to privileged functions and all security-relevant information" + ], + "control_id": "azure_compliance.control.compute_vm_meet_security_option_requirement_windows", + "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'Security Options - Accounts'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions" + ], + "control_id": "azure_compliance.control.kubernetes_instance_rbac_enabled", + "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.", + "title": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "tags": { + "hipaa_hitrust_v92": "true", + 
"nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1149_01c2system_9_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1149_01c2system_9_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1150_01c2system_10_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1150_01c2system_10_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1151_01c3system_1_01_c" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1151_01c3system_1_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1152_01c3system_2_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1152_01c3system_2_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", 
+ "All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties" + ], + "control_id": "azure_compliance.control.kubernetes_instance_rbac_enabled", + "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.", + "title": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1153_01c3system_35_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1153_01c3system_35_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Privilege Management \u003e Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Privilege Management", + "Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised 
owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_1154_01c3system_4_01_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management/azure_compliance.benchmark.hipaa_hitrust_v92_1154_01c3system_4_01_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e Access to network equipment is physically protected", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "Access to network equipment is physically protected" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1192_01l1organizational_1_01_l" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1192_01l1organizational_1_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1193_01l2organizational_13_01_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1193_01l2organizational_13_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed" + ], + "control_id": "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on a web application. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1194_01l2organizational_2_01_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1194_01l2organizational_2_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e The organization reviews the information system within every three hundred and sixty- five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "The organization reviews the information system within every three hundred and sixty- five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1195_01l3organizational_1_01_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1195_01l3organizational_1_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e Identify unauthorized (blacklisted) software on the information system", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "Identify unauthorized (blacklisted) software on the information system" + ], + "control_id": "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on API apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for API Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1196_01l3organizational_24_01_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1196_01l3organizational_24_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Remote Diagnostic and Configuration Port Protection \u003e The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Remote Diagnostic and Configuration Port Protection", + "The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_1197_01l3organizational_3_01_l" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection/azure_compliance.benchmark.hipaa_hitrust_v92_1197_01l3organizational_3_01_l", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": 
"true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely" + ], + "control_id": "azure_compliance.control.compute_vm_uses_azure_resource_manager", + "description": "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.", + "title": "Virtual machines should be migrated to new Azure Resource Manager resources", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0836_09_n2organizational_1_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0836_09_n2organizational_1_09_n", + "executable": 
false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e Formal agreements with external information system providers include specific obligations for security and privacy", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "Formal agreements with external information system providers include specific obligations for security and privacy" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0837_09_n2Organizational_2_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0837_09_n2Organizational_2_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "The organization 
reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0885_09n2organizational_3_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0885_09n2organizational_3_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e Formal agreement for allowing specific information systems to connect to external information systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "Formal agreement for allowing specific information systems to connect to external information systems" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. 
It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0886_09n2Organizational_4_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0886_09n2Organizational_4_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", 
+ "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0887_09n2organizational_5_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0887_09n2organizational_5_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Security of Network Services \u003e The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Security of Network Services", + "The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_0888_09n2Organizational_6_09_n" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services/azure_compliance.benchmark.hipaa_hitrust_v92_0888_09n2Organizational_6_09_n", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "description": "This policy audits any App Service not configured to use a virtual network service endpoint.", + "title": "App Service should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "description": "This policy audits any Cosmos DB not configured to use a virtual network service endpoint.", + "title": "Cosmos DB should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "description": "This policy audits any Event Hub not configured to use a virtual network service endpoint.", + "title": "Event Hub should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "description": "This policy audits any Key Vault not configured to use a virtual network service endpoint.", + "title": "Key Vault should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", + "title": "Gateway subnets should not be configured with a network security group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "description": "This policy audits any SQL Server not configured to use a virtual network service endpoint.", + "title": "SQL Server should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains" + ], + "control_id": "azure_compliance.control.storage_account_use_virtual_service_endpoint", + "description": "This policy audits any Storage Account not configured to use a virtual network service endpoint.", + "title": "Storage Accounts should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "description": "This policy audits any App Service not configured to use a virtual network service endpoint.", + "title": "App Service should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and 
physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "description": "This policy audits any Cosmos DB not configured to use a virtual network service endpoint.", + "title": "Cosmos DB should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in 
Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "description": "This policy audits any Event Hub not configured to use a virtual network service endpoint.", + "title": "Event Hub should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "description": "This policy audits any Key Vault not configured to use a virtual network service endpoint.", + "title": "Key Vault should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", + "title": "Gateway subnets should not be configured with a network security group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set 
of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "description": "This policy audits any SQL Server not configured to use a virtual network service endpoint.", + "title": "SQL Server should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + 
}, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls" + ], + "control_id": "azure_compliance.control.storage_account_use_virtual_service_endpoint", + "description": "This policy audits any Storage Account not configured to use a virtual network service endpoint.", + "title": "Storage Accounts should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating 
physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "description": "This policy audits any App Service not configured to use a virtual network service endpoint.", + "title": "App Service should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.compute_vm_attached_with_network", + "description": "This policy audits any virtual machine connected to a virtual network that is not approved.", + "title": "Virtual machines should be connected to an approved virtual network", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, 
applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "description": "This policy audits any Container Registry not configured to use a virtual network service endpoint.", + "title": "Container Registry should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "description": "This policy audits any Cosmos DB not configured to use a virtual network service endpoint.", + "title": "Cosmos DB should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "description": "This policy audits any Event Hub not configured to use a virtual network service endpoint.", + "title": "Event Hub should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + 
"category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "description": "This policy audits any Key Vault not configured to use a virtual network service endpoint.", + "title": "Key Vault should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", + "title": "Gateway subnets should not be configured with a network security group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.network_watcher_in_regions_with_virtual_network", + "description": "This policy creates a network watcher resource in regions with virtual networks. 
You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.", + "title": "Deploy network watcher when virtual networks are created", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "description": "This policy audits any SQL Server not configured to use a virtual network service endpoint.", + "title": "SQL Server should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation in Networks \u003e Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation in Networks", + "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers" + ], + "control_id": "azure_compliance.control.storage_account_use_virtual_service_endpoint", + "description": "This policy audits any Storage Account not configured to use a virtual network service endpoint.", + "title": "Storage Accounts should use a virtual network service endpoint", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks/azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation of Duties \u003e Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation of Duties", + "Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems" + ], + "control_id": 
"azure_compliance.control.kubernetes_instance_rbac_enabled", + "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.", + "title": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1229_09c1organizational_1_09_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties/azure_compliance.benchmark.hipaa_hitrust_v92_1229_09c1organizational_1_09_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation of Duties \u003e No single person is able to access, modify, or use information systems without authorization or detection", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation of Duties", + "No single person is able to access, modify, or use information systems without authorization or detection" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1230_09c2organizational_1_09_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties/azure_compliance.benchmark.hipaa_hitrust_v92_1230_09c2organizational_1_09_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation of Duties \u003e Access for individuals responsible for administering access controls is limited to the minimum necessary", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation of Duties", + "Access for individuals responsible for administering access controls is limited to the minimum necessary" + ], + "control_id": "azure_compliance.control.network_security_group_rdp_access_restricted", + "description": "Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. 
This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.", + "title": "Windows machines should meet requirements for 'User Rights Assignment'", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1232_09c3organizational_12_09_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties/azure_compliance.benchmark.hipaa_hitrust_v92_1232_09c3organizational_12_09_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation of Duties \u003e Security audit activities are independent", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation of Duties", + "Security audit activities are independent" + ], + "control_id": "azure_compliance.control.iam_no_custom_subscription_owner_roles_created", + "description": "This policy ensures that no custom subscription owner roles exist.", + "title": "Custom subscription owner roles should not exist", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1276_09c2organizational_2_09_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties/azure_compliance.benchmark.hipaa_hitrust_v92_1276_09c2organizational_2_09_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e Segregation of Duties \u003e The organization identifies 
duties that require separation and defines information system access authorizations to support separation of duties", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "Segregation of Duties", + "The organization identifies duties that require separation and defines information system access authorizations to support separation of duties" + ], + "control_id": "azure_compliance.control.iam_no_custom_subscription_owner_roles_created", + "description": "This policy ensures that no custom subscription owner roles exist.", + "title": "Custom subscription owner roles should not exist", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_1278_09c2organizational_56_09_c" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties/azure_compliance.benchmark.hipaa_hitrust_v92_1278_09c2organizational_56_09_c", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Authentication for External Connections \u003e Network equipment is checked for unanticipated dial-up capabilities", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Authentication for External Connections", + "Network equipment is checked for unanticipated dial-up capabilities" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections", + "azure_compliance.benchmark.hipaa_hitrust_v92_1119_01j2organizational_3_01_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections/azure_compliance.benchmark.hipaa_hitrust_v92_1119_01j2organizational_3_01_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Authentication for External Connections \u003e Remote access to business information across public networks only takes place after successful identification and authentication", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Authentication for External Connections", + "Remote access to business information across public networks only takes place after successful identification and authentication" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections", + "azure_compliance.benchmark.hipaa_hitrust_v92_1175_01j1organizational_8_01_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections/azure_compliance.benchmark.hipaa_hitrust_v92_1175_01j1organizational_8_01_j", + "executable": false + }, + { + 
"category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Authentication for External Connections \u003e The information system monitors and controls remote access methods", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Authentication for External Connections", + "The information system monitors and controls remote access methods" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections", + "azure_compliance.benchmark.hipaa_hitrust_v92_1179_01j3organizational_1_01_j" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections/azure_compliance.benchmark.hipaa_hitrust_v92_1179_01j3organizational_1_01_j", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e The information system employs replay-resistant authentication mechanisms", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "The information system employs replay-resistant authentication mechanisms" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + 
"hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_11112_01q2organizational_67_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_11112_01q2organizational_67_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_11208_01q1organizational_8_01_q" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_11208_01q1organizational_8_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records" + ], + "control_id": "azure_compliance.control.compute_vm_administrators_group_with_specified_members_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.", + "title": "Audit Windows machines that have the specified members in the Administrators group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_11210_01q2organizational_10_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_11210_01q2organizational_10_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e Signed electronic records shall contain information associated with the signing in human-readable format", + "category_hierarchy": [ + 
"HIPAA HITRUST 9.2", + "User Identification and Authentication", + "Signed electronic records shall contain information associated with the signing in human-readable format" + ], + "control_id": "azure_compliance.control.compute_vm_administrators_group_with_no_specified_members_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.", + "title": "Audit Windows machines missing any of specified members in the Administrators group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_11211_01q2organizational_11_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_11211_01q2organizational_11_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions" + ], + "control_id": "azure_compliance.control.compute_vm_administrators_group_with_extra_accounts_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.", + "title": "Audit Windows machines that have extra accounts in the Administrators group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_1123_01q1system_2_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_1123_01q1system_2_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access)", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access)" + ], + "control_id": "azure_compliance.control.compute_vm_administrators_group_with_specified_members_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.", + "title": "Audit Windows machines that have the specified members in the Administrators group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_1125_01q2system_1_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_1125_01q2system_1_01_q", + "executable": false + }, + { + "category_breadcrumb": "HIPAA HITRUST 9.2 \u003e User Identification and Authentication \u003e Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access", + "category_hierarchy": [ + "HIPAA HITRUST 9.2", + "User Identification and Authentication", + "Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access" + ], + "control_id": "azure_compliance.control.compute_vm_administrators_group_with_no_specified_members_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.", + "title": "Audit Windows machines missing any of specified members in the Administrators group", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.hipaa_hitrust_v92", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "azure_compliance.benchmark.hipaa_hitrust_v92_1127_01q2system_3_01_q" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.hipaa_hitrust_v92/azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication/azure_compliance.benchmark.hipaa_hitrust_v92_1127_01q2system_3_01_q", + "executable": false + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/hipaa_benchmarks.json b/deepfence_server/cloud_controls/azure/hipaa_benchmarks.json new file mode 100644 index 0000000000..12eef52e71 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/hipaa_benchmarks.json 
@@ -0,0 +1,3042 @@ +[ + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92", + "description": "The HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.", + "title": "HIPAA HITRUST 9.2", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs", + "azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software", + "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities", + "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code", + "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties", + "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures", + "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media", + "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control", + "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections", + "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_administrator_and_operator_logs", + "description": "", + "title": "Administrator and Operator Logs", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1270_09ad1system_12_09_ad", + "azure_compliance.benchmark.hipaa_hitrust_v92_1271_09ad1system_1_09_ad" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1270_09ad1system_12_09_ad", + "description": "", + "title": "The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Monitor", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.monitor_log_alert_for_administrative_operations" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1271_09ad1system_1_09_ad", + "description": "", + "title": "An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Monitor", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.monitor_log_alert_for_administrative_operations" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.hipaa_hitrust_v92_audit_logging", + "description": "", + "title": "Audit Logging", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1202_09aa1system_1_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1203_09aa1system_2_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1204_09aa1system_3_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1205_09aa2system_1_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1206_09aa2system_23_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1209_09aa3system_2_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa", + "azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1202_09aa1system_1_09_aa", + "description": "", + "title": "A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/DataLakeStorage", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.datalake_store_account_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1203_09aa1system_2_09_aa", + "description": "", + "title": "Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Logic", + "type": "Benchmark" + }, + "documentation": 
"", + "children": [ + "azure_compliance.control.logic_app_workflow_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1204_09aa1system_3_09_aa", + "description": "", + "title": "The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/IoTHub", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iot_hub_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1205_09aa2system_1_09_aa", + "description": "", + "title": "Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Batch", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.batch_account_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1206_09aa2system_23_09_aa", + "description": "Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects.", + "title": "Auditing a system while it is active", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.control.compute_vm_scale_set_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1207_09aa2system_4_09_aa", + "description": "", + "title": "Audit records are retained for 90 days and older audit records are archived for one year", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.eventhub_namespace_logging_enabled", + "azure_compliance.control.stream_analytics_job_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1208_09aa3system_1_09_aa", + "description": "", + "title": "Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.search_service_logging_enabled", + "azure_compliance.control.servicebus_namespace_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1209_09aa3system_2_09_aa", + "description": "The information system generates audit records containing the following detailed information: filename accessed, program or command used to initiate the event and source and destination addresses.", + "title": "The information system generates audit records containing detailed information", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1210_09aa3system_3_09_aa", + "description": "", + 
"title": "All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.datalake_analytics_account_logging_enabled", + "azure_compliance.control.audit_diagnostic_setting" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1211_09aa3system_4_09_aa", + "description": "", + "title": "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.keyvault_logging_enabled", + "azure_compliance.control.keyvault_managed_hms_logging_enabled", + "azure_compliance.control.sql_server_auditing_on" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_back_up", + "description": "", + "title": "Back-up", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_11617_09l1organizational_23_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1616_09l1organizational_16_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1618_09l1organizational_45_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1619_09l1organizational_7_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1621_09l2organizational_1_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1622_09l2organizational_23_09_l", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_1623_09l2organizational_4_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1624_09l3organizational_12_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1626_09l3organizational_5_09_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1627_09l3organizational_6_09_l" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_11617_09l1organizational_23_09_l", + "description": "A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.", + "title": "A formal definition of the level of backup", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/MySQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1616_09l1organizational_16_09_l", + "description": "", + "title": "Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1618_09l1organizational_45_09_l", + "description": "The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their 
protection at the remote location", + "title": "Storing and protecting the backups at the remote location", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/PostgreSQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1619_09l1organizational_7_09_l", + "description": "", + "title": "Inventory records for the backup copies, including content and current location, are maintained", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/MariaDB", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1621_09l2organizational_1_09_l", + "description": "", + "title": "Automated tools are used to track all backups", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1622_09l2organizational_23_09_l", + "description": "The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.", + "title": "Maintaining the integrity and security of the backup copies", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/MySQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1623_09l2organizational_4_09_l", + "description": "", + "title": "Covered information is backed-up in an encrypted format to ensure confidentiality", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/PostgreSQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1624_09l3organizational_12_09_l", + "description": "", + "title": "The organization performs incremental or differential backups daily and full backups weekly to separate media", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/MariaDB", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1626_09l3organizational_5_09_l", + "description": "", + "title": "The organization ensures a current, retrievable copy of covered information is available before movement of servers", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/PostgreSQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1627_09l3organizational_6_09_l", + "description": "", + "title": "The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": 
"azure", + "service": "Azure/MySQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_business_continuity_and_risk_assessment", + "description": "", + "title": "Business Continuity and Risk Assessment", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1634_12b1organizational_1_12_b", + "azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b", + "azure_compliance.benchmark.hipaa_hitrust_v92_1638_12b2organizational_345_12_b" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1634_12b1organizational_1_12_b", + "description": "", + "title": "The organization identifies the critical business processes requiring business continuity", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_disaster_recovery_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1635_12b1organizational_2_12_b", + "description": "Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and 
(iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.", + "title": "Information security aspects of business continuity", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/KeyVault", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.keyvault_managed_hms_purge_protection_enabled", + "azure_compliance.control.keyvault_purge_protection_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1638_12b2organizational_345_12_b", + "description": "Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.", + "title": "Business continuity risk assessments", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_disaster_recovery_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_change_control_procedures", + "description": "", + "title": "Change Control Procedures", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_0635_10k1organizational_12_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0636_10k2organizational_1_10_k", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0637_10k2organizational_2_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0638_10k2organizational_34569_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0639_10k2organizational_78_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0640_10k2organizational_1012_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0641_10k2organizational_11_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0642_10k3organizational_12_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0643_10k3organizational_3_10_k", + "azure_compliance.benchmark.hipaa_hitrust_v92_0644_10k3organizational_4_10_k" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0635_10k1organizational_12_10_k", + "description": "Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.", + "title": "Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0636_10k2organizational_1_10_k", + "description": "", + "title": "The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + 
"documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0637_10k2organizational_2_10_k", + "description": "", + "title": "The organization has developed, documented, and implemented a configuration management plan for the information system", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0638_10k2organizational_34569_10_k", + "description": "", + "title": "Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0639_10k2organizational_78_10_k", + "description": "", + "title": "Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0640_10k2organizational_1012_10_k", + "description": "Where development is outsourced, change control 
procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.", + "title": "Change control procedures to address security are included in the contract(s) where development is outsourced", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0641_10k2organizational_11_10_k", + "description": "", + "title": "The organization does not use automated updates on critical systems", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0642_10k3organizational_12_10_k", + "description": "", + "title": "The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0643_10k3organizational_3_10_k", + "description": "The organization (i) establishes and documents mandatory configuration settings for information technology products 
employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.", + "title": "Establishing and documenting the mandatory configuration settings for information technology products", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0644_10k3organizational_4_10_k", + "description": "The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions.", + "title": "Automated mechanisms to centrally manage and verify configuration settings", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_meet_system_audit_policies_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_operational_software", + "description": "", + "title": "Control of Operational Software", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.benchmark.hipaa_hitrust_v92_0605_10h1system_12_10_h",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0605_10h1system_12_10_h",
+ "description": "",
+ "title": "Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0607_10h2system_23_10_h",
+ "description": "",
+ "title": "The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_adaptive_application_controls_enabled",
+ "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_control_of_technical_vulnerabilities",
+ "description": "",
+ "title": "Control of Technical Vulnerabilities",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0713_10m2organizational_5_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0714_10m2organizational_7_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0717_10m3organizational_2_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0718_10m3organizational_34_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0719_10m3organizational_5_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0710_10m2organizational_1_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0716_10m3organizational_1_10_m",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0711_10m2organizational_23_10_m"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0709_10m1organizational_1_10_m",
+ "description": "",
+ "title": "Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.sql_server_and_databases_va_enabled",
+ "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated",
+ "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated",
+ "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled",
+ "azure_compliance.control.sql_database_vulnerability_findings_resolved",
+ "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0713_10m2organizational_5_10_m",
+ "description": "",
+ "title": "Patches are tested and evaluated before they are installed",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0714_10m2organizational_7_10_m",
+ "description": "",
+ "title": "The technical vulnerability management program is evaluated on a quarterly basis",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0717_10m3organizational_2_10_m",
+ "description": "",
+ "title": "Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0718_10m3organizational_34_10_m",
+ "description": "The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.",
+ "title": "The organization scans for vulnerabilities in the information system and hosted applications",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0719_10m3organizational_5_10_m",
+ "description": "",
+ "title": "The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/MySQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0710_10m2organizational_1_10_m",
+ "description": "",
+ "title": "A hardened configuration standard exists for all system and network components",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/MySQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0716_10m3organizational_1_10_m",
+ "description": "",
+ "title": "The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/SQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.sql_database_vulnerability_findings_resolved"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0711_10m2organizational_23_10_m",
+ "description": "",
+ "title": "A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_controls_against_malicious_code",
+ "description": "",
+ "title": "Controls Against Malicious Code",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0201_09j1organizational_124_09_j",
+ "description": "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution.",
+ "title": "Anti-virus and anti-spyware are installed, operating and updated on all end-user devices",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_adaptive_application_controls_enabled",
+ "azure_compliance.control.compute_vm_malware_agent_automatic_upgrade_enabled",
+ "azure_compliance.control.compute_vm_malware_agent_installed",
+ "azure_compliance.control.compute_vm_system_updates_installed",
+ "azure_compliance.control.compute_vm_endpoint_protection_agent_installed"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_identification_of_risks_related_to_external_parties",
+ "description": "",
+ "title": "Identification of Risks Related to External Parties",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1401_05i1organizational_1239_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1402_05i1organizational_45_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1403_05i1organizational_67_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1404_05i2organizational_1_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1418_05i1organizational_8_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1450_05i2organizational_2_05_i",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1451_05icsporganizational_2_05_i"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1401_05i1organizational_1239_05_i",
+ "description": "Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.",
+ "title": "Access to the organizations information and systems by external parties",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Storage",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.storage_account_secure_transfer_required_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1402_05i1organizational_45_05_i",
+ "description": "",
+ "title": "Remote access connections between the organization and external parties are encrypted",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_function_app_only_https_accessible"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1403_05i1organizational_67_05_i",
+ "description": "",
+ "title": "Access granted to external parties is limited to the minimum necessary and granted only for the duration required",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_use_https"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1404_05i2organizational_1_05_i",
+ "description": "",
+ "title": "Due diligence of the external party includes interviews, document review, checklists, certification reviews (e.g. HITRUST) or other remote means",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_use_https"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1418_05i1organizational_8_05_i",
+ "description": "",
+ "title": "The identification of risks related to external party access takes into account a minimal set of specifically defined issues",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/MySQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.mysql_ssl_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1450_05i2organizational_2_05_i",
+ "description": "The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain by performing an annual review, which includes all partners/third party-providers upon which their information supply chain depends.",
+ "title": "The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/PostgreSQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.postgres_sql_ssl_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1451_05icsporganizational_2_05_i",
+ "description": "Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.",
+ "title": "Cloud service providers design and implement controls to mitigate and contain data security risks",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Redis",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.azure_redis_cache_ssl_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_information_exchange_policies_and_procedures",
+ "description": "",
+ "title": "Information Exchange Policies and Procedures",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0662_09scsporganizational_2_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0901_09s1organizational_1_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0902_09s2organizational_13_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0911_09s1organizational_2_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0912_09s1organizational_4_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0913_09s1organizational_5_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0914_09s1organizational_6_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0915_09s2organizational_2_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0916_09s2organizational_4_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0960_09scsporganizational_1_09_s",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1325_09s1organizational_3_09_s"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0662_09scsporganizational_2_09_s",
+ "description": "Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.",
+ "title": "Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_incoming_client_cert_on"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0901_09s1organizational_1_09_s",
+ "description": "",
+ "title": "The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_cors_no_star"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0902_09s2organizational_13_09_s",
+ "description": "",
+ "title": "Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_function_app_cors_no_star"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0911_09s1organizational_2_09_s",
+ "description": "The organization establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to (i) access the information system from external information systems; and (ii) process, store or transmit organization-controlled information using external information systems.",
+ "title": "The organization establishes terms and conditions, consistent with any trust relationship established with other organizations owning, operating, and/or maintaining external information systems",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_cors_no_star"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0912_09s1organizational_4_09_s",
+ "description": "",
+ "title": "Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_remote_debugging_disabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0913_09s1organizational_5_09_s",
+ "description": "",
+ "title": "Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_function_app_remote_debugging_disabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0914_09s1organizational_6_09_s",
+ "description": "",
+ "title": "The organization ensures that communication protection requirements, including the security of exchanges of information, is the subject of policy development and compliance audits",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_remote_debugging_disabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0915_09s2organizational_2_09_s",
+ "description": "",
+ "title": "The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_incoming_client_cert_on"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0916_09s2organizational_4_09_s",
+ "description": "",
+ "title": "The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_web_app_cors_no_star"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0960_09scsporganizational_1_09_s",
+ "description": "Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.",
+ "title": "Cloud service providers use secure standardized network protocols for the import and export of data",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_function_app_cors_no_star"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1325_09s1organizational_3_09_s",
+ "description": "",
+ "title": "Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic)",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/AppService",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_function_app_remote_debugging_disabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_management_of_removable_media",
+ "description": "",
+ "title": "Management of Removable Media",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0301_09o1organizational_123_09_o",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0302_09o2organizational_1_09_o",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0303_09o2organizational_2_09_o",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0301_09o1organizational_123_09_o",
+ "description": "The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.",
+ "title": "The organization media registration, restrictions and protection",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/SQL",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.sql_server_transparent_data_encryption_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0302_09o2organizational_1_09_o",
+ "description": "",
+ "title": "The organization protects and controls media containing sensitive information during transport outside of controlled areas",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_os_and_data_disk_encrypted_with_cmk"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0303_09o2organizational_2_09_o",
+ "description": "",
+ "title": "Digital and non-digital media requiring restricted use and the specific safeguards used to restrict their use are identified",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_unattached_disk_encrypted_with_cmk"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0304_09o3organizational_1_09_o",
+ "description": "",
+ "title": "The organization restricts the use of writable removable media and personally-owned removable media in organizational systems",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.datalake_store_account_encryption_enabled",
+ "azure_compliance.control.sql_server_tde_protector_cmk_encrypted",
+ "azure_compliance.control.mssql_managed_instance_encryption_at_rest_using_cmk"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_monitoring_system_use",
+ "description": "",
+ "title": "Monitoring System Use",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1120_09ab3system_9_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_12100_09ab2system_15_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_12101_09ab1organizational_3_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1212_09ab1system_1_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1213_09ab2system_128_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1214_09ab2system_3456_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1215_09ab2system_7_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1216_09ab3system_12_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1217_09ab3system_3_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1219_09ab3system_10_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_1220_09ab3system_56_09_ab",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_12102_09ab1organizational_4_09_ab"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1120_09ab3system_9_09_ab",
+ "description": "",
+ "title": "Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Monitor",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.monitor_log_profile_enabled_for_all_regions"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_12100_09ab2system_15_09_ab",
+ "description": "The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.",
+ "title": "The organization monitors the information system to identify irregularities or anomalies",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_log_analytics_agent_installed"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_12101_09ab1organizational_3_09_ab",
+ "description": "The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.",
+ "title": "The organization should specify the audit log review process",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1212_09ab1system_1_09_ab",
+ "description": "",
+ "title": "All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Monitor",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.monitor_log_profile_enabled_for_all_categories"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1213_09ab2system_128_09_ab",
+ "description": "Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly.",
+ "title": "Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activities",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/SecurityCenter",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1214_09ab2system_3456_09_ab",
+ "description": "",
+ "title": "Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Monitor",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.monitor_log_profile_enabled_for_all_regions"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1215_09ab2system_7_09_ab",
+ "description": "",
+ "title": "Auditing and monitoring systems employed by the organization support audit reduction and report generation",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_log_analytics_agent_installed"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1216_09ab3system_12_09_ab",
+ "description": "",
+ "title": "Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1217_09ab3system_3_09_ab",
+ "description": "",
+ "title": "Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_log_analytics_agent_installed_windows"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1219_09ab3system_10_09_ab",
+ "description": "",
+ "title": "The information system is able to automatically process audit records for events of interest based on selectable criteria",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Monitor",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.monitor_log_profile_enabled_for_all_categories"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1220_09ab3system_56_09_ab",
+ "description": "",
+ "title": "Monitoring includes inbound and outbound communications and file integrity monitoring",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/SecurityCenter",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_12102_09ab1organizational_4_09_ab",
+ "description": "",
+ "title": "The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure/Compute",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.compute_vm_log_analytics_agent_installed_windows"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_network_connection_control",
+ "description": "",
+ "title": "Network Connection Control",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n",
+ "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0809_01n2organizational_1234_01_n",
+ "description": "Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.",
+ "title": "Network traffic is controlled in accordance with the organizations access control policy",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_latest_tls_version",
+ "azure_compliance.control.appservice_api_app_use_https",
+ "azure_compliance.control.appservice_function_app_latest_tls_version",
+ "azure_compliance.control.appservice_function_app_only_https_accessible",
+ "azure_compliance.control.appservice_web_app_latest_tls_version",
+ "azure_compliance.control.appservice_web_app_use_https",
+ "azure_compliance.control.azure_redis_cache_ssl_enabled",
+ "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied",
+ "azure_compliance.control.compute_vm_attached_with_network",
+ "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet",
+ "azure_compliance.control.mysql_ssl_enabled",
+ "azure_compliance.control.network_security_group_subnet_associated",
+ "azure_compliance.control.postgres_sql_ssl_enabled",
+ "azure_compliance.control.storage_account_secure_transfer_required_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0810_01n2organizational_5_01_n",
+ "description": "",
+ "title": "Transmitted information is secured and, at a minimum, encrypted over open, public networks",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_latest_tls_version",
+ "azure_compliance.control.appservice_api_app_use_https",
+ "azure_compliance.control.appservice_function_app_latest_tls_version",
+ "azure_compliance.control.appservice_function_app_only_https_accessible",
+ "azure_compliance.control.appservice_web_app_latest_tls_version",
+ "azure_compliance.control.appservice_web_app_use_https",
+ "azure_compliance.control.azure_redis_cache_ssl_enabled",
+ "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied",
+ "azure_compliance.control.compute_vm_attached_with_network",
+ "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet",
+ "azure_compliance.control.mysql_ssl_enabled",
+ "azure_compliance.control.network_security_group_subnet_associated",
+ "azure_compliance.control.postgres_sql_ssl_enabled",
+ "azure_compliance.control.storage_account_secure_transfer_required_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0811_01n2organizational_6_01_n",
+ "description": "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.",
+ "title": "Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_latest_tls_version",
+ "azure_compliance.control.appservice_api_app_use_https",
+ "azure_compliance.control.appservice_function_app_latest_tls_version",
+ "azure_compliance.control.appservice_function_app_only_https_accessible",
+ "azure_compliance.control.appservice_web_app_latest_tls_version",
+ "azure_compliance.control.appservice_web_app_use_https",
+ "azure_compliance.control.azure_redis_cache_ssl_enabled",
+ "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied",
+ "azure_compliance.control.compute_vm_attached_with_network",
+ "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet",
+ "azure_compliance.control.mysql_ssl_enabled",
+ "azure_compliance.control.network_security_group_subnet_associated",
+ "azure_compliance.control.postgres_sql_ssl_enabled",
+ "azure_compliance.control.storage_account_secure_transfer_required_enabled"
+ ]
+ },
+ {
+ "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0812_01n2organizational_8_01_n",
+ "description": "",
+ "title": "Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources",
+ "tags": {
+ "category": "Compliance",
+ "hipaa_hitrust_v92": "true",
+ "plugin": "azure",
+ "service": "Azure",
+ "type": "Benchmark"
+ },
+ "documentation": "",
+ "children": [
+ "azure_compliance.control.appservice_api_app_latest_tls_version",
+ "azure_compliance.control.appservice_api_app_use_https",
+ "azure_compliance.control.appservice_function_app_latest_tls_version",
+ "azure_compliance.control.appservice_function_app_only_https_accessible",
+ "azure_compliance.control.appservice_web_app_latest_tls_version",
+ "azure_compliance.control.appservice_web_app_use_https",
+ "azure_compliance.control.azure_redis_cache_ssl_enabled",
+ "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied",
+ "azure_compliance.control.compute_vm_attached_with_network",
+ "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet",
+ "azure_compliance.control.mysql_ssl_enabled",
+ "azure_compliance.control.network_security_group_subnet_associated",
+
"azure_compliance.control.postgres_sql_ssl_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0814_01n1organizational_12_01_n", + "description": "The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.", + "title": "The ability of users to connect to the internal network is restricted", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_latest_tls_version", + "azure_compliance.control.appservice_api_app_use_https", + "azure_compliance.control.appservice_function_app_latest_tls_version", + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_latest_tls_version", + "azure_compliance.control.appservice_web_app_use_https", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "azure_compliance.control.compute_vm_attached_with_network", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.mysql_ssl_enabled", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.postgres_sql_ssl_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_network_controls", + "description": "", + "title": "Network Controls", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" 
+ }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0859_09m1organizational_78_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0860_09m1organizational_9_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0861_09m2organizational_67_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0862_09m2organizational_8_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0863_09m2organizational_910_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0864_09m2organizational_12_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0865_09m2organizational_13_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0866_09m3organizational_1516_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0867_09m3organizational_17_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0868_09m3organizational_18_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0869_09m3organizational_19_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0870_09m3organizational_20_09_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0871_09m3organizational_22_09_m" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0858_09m1organizational_4_09_m", + "description": "The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.", + "title": "The organization monitors for all authorized and unauthorized wireless access to the information system", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected", + 
"azure_compliance.control.compute_vm_meet_firewall_properties_windows", + "azure_compliance.control.compute_vm_remote_access_restricted_all_ports" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0859_09m1organizational_78_09_m", + "description": "", + "title": "The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0860_09m1organizational_9_09_m", + "description": "", + "title": "The organization formally manages equipment on the network, including equipment in user areas", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_security_group_diagnostic_setting_deployed" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0861_09m2organizational_67_09_m", + "description": "To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.", + "title": "Identify and authenticate devices on local and/or wide area networks, including wireless networks", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + 
"type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0862_09m2organizational_8_09_m", + "description": "", + "title": "The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.sql_server_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0863_09m2organizational_910_09_m", + "description": "The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.", + "title": "The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/EventHub", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0864_09m2organizational_12_09_m", + "description": "", + "title": "Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/CosmosDB", + "type": "Benchmark" + }, + 
"documentation": "", + "children": [ + "azure_compliance.control.cosmosdb_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0865_09m2organizational_13_09_m", + "description": "The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.", + "title": "Authorizing connections from the information system of one organization to the information systems outside of the organization", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/KeyVault", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0866_09m3organizational_1516_09_m", + "description": "", + "title": "The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.storage_account_default_network_access_rule_denied" + ] + }, + { + 
"benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0867_09m3organizational_17_09_m", + "description": "", + "title": "Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Storage", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.storage_account_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0868_09m3organizational_18_09_m", + "description": "", + "title": "The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ContainerRegistry", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.container_registry_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0869_09m3organizational_19_09_m", + "description": "", + "title": "The router configuration files are secured and synchronized", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ContainerRegistry", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.container_registry_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0870_09m3organizational_20_09_m", + "description": "", + "title": "Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ContainerRegistry", + "type": "Benchmark" + }, + "documentation": "", + "children": [ 
+ "azure_compliance.control.container_registry_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0871_09m3organizational_22_09_m", + "description": "", + "title": "Authoritative DNS servers are segregated into internal and external roles", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ContainerRegistry", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.container_registry_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_on_line_transactions", + "description": "", + "title": "On-line Transactions", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_0943_09y1organizational_1_09_y", + "azure_compliance.benchmark.hipaa_hitrust_v92_0945_09y1organizational_3_09_y", + "azure_compliance.benchmark.hipaa_hitrust_v92_0946_09y2organizational_14_09_y", + "azure_compliance.benchmark.hipaa_hitrust_v92_0947_09y2organizational_2_09_y", + "azure_compliance.benchmark.hipaa_hitrust_v92_0948_09y2organizational_3_09_y", + "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0943_09y1organizational_1_09_y", + "description": "", + "title": "The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Storage", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.hipaa_hitrust_v92_0945_09y1organizational_3_09_y", + "description": "", + "title": "Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL)", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_with_no_specified_certificates_in_trusted_root_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0946_09y2organizational_14_09_y", + "description": "", + "title": "The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Redis", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.azure_redis_cache_ssl_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0947_09y2organizational_2_09_y", + "description": "The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet.", + "title": "The organization ensures the storage of the transaction details are located outside of any publicly accessible environment", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/PostgreSQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.postgres_sql_ssl_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0948_09y2organizational_3_09_y", + "description": "Where a trusted authority is 
used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.", + "title": "Where a trusted authority is used, security is integrated and embedded throughout the entire end-to-end certificate/signature management process", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/MySQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mysql_ssl_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0949_09y2organizational_5_09_y", + "description": "", + "title": "The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_latest_tls_version", + "azure_compliance.control.appservice_api_app_use_https", + "azure_compliance.control.appservice_function_app_latest_tls_version", + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_latest_tls_version", + "azure_compliance.control.appservice_web_app_use_https" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_privilege_management", + "description": "", + "title": "Privilege Management", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_11180_01c3system_6_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1143_01c1system_23_01_c", + 
"azure_compliance.benchmark.hipaa_hitrust_v92_1144_01c1system_4_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1145_01c2system_1_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1146_01c2system_23_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1147_01c2system_456_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1149_01c2system_9_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1150_01c2system_10_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1151_01c3system_1_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1152_01c3system_2_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1153_01c3system_35_01_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1154_01c3system_4_01_c" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_11180_01c3system_6_01_c", + "description": "", + "title": "Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1143_01c1system_23_01_c", + "description": "", + "title": "Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.control.network_security_group_remote_access_restricted" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1144_01c1system_4_01_c", + "description": "", + "title": "The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1145_01c2system_1_01_c", + "description": "", + "title": "Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1146_01c2system_23_01_c", + "description": "", + "title": "The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_external_user_with_owner_role" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1147_01c2system_456_01_c", + "description": "", + "title": "Elevated privileges are assigned to a different user ID from those used for normal business use, all users 
access privileged services in a single role, and such privileged access is minimized", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_deprecated_account_with_owner_roles" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1148_01c2system_78_01_c", + "description": "", + "title": "The organization restricts access to privileged functions and all security-relevant information", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.compute_vm_meet_security_option_requirement_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1149_01c2system_9_01_c", + "description": "", + "title": "The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/KubernetesService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.kubernetes_instance_rbac_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1150_01c2system_10_01_c", + "description": "", + "title": "The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": 
"Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_security_group_remote_access_restricted" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1151_01c3system_1_01_c", + "description": "", + "title": "The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1152_01c3system_2_01_c", + "description": "", + "title": "The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1153_01c3system_35_01_c", + "description": "", + "title": "All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/KubernetesService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.kubernetes_instance_rbac_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1154_01c3system_4_01_c", + "description": "", + "title": "Contractors are provided 
with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_remote_diagnostic_and_configuration_port_protection", + "description": "", + "title": "Remote Diagnostic and Configuration Port Protection", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1192_01l1organizational_1_01_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1193_01l2organizational_13_01_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1194_01l2organizational_2_01_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1195_01l3organizational_1_01_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1196_01l3organizational_24_01_l", + "azure_compliance.benchmark.hipaa_hitrust_v92_1197_01l3organizational_3_01_l" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1192_01l1organizational_1_01_l", + "description": "", + "title": "Access to network equipment is physically protected", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1193_01l2organizational_13_01_l", + "description": "", + "title": "Controls for the access to diagnostic and configuration ports include the use of a key 
lock and the implementation of supporting procedures to control physical access to the port", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_security_group_remote_access_restricted" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1194_01l2organizational_2_01_l", + "description": "", + "title": "Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_web_app_remote_debugging_disabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1195_01l3organizational_1_01_l", + "description": "", + "title": "The organization reviews the information system within every three hundred and sixty- five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_function_app_remote_debugging_disabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1196_01l3organizational_24_01_l", + "description": "The organization identifies unauthorized (blacklisted) software on the information system, prevents program execution in accordance with a list of unauthorized (blacklisted) software programs, employs an allow-all, deny-by exception policy to prohibit execution of known unauthorized (blacklisted) software, and 
reviews and updates the list of unauthorized (blacklisted) software programs annually.", + "title": "Identify unauthorized (blacklisted) software on the information system", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/AppService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_remote_debugging_disabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1197_01l3organizational_3_01_l", + "description": "", + "title": "The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_security_of_network_services", + "description": "", + "title": "Security of Network Services", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0836_09_n2organizational_1_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0837_09_n2Organizational_2_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0885_09n2organizational_3_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0886_09n2Organizational_4_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0887_09n2organizational_5_09_n", + "azure_compliance.benchmark.hipaa_hitrust_v92_0888_09n2Organizational_6_09_n" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.hipaa_hitrust_v92_0835_09n1organizational_1_09_n", + "description": "", + "title": "Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.compute_vm_uses_azure_resource_manager" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0836_09_n2organizational_1_09_n", + "description": "", + "title": "The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0837_09_n2Organizational_2_09_n", + "description": "", + "title": "Formal agreements with external information system providers include specific obligations for security and privacy", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_watcher_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0885_09n2organizational_3_09_n", + "description": "", + "title": "The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements", + 
"tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0886_09n2Organizational_4_09_n", + "description": "The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems.", + "title": "Formal agreement for allowing specific information systems to connect to external information systems", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_watcher_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0887_09n2organizational_5_09_n", + "description": "", + "title": "The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0888_09n2Organizational_6_09_n", + "description": "", + "title": "The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared", + "tags": { + "category": "Compliance", 
+ "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_watcher_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_in_networks", + "description": "", + "title": "Segregation in Networks", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0805_01m1organizational_12_01_m", + "description": "The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.", + "title": "The organization's security gateways (e.g. 
firewalls) enforce security policies and are configured to filter traffic between domains", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "azure_compliance.control.compute_vm_attached_with_network", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "azure_compliance.control.storage_account_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0806_01m2organizational_12356_01_m", + "description": "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.", + "title": "The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": 
[ + "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "azure_compliance.control.compute_vm_attached_with_network", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "azure_compliance.control.storage_account_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_0894_01m2organizational_7_01_m", + "description": "", + "title": "Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_web_app_use_virtual_service_endpoint", + "azure_compliance.control.compute_vm_attached_with_network", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_use_virtual_service_endpoint", + "azure_compliance.control.cosmosdb_use_virtual_service_endpoint", + "azure_compliance.control.eventhub_namespace_use_virtual_service_endpoint", + "azure_compliance.control.keyvault_vault_use_virtual_service_endpoint", + "azure_compliance.control.network_security_group_not_configured_gateway_subnets", + "azure_compliance.control.network_security_group_subnet_associated", + 
"azure_compliance.control.network_watcher_in_regions_with_virtual_network", + "azure_compliance.control.sql_server_use_virtual_service_endpoint", + "azure_compliance.control.storage_account_use_virtual_service_endpoint" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_segregation_of_duties", + "description": "", + "title": "Segregation of Duties", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1229_09c1organizational_1_09_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1230_09c2organizational_1_09_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1232_09c3organizational_12_09_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1276_09c2organizational_2_09_c", + "azure_compliance.benchmark.hipaa_hitrust_v92_1278_09c2organizational_56_09_c" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1229_09c1organizational_1_09_c", + "description": "", + "title": "Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/KubernetesService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.kubernetes_instance_rbac_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1230_09c2organizational_1_09_c", + "description": "", + "title": "No single person is able to access, modify, or use information systems without authorization or detection", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_no_custom_role" + ] + }, + { + 
"benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1232_09c3organizational_12_09_c", + "description": "Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls.", + "title": "Access for individuals responsible for administering access controls is limited to the minimum necessary", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Network", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.network_security_group_rdp_access_restricted" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1276_09c2organizational_2_09_c", + "description": "", + "title": "Security audit activities are independent", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_no_custom_subscription_owner_roles_created" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1278_09c2organizational_56_09_c", + "description": "The organization identifies duties that require separation and defines information system access authorizations to support separation of duties; and incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud.", + "title": "The organization identifies duties that require separation and defines information system access authorizations to support separation of duties", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.control.iam_no_custom_subscription_owner_roles_created" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_user_authentication_for_external_connections", + "description": "", + "title": "User Authentication for External Connections", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_1119_01j2organizational_3_01_j", + "azure_compliance.benchmark.hipaa_hitrust_v92_1175_01j1organizational_8_01_j", + "azure_compliance.benchmark.hipaa_hitrust_v92_1179_01j3organizational_1_01_j" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1119_01j2organizational_3_01_j", + "description": "", + "title": "Network equipment is checked for unanticipated dial-up capabilities", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1175_01j1organizational_8_01_j", + "description": "", + "title": "Remote access to business information across public networks only takes place after successful identification and authentication", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1179_01j3organizational_1_01_j", + "description": "", + "title": "The information system monitors and controls remote access methods", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + 
"service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_user_identification_and_authentication", + "description": "", + "title": "User Identification and Authentication", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.hipaa_hitrust_v92_11112_01q2organizational_67_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_11208_01q1organizational_8_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_11210_01q2organizational_10_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_11211_01q2organizational_11_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_1123_01q1system_2_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_1125_01q2system_1_01_q", + "azure_compliance.benchmark.hipaa_hitrust_v92_1127_01q2system_3_01_q" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_11112_01q2organizational_67_01_q", + "description": "The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline.", + "title": "The information system employs replay-resistant authentication mechanisms", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.hipaa_hitrust_v92_11208_01q1organizational_8_01_q", + "description": "", + "title": "The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_11210_01q2organizational_10_01_q", + "description": "", + "title": "Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_administrators_group_with_specified_members_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_11211_01q2organizational_11_01_q", + "description": "", + "title": "Signed electronic records shall contain information associated with the signing in human-readable format", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_administrators_group_with_no_specified_members_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1123_01q1system_2_01_q", + "description": "", + "title": "Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + 
"type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_administrators_group_with_extra_accounts_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1125_01q2system_1_01_q", + "description": "", + "title": "Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access)", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_administrators_group_with_specified_members_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.hipaa_hitrust_v92_1127_01q2system_3_01_q", + "description": "", + "title": "Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access", + "tags": { + "category": "Compliance", + "hipaa_hitrust_v92": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_administrators_group_with_no_specified_members_windows" + ] + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/nist.json b/deepfence_server/cloud_controls/azure/nist.json new file mode 100644 index 0000000000..69b7cf4e90 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/nist.json 
@@ -0,0 +1,16878 @@ +[ + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Automated System Account Management AC-2(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Automated System Account Management AC-2(1)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Automated System Account Management AC-2(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Automated System Account Management AC-2(1)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + "title": "Service Fabric clusters should only use Azure Active Directory for 
client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Automated System Account Management AC-2(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Automated System Account Management AC-2(1)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + 
"Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control 
(AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + 
"Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 
Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Account Monitoring for Atypical Usage AC-2(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Account Monitoring for Atypical Usage AC-2(12)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Privileged User Accounts AC-2(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Privileged User Accounts AC-2(7)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Privileged User Accounts AC-2(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access 
Control (AC)", + "Account Management (AC-2)", + "Privileged User Accounts AC-2(7)" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Privileged User Accounts AC-2(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Privileged User Accounts AC-2(7)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + "title": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2) \u003e Privileged User Accounts AC-2(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)", + "Privileged User Accounts AC-2(7)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.appservice_api_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.appservice_function_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control 
(AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "description": "Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_deprecated_account", + "description": "Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + 
"NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + "title": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Account Management (AC-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Account Management (AC-2)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3) \u003e Role-based Access Control AC-3(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)", + "Role-based Access Control AC-3(7)" + ], + "control_id": "azure_compliance.control.kubernetes_instance_rbac_enabled", + "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.", + "title": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3_7" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.appservice_api_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.appservice_function_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.appservice_web_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + 
"service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_account_with_password_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that have accounts without passwords.", + "title": "Audit Linux machines that have accounts without passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines 
hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.", + "title": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_ssh_key_authentication_linux", + "description": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys.", + "title": "Authentication to Linux machines should require SSH keys", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_uses_azure_resource_manager", + "description": "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.", + "title": "Virtual machines should be migrated to new Azure Resource Manager resources", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + "title": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Access Enforcement (AC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Access Enforcement (AC-3)" + ], + "control_id": "azure_compliance.control.storage_account_uses_azure_resource_manager", + "description": "Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.", + "title": "Storage accounts should be migrated to new Azure Resource Manager resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4) \u003e Dynamic Information Flow Control AC-4(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)", + "Dynamic Information Flow Control AC-4(3)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4) \u003e Dynamic Information Flow Control AC-4(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)", + "Dynamic Information Flow Control AC-4(3)" + ], + "control_id": 
"azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.apimanagement_service_with_virtual_network", + "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. 
The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.", + "title": "API Management services should use a virtual network", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/APIManagement" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.app_configuration_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.", + "title": "App Configuration should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppConfiguration" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.appservice_web_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
Allow only required domains to interact with your web app.", + "title": "CORS should not allow every resource to access your Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_uses_private_link", + "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced.", + "title": "Azure Cache for Redis should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.cognitive_account_private_link_used", + "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.", + "title": "Cognitive Services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.cognitive_account_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. 
Creating private endpoints can limit exposure of Cognitive Services account.", + "title": "Cognitive Services accounts should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.cognitive_account_restrict_public_access", + "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Cognitive Services accounts should restrict network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_disk_access_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced.", + "title": "Disk access resources should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + "description": "Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).", + "title": "Non-internet-facing virtual machines should be protected with network security groups", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing 
virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.container_registry_restrict_public_access", + "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. 
If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.", + "title": "Container registries should not allow unrestricted network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.container_registry_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Container registries should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your CosmosDB account, data leakage risks are reduced.", + "title": "CosmosDB accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. 
Accounts disabling public access are also deemed compliant.", + "title": "Azure Cosmos DB accounts should have firewall rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.data_factory_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Data Factory, data leakage risks are reduced.", + "title": "Azure Data Factory should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.eventgrid_domain_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid domains should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.eventgrid_topic_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid topics should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced.", + "title": "Event Hub namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_uses_private_link", + "description": "Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links.", + "title": "Azure API for FHIR should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.keyvault_vault_private_link_used", + "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.", + "title": "Private endpoint should be configured for Key Vault", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.keyvault_vault_public_network_access_disabled", + "description": "Disable public network access for your key vault so that it's not accessible over the public internet. 
This can reduce data leakage risks.", + "title": "Azure Key Vault should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "description": "ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.", + "title": "Authorized IP ranges should be defined on Kubernetes Services", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.mariadb_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MariaDB servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.mysql_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.mysql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.network_interface_ip_forwarding_disabled", + "description": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.", + "title": "IP Forwarding on your virtual machine should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.postgres_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.postgresql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 
This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.search_service_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. 
Creating private endpoints can limit exposure of your Search service.", + "title": "Azure Cognitive Search services should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.search_service_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.", + "title": "Azure Cognitive Search services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Search service, data leakage risks are reduced.", + "title": "Azure Cognitive Search service should use a SKU that supports private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.servicebus_name_space_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced.", + "title": "Azure Service Bus namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.signalr_service_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks.", + "title": "Azure SignalR Service should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SignalRService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.sql_db_public_network_access_disabled", + "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. 
This configuration denies all logins that match IP or virtual network based firewall rules.", + "title": "Public network access on Azure SQL Database should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.sql_server_uses_private_link", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "title": "Private endpoint connections on Azure SQL Database should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + 
], + "control_id": "azure_compliance.control.storage_account_block_public_access", + "description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.", + "title": "Storage account public access should be disallowed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.storage_account_restrict_network_access", + "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. 
Disabling IP-based filtering prevents public IPs from accessing your storage accounts.", + "title": "Storage accounts should restrict network access using virtual network rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.storage_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your storage account, data leakage risks are reduced.", + "title": "Storage accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.storage_sync_private_link_used", + "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. 
Creating a private endpoint by itself does not disable the public endpoint.", + "title": "Azure File Sync should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FileSync" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Information Flow Enforcement (AC-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Information Flow Enforcement (AC-4)" + ], + "control_id": "azure_compliance.control.synapse_workspace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.", + "title": "Azure Synapse workspaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Separation of Duties (AC-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Separation of Duties (AC-5)" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Least Privilege (AC-6) \u003e Review of User Privileges AC-6(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access 
Control (AC)", + "Least Privilege (AC-6)", + "Review of User Privileges AC-6(7)" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Least Privilege (AC-6) \u003e Review of User Privileges AC-6(7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Least Privilege (AC-6)", + "Review of User Privileges AC-6(7)" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Least Privilege (AC-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Least Privilege (AC-6)" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Least Privilege (AC-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Least Privilege (AC-6)" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the 
potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Security and Privacy Attributes (AC-16)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Security and Privacy Attributes (AC-16)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Security and Privacy Attributes (AC-16)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Security 
and Privacy Attributes (AC-16)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.app_configuration_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.", + "title": "App Configuration should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppConfiguration" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on API apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for API Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on a web application. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_in_virtual_network", + "description": "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.", + "title": "Azure Cache for Redis should reside within a virtual network", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_uses_private_link", + "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced.", + "title": "Azure Cache for Redis should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": 
"azure_compliance.control.cognitive_account_private_link_used", + "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.", + "title": "Cognitive Services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_disk_access_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced.", + "title": "Disk access resources should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. 
The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.", + "title": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.compute_vm_restrict_remote_connection_from_accounts_without_password_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords.", + "title": "Audit Linux machines that allow remote connections from accounts without passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.container_registry_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Container registries should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your CosmosDB account, data leakage risks are reduced.", + "title": "CosmosDB accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.data_factory_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Data Factory, data leakage risks are reduced.", + "title": "Azure Data Factory should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.eventgrid_domain_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid domains should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.eventgrid_topic_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid topics should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced.", + "title": "Event Hub namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_uses_private_link", + "description": "Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links.", + "title": "Azure API for FHIR should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.keyvault_vault_private_link_used", + "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.", + "title": "Private endpoint should be configured for Key Vault", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.mysql_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.postgres_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.search_service_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.", + "title": "Azure Cognitive Search services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Search service, data leakage risks are reduced.", + "title": "Azure Cognitive Search service should use a SKU that supports private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.servicebus_name_space_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced.", + "title": "Azure Service Bus namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.signalr_service_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks.", + "title": "Azure SignalR Service should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SignalRService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.spring_cloud_service_network_injection_enabled", + "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. 
Empower customers to control inbound and outbound network communications for Azure Spring Cloud.", + "title": "Azure Spring Cloud should use network injection", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SpringCloud" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.sql_server_uses_private_link", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "title": "Private endpoint connections on Azure SQL Database should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote 
Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.storage_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced.", + "title": "Storage accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.storage_sync_private_link_used", + "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. 
Creating a private endpoint by itself does not disable the public endpoint.", + "title": "Azure File Sync should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FileSync" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17) \u003e Monitoring and Control AC-17(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)", + "Monitoring and Control AC-17(1)" + ], + "control_id": "azure_compliance.control.synapse_workspace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.", + "title": "Azure Synapse workspaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.app_configuration_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.", + "title": "App Configuration should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppConfiguration" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on API apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for API Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on a web application. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_in_virtual_network", + "description": "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.", + "title": "Azure Cache for Redis should reside within a virtual network", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + 
"category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_uses_private_link", + "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced.", + "title": "Azure Cache for Redis should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.cognitive_account_private_link_used", + "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.", + "title": "Cognitive Services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_disk_access_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced.", + "title": "Disk access resources should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. 
The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.", + "title": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.compute_vm_restrict_remote_connection_from_accounts_without_password_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords.", + "title": "Audit Linux machines that allow remote connections from accounts without passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.container_registry_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Container registries should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your CosmosDB account, data leakage risks are reduced.", + "title": "CosmosDB accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.data_factory_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Data Factory, data leakage risks are reduced.", + "title": "Azure Data Factory should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.eventgrid_domain_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid domains should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.eventgrid_topic_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid topics should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced.", + "title": "Event Hub namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_uses_private_link", + "description": "Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links.", + "title": "Azure API for FHIR should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.keyvault_vault_private_link_used", + "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.", + "title": "Private endpoint should be configured for Key Vault", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.mysql_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.postgres_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.search_service_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.", + "title": "Azure Cognitive Search services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Search service, data leakage risks are reduced.", + "title": "Azure Cognitive Search service should use a SKU that supports private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.servicebus_name_space_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced.", + "title": "Azure Service Bus namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.signalr_service_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks.", + "title": "Azure SignalR Service should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SignalRService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.spring_cloud_service_network_injection_enabled", + "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. 
Empower customers to control inbound and outbound network communications for Azure Spring Cloud.", + "title": "Azure Spring Cloud should use network injection", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SpringCloud" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.sql_server_uses_private_link", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "title": "Private endpoint connections on Azure SQL Database should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": 
"azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.storage_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your storage account, data leakage risks are reduced.", + "title": "Storage accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.storage_sync_private_link_used", + "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. 
Creating a private endpoint by itself does not disable the public endpoint.", + "title": "Azure File Sync should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FileSync" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Access Control (AC) \u003e Remote Access (AC-17)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Access Control (AC)", + "Remote Access (AC-17)" + ], + "control_id": "azure_compliance.control.synapse_workspace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.", + "title": "Azure Synapse workspaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac/azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.", + "title": "Diagnostic logs in App Services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, 
Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Linux Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Windows Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. 
The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.batch_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Batch accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed", + "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.", + "title": "Guest Configuration extension should be installed on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 
To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.", + "title": "Log Analytics agent health issues should be resolved on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" 
+ ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and 
Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux 
Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", + "title": "Resource logs in Virtual Machine Scale Sets should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, 
Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.datalake_analytics_account_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Data Lake Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.datalake_store_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Data Lake Store should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Event Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.iot_hub_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in IoT Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/IoTHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.keyvault_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Key Vault should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, 
Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.logic_app_workflow_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Logic Apps should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Logic" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.search_service_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Search services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.servicebus_namespace_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Service Bus should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and 
Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": 
[ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + 
"documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Central Review and Analysis AU-6(4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Central Review and Analysis AU-6(4)" + ], + "control_id": "azure_compliance.control.stream_analytics_job_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Stream Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/StreamAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.", + "title": "Diagnostic logs in App Services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Linux Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Windows Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": 
[ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. 
The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.batch_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Batch accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed", + "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.", + "title": "Guest Configuration extension should be installed on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 
To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.", + "title": "Log Analytics agent health issues should be resolved on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and 
Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": 
"azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", + "title": "Resource logs in Virtual Machine Scale Sets should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e 
Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.datalake_analytics_account_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Data Lake Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.datalake_store_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Data Lake Store should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Event Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.iot_hub_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in IoT Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/IoTHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.keyvault_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Key Vault should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST 
SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.logic_app_workflow_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Logic Apps should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Logic" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.search_service_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Search services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.servicebus_namespace_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Service Bus should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and 
Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": 
"true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit 
Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage 
accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6) \u003e Integrated Analysis of Audit Records AU-6(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)", + "Integrated Analysis of Audit Records AU-6(5)" + ], + "control_id": "azure_compliance.control.stream_analytics_job_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Stream Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/StreamAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection 
for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure 
Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 
Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Review, Analysis, and Reporting (AU-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Review, Analysis, and Reporting (AU-6)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure 
Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Retention (AU-11)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Retention (AU-11)" + ], + "control_id": "azure_compliance.control.sql_server_auditing_storage_account_destination_retention_90_days", + "description": "For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. 
This is sometimes required for compliance with regulatory standards.", + "title": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_11" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_11", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.", + "title": "Diagnostic logs in App Services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation 
(AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Linux Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Windows Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. 
The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.batch_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Batch accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed", + "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.", + "title": "Guest Configuration extension should be installed on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 
To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.", + "title": "Log Analytics agent health issues should be resolved on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" 
+ ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e 
System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine 
Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", + "title": "Resource logs in Virtual Machine Scale Sets should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation 
(AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.datalake_analytics_account_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Data Lake Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.datalake_store_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Data Lake Store should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Event Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.iot_hub_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in IoT Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/IoTHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.keyvault_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Key Vault should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation 
(AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.logic_app_workflow_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Logic Apps should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Logic" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.search_service_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Search services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.servicebus_namespace_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Service Bus should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + 
"System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": 
[ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + 
"documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12) \u003e System-wide and Time-correlated Audit Trail AU-12(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)", + "System-wide and Time-correlated Audit Trail AU-12(1)" + ], + "control_id": "azure_compliance.control.stream_analytics_job_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Stream Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/StreamAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", 
+ "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.", + "title": "Diagnostic logs in App Services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Linux Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Windows Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. 
The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.batch_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Batch accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) 
\u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed", + "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.", + "title": "Guest Configuration extension should be installed on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 
To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.", + "title": "Log Analytics agent health issues should be resolved on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and 
Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data 
collection agent should be installed on Windows virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record 
Generation (AU-12)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "description": "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", + "title": "Resource logs in Virtual Machine Scale Sets should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.datalake_analytics_account_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Data Lake Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.datalake_store_account_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Data Lake Store should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataLakeStorage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Event Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.iot_hub_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in IoT Hub should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/IoTHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and 
Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.keyvault_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Key Vault should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.logic_app_workflow_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Logic Apps should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Logic" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. 
It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.search_service_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Search services should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record 
Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.servicebus_namespace_logging_enabled", + "description": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Service Bus should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + 
"tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation 
(AU-12)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Audit and Accountability Control (AU) \u003e Audit Record Generation (AU-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Audit and Accountability Control (AU)", + "Audit Record Generation (AU-12)" + ], + "control_id": "azure_compliance.control.stream_analytics_job_logging_enabled", + "description": "Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.", + "title": "Resource logs in Azure Stream Analytics should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/StreamAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_au/azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_api_app_client_certificates_on", + "description": "Client certificates allow for the app to request a certificate for incoming requests. 
Only clients that have a valid certificate will be able to reach the app.", + "title": "Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_api_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. 
Allow only required domains to interact with your API app.", + "title": "CORS should not allow every resource to access your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on API apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for API Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_client_certificates_on", + "description": "Client certificates allow for the app to request a certificate for incoming requests. 
Only clients with valid certificates will be able to reach the app.", + "title": "Function apps should have 'Client Certificates (Incoming client certificates)' enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.", + "title": "CORS should not allow every resource to access your Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on function apps. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Function Apps", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_client_certificates_on", + "description": "Client certificates allow for the app to request a certificate for incoming requests. 
Only clients that have a valid certificate will be able to reach the app.", + "title": "Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_cors_no_star", + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. 
Allow only required domains to interact with your web app.", + "title": "CORS should not allow every resource to access your Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "description": "Remote debugging requires inbound ports to be opened on a web application. 
Remote debugging should be turned off.", + "title": "Remote debugging should be turned off for Web Applications", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.compute_vm_meet_security_baseline_requirements_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.", + "title": "Linux machines should meet requirements for the Azure compute security baseline", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.compute_vm_meet_security_baseline_requirements_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.", + "title": "Windows machines should meet requirements of the Azure compute security baseline", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_add_on_azure_policy_enabled", + "description": "Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.", + "title": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false 
+ }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Configuration Settings (CM-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Configuration Settings (CM-6)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id", + "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes.", + "title": "Kubernetes cluster pods and containers should only run with approved user and group IDs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7) \u003e Prevent Program Execution CM-7(2) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)", + "Prevent Program Execution CM-7(2) " + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you 
when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7) \u003e Prevent Program Execution CM-7(2) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)", + "Prevent Program Execution CM-7(2) " + ], + "control_id": "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.", + "title": "Allowlist rules in your adaptive application control policy should be updated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7) \u003e Authorized Software ??? Allow-by-exception CM-7(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)", + "Authorized Software ??? Allow-by-exception CM-7(5)" + ], + "control_id": "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.", + "title": "Allowlist rules in your adaptive application control policy should be updated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7) \u003e Authorized Software ??? Allow-by-exception CM-7(5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)", + "Authorized Software ??? Allow-by-exception CM-7(5)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)" + ], + "control_id": "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.", + "title": "Allowlist rules in your adaptive application control policy should be updated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Least Functionality (CM-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Least Functionality (CM-7)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Software Usage Restrictions (CM-10)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 
5", + "Configuration Management (CM)", + "Software Usage Restrictions (CM-10)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e Software Usage Restrictions (CM-10)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "Software Usage Restrictions (CM-10)" + ], + "control_id": "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.", + "title": "Allowlist rules in your adaptive application control policy should be updated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e User-installed Software (CM-11)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "User-installed Software (CM-11)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. 
To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "title": "Adaptive application controls for defining safe applications should be enabled on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Configuration Management (CM) \u003e User-installed Software (CM-11)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Configuration Management (CM)", + "User-installed Software (CM-11)" + ], + "control_id": "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.", + "title": "Allowlist rules in your adaptive application control policy should be updated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm/azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6) \u003e Separation from Primary Site CP-6(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)", + "Separation from Primary Site CP-6(1)" + ], + "control_id": "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MariaDB", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6) \u003e Separation from Primary Site CP-6(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)", + "Separation from Primary Site CP-6(1)" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6) \u003e Separation from Primary Site CP-6(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)", + "Separation from Primary Site CP-6(1)" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6) \u003e Separation from Primary Site CP-6(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)", + "Separation from Primary Site CP-6(1)" + ], + "control_id": "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.", + "title": "Long-term geo-redundant backup should be enabled for Azure SQL Databases", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6) \u003e Separation from Primary Site CP-6(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)", + "Separation from Primary Site CP-6(1)" + ], + "control_id": "azure_compliance.control.storage_account_geo_redundant_enabled", + "description": "Use geo-redundancy to create highly available applications.", + "title": "Geo-redundant storage should be enabled for Storage Accounts", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)" + ], + "control_id": "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. 
It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MariaDB", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)" + ], + "control_id": "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.", + "title": "Long-term geo-redundant backup should be enabled for Azure SQL Databases", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Storage Site (CP-6)", + "category_hierarchy": [ + "NIST SP 800-53 
Revision 5", + "Contingency Planning (CP)", + "Alternate Storage Site (CP-6)" + ], + "control_id": "azure_compliance.control.storage_account_geo_redundant_enabled", + "description": "Use geo-redundancy to create highly available applications.", + "title": "Geo-redundant storage should be enabled for Storage Accounts", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e Alternate Processing Site (CP-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "Alternate Processing Site (CP-7)" + ], + "control_id": "azure_compliance.control.compute_vm_disaster_recovery_enabled", + "description": "Audit virtual machines which do not have disaster recovery configured.", + "title": "Audit virtual machines without disaster recovery configured", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e System Backup (CP-9)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "System Backup (CP-9)" + ], + "control_id": "azure_compliance.control.keyvault_purge_protection_enabled", + "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.", + "title": "Key vaults should have purge protection enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e System Backup (CP-9)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "System Backup (CP-9)" + ], + "control_id": "azure_compliance.control.keyvault_soft_delete_enabled", + "description": "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. 
Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.", + "title": "Key vaults should have soft delete enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e System Backup (CP-9)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "System Backup (CP-9)" + ], + "control_id": "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MariaDB", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e System Backup (CP-9)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "System Backup (CP-9)" + ], + "control_id": "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for MySQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Contingency Planning (CP) \u003e System Backup (CP-9)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Contingency Planning (CP)", + "System Backup (CP-9)" + ], + "control_id": "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.", + "title": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp/azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication (organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.appservice_api_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication 
(organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.appservice_function_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication (organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication (organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication (organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + 
"title": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identification and Authentication (organizational Users) (IA-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identification and Authentication (organizational Users) (IA-2)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.appservice_api_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.appservice_function_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.appservice_web_app_uses_managed_identity", + "description": "Use a managed identity for enhanced authentication security.", + "title": "Managed identity should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + 
"category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.cognitive_service_local_auth_disabled", + "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.", + "title": "Cognitive Services accounts should have local authentication methods disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "description": "Audit usage of client authentication only via Azure Active Directory in Service Fabric.", + "title": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Identifier Management (IA-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Identifier Management (IA-4)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + 
"control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.", + "title": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days.", + "title": "Audit Windows machines that do not have a maximum password age of 70 days", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_min_password_age_1_day_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day.", + "title": "Audit Windows machines that do not have a minimum password age of 1 day", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_min_password_length_14_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.", + "title": "Audit Windows machines that do not restrict the minimum password length to 14 characters", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_password_complexity_setting_enabled_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not have the password complexity setting enabled.", + "title": "Audit Windows machines that do not have the password complexity setting enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_password_file_permissions_0644_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644", + "title": "Audit Linux machines that do not have the passwd file permissions set to 0644", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_passwords_stored_using_reversible_encryption_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not store passwords using reversible encryption.", + "title": "Audit Windows machines that do not store passwords using reversible encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5) \u003e Password-based Authentication IA-5(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)", + "Password-based Authentication IA-5(1) " + ], + "control_id": "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.", + "title": "Audit Windows machines that allow re-use of the previous 24 passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. 
The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.", + "title": "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_password_file_permissions_0644_linux", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644", + "title": "Audit Linux machines that do not have the passwd file permissions set to 0644", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_passwords_stored_using_reversible_encryption_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not store passwords using reversible encryption.", + "title": "Audit Windows machines that do not store passwords using reversible encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_ssh_key_authentication_linux", + "description": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys.", + "title": "Authentication to Linux machines should require SSH keys", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.keyvault_key_expiration_set", + "description": "Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. 
It is a recommended security practice to set expiration dates on cryptographic keys.", + "title": "Key Vault keys should have an expiration date", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Identification and Authentication (IA) \u003e Authenticator Management (IA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Identification and Authentication (IA)", + "Authenticator Management (IA-5)" + ], + "control_id": "azure_compliance.control.keyvault_secret_expiration_set", + "description": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. 
It is a recommended security practice to set expiration dates on secrets.", + "title": "Key Vault secrets should have an expiration date", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia/azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": 
"azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + 
"category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": 
"azure_compliance.control.securitycenter_email_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.", + "title": "Subscriptions should have a contact email address for security issues", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.securitycenter_notify_alerts_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.", + "title": "Email notification for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.", + "title": "Email notification to subscription owner for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database 
servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting 
anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Handling (IR-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Handling (IR-4)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + 
"control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e 
Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + 
"control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": 
"azure_compliance.control.securitycenter_email_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.", + "title": "Subscriptions should have a contact email address for security issues", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.securitycenter_notify_alerts_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.", + "title": "Email notification for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.", + "title": "Email notification to subscription owner for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL 
Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, 
detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Incident Monitoring (IR-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Incident Monitoring (IR-5)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Vulnerabilities Related to Incidents IR-6(2) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + 
"Vulnerabilities Related to Incidents IR-6(2) " + ], + "control_id": "azure_compliance.control.securitycenter_email_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.", + "title": "Subscriptions should have a contact email address for security issues", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Vulnerabilities Related to Incidents IR-6(2) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Vulnerabilities Related to Incidents IR-6(2) " + ], + "control_id": "azure_compliance.control.securitycenter_notify_alerts_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.", + "title": "Email notification for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Incident Response (IR) \u003e Vulnerabilities Related to Incidents IR-6(2) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Incident Response (IR)", + "Vulnerabilities Related to Incidents IR-6(2) " + ], + "control_id": "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.", + "title": "Email notification to subscription owner for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir/azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be 
enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": 
"azure_compliance.control.compute_vm_container_security_configurations_vulnerabilities_remediated", + "description": "Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.", + "title": "Vulnerabilities in container security configurations should be remediate", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + 
{ + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_findings_resolved_for_sql_server", + "description": "SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Resolving the vulnerabilities found can greatly improve your database security posture.", + "title": "SQL servers on machines should have vulnerability findings resolved", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning 
(RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.container_registry_vulnerabilities_remediated", + "description": "Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.", + "title": "Vulnerabilities in Azure Container Registry images should be remediated", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk 
Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled", + "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on SQL Managed Instance", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and 
Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.sql_server_and_databases_va_enabled", + "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", + "title": "Vulnerability assessment should be enabled on your SQL servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender 
for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e Risk Assessment (RA) \u003e Vulnerability Monitoring and Scanning (RA-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "Risk Assessment (RA)", + "Vulnerability Monitoring and Scanning (RA-5)" + ], + "control_id": "azure_compliance.control.synapse_workspace_vulnerability_assessment_enabled", + "description": "Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.", + "title": "Vulnerability assessment should be enabled on your Synapse workspaces", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra/azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Security Function Isolation (SC-3)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Security Function Isolation (SC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Security Function Isolation (SC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Security Function Isolation (SC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_monitor_missing_endpoint_protection_in_asc", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Security Function Isolation (SC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Security Function Isolation (SC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_endpoint_protection_solution_installed", + "description": "Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "title": "Endpoint protection solution should be installed on virtual machine scale sets", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Security Function Isolation (SC-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Security Function Isolation (SC-3)" + ], + "control_id": "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled", + "description": "Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. 
Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).", + "title": "Windows Defender Exploit Guard should be enabled on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Denial-of-service Protection (SC-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Denial-of-service Protection (SC-5)" + ], + "control_id": "azure_compliance.control.application_gateway_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Denial-of-service Protection (SC-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Denial-of-service Protection (SC-5)" + ], + "control_id": "azure_compliance.control.frontdoor_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FrontDoor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Denial-of-service Protection (SC-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Denial-of-service Protection (SC-5)" + ], + "control_id": "azure_compliance.control.network_ddos_enabled", + "description": "DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.", + "title": "Azure DDoS Protection Standard should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Denial-of-service 
Protection (SC-5)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Denial-of-service Protection (SC-5)" + ], + "control_id": "azure_compliance.control.network_interface_ip_forwarding_disabled", + "description": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.", + "title": "IP Forwarding on your virtual machine should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.apimanagement_service_with_virtual_network", + "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. 
The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.", + "title": "API Management services should use a virtual network", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/APIManagement" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.app_configuration_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.", + "title": "App Configuration should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppConfiguration" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.application_gateway_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_uses_private_link", + "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced.", + "title": "Azure Cache for Redis should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.cognitive_account_private_link_used", + "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.", + "title": "Cognitive Services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.cognitive_account_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. 
Creating private endpoints can limit exposure of Cognitive Services account.", + "title": "Cognitive Services accounts should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.cognitive_account_restrict_public_access", + "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Cognitive Services accounts should restrict network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_disk_access_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced.", + "title": "Disk access resources should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + 
"description": "Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).", + "title": "Non-internet-facing virtual machines should be protected with network security groups", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. 
This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.container_registry_restrict_public_access", + "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.", + "title": "Container registries should not allow unrestricted network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and 
Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.container_registry_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Container registries should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your CosmosDB account, data leakage risks are reduced.", + "title": "CosmosDB accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. 
Accounts disabling public access are also deemed compliant.", + "title": "Azure Cosmos DB accounts should have firewall rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.data_factory_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Data Factory, data leakage risks are reduced.", + "title": "Azure Data Factory should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.eventgrid_domain_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid domains should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.eventgrid_topic_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid topics should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced.", + "title": "Event Hub namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.frontdoor_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FrontDoor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_uses_private_link", + "description": "Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links.", + "title": "Azure API for FHIR should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.keyvault_vault_private_link_used", + "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.", + "title": "Private endpoint should be configured for Key Vault", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.keyvault_vault_public_network_access_disabled", + "description": "Disable public network access for your key vault so that it's not accessible over the public internet. 
This can reduce data leakage risks.", + "title": "Azure Key Vault should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "description": "ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.", + "title": "Authorized IP ranges should be defined on Kubernetes Services", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.mariadb_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MariaDB servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.mysql_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.mysql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.network_interface_ip_forwarding_disabled", + "description": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.", + "title": "IP Forwarding on your virtual machine should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.postgres_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.postgresql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 
This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.search_service_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. 
Creating private endpoints can limit exposure of your Search service.", + "title": "Azure Cognitive Search services should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.search_service_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.", + "title": "Azure Cognitive Search services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Search service, data leakage risks are reduced.", + "title": "Azure Cognitive Search service should use a SKU that supports private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.servicebus_name_space_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced.", + "title": "Azure Service Bus namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.signalr_service_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks.", + "title": "Azure SignalR Service should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SignalRService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.sql_db_public_network_access_disabled", + "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. 
This configuration denies all logins that match IP or virtual network based firewall rules.", + "title": "Public network access on Azure SQL Database should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.sql_server_uses_private_link", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "title": "Private endpoint connections on Azure SQL Database should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.storage_account_block_public_access", + "description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.", + "title": "Storage account public access should be disallowed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points 
SC-7(3)" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.storage_account_restrict_network_access", + "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. 
Disabling IP-based filtering prevents public IPs from accessing your storage accounts.", + "title": "Storage accounts should restrict network access using virtual network rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.storage_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your storage account, data leakage risks are reduced.", + "title": "Storage accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.storage_sync_private_link_used", + "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. 
Creating a private endpoint by itself does not disable the public endpoint.", + "title": "Azure File Sync should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FileSync" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7) \u003e Access Points SC-7(3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)", + "Access Points SC-7(3)" + ], + "control_id": "azure_compliance.control.synapse_workspace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.", + "title": "Azure Synapse workspaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.apimanagement_service_with_virtual_network", + "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. 
The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.", + "title": "API Management services should use a virtual network", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/APIManagement" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.app_configuration_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.", + "title": "App Configuration should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppConfiguration" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.application_gateway_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_uses_private_link", + "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced.", + "title": "Azure Cache for Redis should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.cognitive_account_private_link_used", + "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.", + "title": "Cognitive Services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.cognitive_account_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. 
Creating private endpoints can limit exposure of Cognitive Services account.", + "title": "Cognitive Services accounts should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.cognitive_account_restrict_public_access", + "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Cognitive Services accounts should restrict network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_disk_access_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced.", + "title": "Disk access resources should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.", + "title": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary 
Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_vm_jit_access_protected", + "description": "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations", + "title": "Management ports of virtual machines should be protected with just-in-time network access control.", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + "description": "Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).", + "title": "Non-internet-facing virtual machines should be protected with network security groups", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "description": "Protect your virtual machines from potential threats by restricting access to them with network 
security groups (NSG).", + "title": "Internet-facing virtual machines should be protected with network security groups", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.container_registry_restrict_public_access", + "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. 
If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.", + "title": "Container registries should not allow unrestricted network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.container_registry_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Container registries should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your CosmosDB account, data leakage risks are reduced.", + "title": "CosmosDB accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. 
Accounts disabling public access are also deemed compliant.", + "title": "Azure Cosmos DB accounts should have firewall rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.data_factory_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Data Factory, data leakage risks are reduced.", + "title": "Azure Data Factory should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.eventgrid_domain_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid domains should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.eventgrid_topic_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks.", + "title": "Azure Event Grid topics should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventGrid" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.eventhub_namespace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced.", + "title": "Event Hub namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/EventHub" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.frontdoor_waf_enabled", + "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", + "title": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FrontDoor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_uses_private_link", + "description": "Azure API for FHIR should have at least one approved private endpoint connection. 
Clients in a virtual network can securely access resources that have private endpoint connections through private links.", + "title": "Azure API for FHIR should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.keyvault_vault_private_link_used", + "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. 
Private link provides defense in depth protection against data exfiltration.", + "title": "Private endpoint should be configured for Key Vault", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.keyvault_vault_public_network_access_disabled", + "description": "Disable public network access for your key vault so that it's not accessible over the public internet. 
This can reduce data leakage risks.", + "title": "Azure Key Vault should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "description": "ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.", + "title": "Authorized IP ranges should be defined on Kubernetes Services", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.mariadb_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MariaDB servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MariaDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.mysql_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.mysql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.network_interface_ip_forwarding_disabled", + "description": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.", + "title": "IP Forwarding on your virtual machine should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.network_security_group_remote_access_restricted", + "description": "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.", + "title": "Management ports should be closed on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.network_security_group_subnet_associated", + "description": "This policy denies if a gateway subnet is configured with a network security group. 
Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.", + "title": "Subnets should be associated with a Network Security Group", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.postgres_server_private_link_used", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.", + "title": "Private endpoint should be enabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.postgresql_server_public_network_access_disabled", + "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 
This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.", + "title": "Public network access should be disabled for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.search_service_public_network_access_disabled", + "description": "Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. 
Creating private endpoints can limit exposure of your Search service.", + "title": "Azure Cognitive Search services should disable public network access", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.search_service_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.", + "title": "Azure Cognitive Search services should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "description": "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Search service, data leakage risks are reduced.", + "title": "Azure Cognitive Search service should use a SKU that supports private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveSearch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.servicebus_name_space_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced.", + "title": "Azure Service Bus namespaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.signalr_service_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks.", + "title": "Azure SignalR Service should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SignalRService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.sql_db_public_network_access_disabled", + "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. 
This configuration denies all logins that match IP or virtual network based firewall rules.", + "title": "Public network access on Azure SQL Database should be disabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.sql_server_uses_private_link", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "title": "Private endpoint connections on Azure SQL Database should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications 
Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.storage_account_block_public_access", + "description": "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.", + "title": "Storage account public access should be disallowed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.storage_account_restrict_network_access", + "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. 
Disabling IP-based filtering prevents public IPs from accessing your storage accounts.", + "title": "Storage accounts should restrict network access using virtual network rules", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.storage_account_uses_private_link", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your storage account, data leakage risks are reduced.", + "title": "Storage accounts should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.storage_sync_private_link_used", + "description": "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. 
Creating a private endpoint by itself does not disable the public endpoint.", + "title": "Azure File Sync should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/FileSync" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Boundary Protection (SC-7)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Boundary Protection (SC-7)" + ], + "control_id": "azure_compliance.control.synapse_workspace_private_link_used", + "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.", + "title": "Azure Synapse workspaces should use private link", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_api_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS only should be required in your API App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System 
and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + 
"service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_function_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS only should be required in your Function App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity 
(SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_web_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS should be required in your Web App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": 
[ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.compute_vm_secure_communication_protocols_configured", + "description": "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). 
TLS secures communications over a network by using security certificates to encrypt a connection between machines.", + "title": "Windows web servers should be configured to use secure communication protocols", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.hdinsight_cluster_encryption_in_transit_enabled", + "description": "Data can be tampered with during transmission between Azure HDInsight cluster nodes. 
Enabling encryption in transit addresses problems of misuse and tampering during this transmission.", + "title": "Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HDInsight" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8) \u003e Cryptographic Protection SC-8(1) ", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)", + "Cryptographic Protection SC-8(1) " + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_api_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS only should be required in your API App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false 
+ }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_api_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your API App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_function_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS only should be required in your Function App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Function App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + 
"documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": 
"azure_compliance.control.appservice_web_app_ftps_enabled", + "description": "Enable FTPS enforcement for enhanced security.", + "title": "FTPS should be required in your Web App", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_tls_version", + "description": "Upgrade to the latest TLS version.", + "title": "Latest TLS version should be used in your Web App", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 
Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.compute_vm_secure_communication_protocols_configured", + "description": "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). 
TLS secures communications over a network by using security certificates to encrypt a connection between machines.", + "title": "Windows web servers should be configured to use secure communication protocols", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.hdinsight_cluster_encryption_in_transit_enabled", + "description": "Data can be tampered with during transmission between Azure HDInsight cluster nodes. 
Enabling encryption in transit addresses problems of misuse and tampering during this transmission.", + "title": "Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HDInsight" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.mysql_ssl_enabled", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "title": "Enforce SSL connection should be enabled for MySQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.postgres_sql_ssl_enabled", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server", + "title": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Transmission Confidentiality and Integrity (SC-8)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Transmission Confidentiality and Integrity (SC-8)" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.batch_account_encrypted_with_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Azure Batch account should use customer-managed keys to encrypt data", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Batch" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.cognitive_account_encrypted_with_cmk", + "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Cognitive Services accounts should enable data encryption with a customer-managed key", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CognitiveServices" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed", + "description": "High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. 
The disk encryption sets are required to use double encryption.", + "title": "Managed disks should be double encrypted with both platform-managed and customer-managed keys", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.container_registry_encrypted_with_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Container registries should be encrypted with a customer-managed key", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.cosmosdb_account_encryption_at_rest_using_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/CosmosDB" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.data_factory_encrypted_with_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Azure data factories should be encrypted with a customer-managed key", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataFactory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.hdinsight_cluster_encrypted_at_rest_with_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Azure HDInsight clusters should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HDInsight" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.hdinsight_cluster_encryption_at_host_enabled", + "description": "Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. 
When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.", + "title": "Azure HDInsight clusters should use encryption at host to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HDInsight" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.healthcare_fhir_azure_api_encrypted_at_rest_with_cmk", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.", + "title": "Azure API for FHIR should use a customer-managed key to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HealthcareAPIs" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.hpc_cache_encrypted_with_cmk", + "description": "Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "HPC Cache accounts should use customer-managed key for encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/HPCCache" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.", + "title": "Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.kusto_cluster_encrypted_at_rest_with_cmk", + "description": "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. 
This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.", + "title": "Azure Data Explorer encryption at rest should use a customer-managed key", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataExplorer" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.machine_learning_workspace_encrypted_with_cmk", + "description": "Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Azure Machine Learning workspaces should be encrypted with a customer-managed key", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MachineLearning" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.mssql_managed_instance_encryption_at_rest_using_cmk", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. 
This recommendation applies to organizations with a related compliance requirement.", + "title": "SQL managed instances should use customer-managed keys to encrypt data at rest", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.mysql_server_encrypted_at_rest_using_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "MySQL servers should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.postgres_sql_server_encrypted_at_rest_using_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.servicebus_premium_namespace_cmk_encrypted", + "description": "Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. 
Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.", + "title": "Service Bus Premium namespaces should use a customer-managed key for encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ServiceBus" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.storage_account_encryption_at_rest_using_cmk", + "description": "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. 
Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.", + "title": "Storage accounts should use customer-managed key for encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk", + "description": "Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.", + "title": "Storage account encryption scopes should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Cryptographic Key Establishment and Management (SC-12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Cryptographic Key Establishment and Management (SC-12)" + ], + "control_id": "azure_compliance.control.synapse_workspace_encryption_at_rest_using_cmk", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. 
Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.", + "title": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SynapseAnalytics" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.app_service_environment_internal_encryption_enabled", + "description": "Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.", + "title": "App Service Environment should enable internal encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled", + "description": "Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. 
OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.", + "title": "Virtual machines and virtual machine scale sets should have encryption at host enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.databox_edge_device_double_encryption_enabled", + "description": "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. 
Learn more in the security overview documentation for the specific Stack Edge device.", + "title": "Azure Stack Edge devices should use double-encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataBox" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host", + "description": "To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. 
This is a common requirement in many regulatory and industry compliance standards.", + "title": "Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.kusto_cluster_disk_encryption_enabled", + "description": "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.", + "title": "Disk encryption should be enabled on Azure Data Explorer", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataExplorer" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.kusto_cluster_double_encryption_enabled", + "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.", + "title": "Double encryption should be enabled on Azure Data Explorer", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataExplorer" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.mysql_server_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.", + "title": "Infrastructure encryption should be enabled for Azure Database for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.postgresql_server_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. 
When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.", + "title": "Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", + "title": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.sql_server_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Transparent Data Encryption on SQL databases should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28) \u003e Cryptographic Protection SC-28(1)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)", + "Cryptographic Protection SC-28(1)" + ], + "control_id": "azure_compliance.control.storage_account_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.", + "title": "Storage accounts should have infrastructure encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": 
"azure_compliance.control.app_service_environment_internal_encryption_enabled", + "description": "Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.", + "title": "App Service Environment should enable internal encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled", + "description": "Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. 
OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.", + "title": "Virtual machines and virtual machine scale sets should have encryption at host enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + 
"category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.databox_edge_device_double_encryption_enabled", + "description": "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.", + "title": "Azure Stack Edge devices should use double-encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataBox" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host", + "description": "To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes 
VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.", + "title": "Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.kusto_cluster_disk_encryption_enabled", + "description": "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.", + "title": "Disk encryption should be enabled on Azure Data Explorer", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataExplorer" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications 
Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.kusto_cluster_double_encryption_enabled", + "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.", + "title": "Double encryption should be enabled on Azure Data Explorer", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DataExplorer" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.mysql_server_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. 
When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.", + "title": "Infrastructure encryption should be enabled for Azure Database for MySQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/MySQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.postgresql_server_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. 
When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.", + "title": "Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/PostgreSQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", + "title": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.sql_server_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Transparent Data Encryption on SQL databases should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Communications Protection (SC) \u003e 
Protection of Information at Rest (SC-28)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Communications Protection (SC)", + "Protection of Information at Rest (SC-28)" + ], + "control_id": "azure_compliance.control.storage_account_infrastructure_encryption_enabled", + "description": "Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.", + "title": "Storage accounts should have infrastructure encryption", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc/azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_http_version", + "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_http_version", + "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'HTTP Version' is the latest, if used to run the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_java_version", + "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Java version' is the latest, if used as a part of the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_java_version", + "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Java version' is the latest, if used as a part of the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_php_version", + "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'PHP version' is the latest, if used as a part of the WEB app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_python_version", + "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Python version' is the latest, if used as a part of the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_python_version", + "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Python version' is the latest, if used as a part of the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2) \u003e Removal of Previous Versions of Software and Firmware SI-2(6)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)", + "Removal of Previous Versions of Software and Firmware SI-2(6)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version", + "description": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.", + "title": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 
Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_http_version", + "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_java_version", + "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Java version' is the latest, if used as a part of the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_function_app_latest_python_version", + "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Python version' is the latest, if used as a part of the Function app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_http_version", + "description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'HTTP Version' is the latest, if used to run the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_java_version", + "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Java version' is the latest, if used as a part of the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_php_version", + "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'PHP version' is the latest, if used as a part of the WEB app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.appservice_web_app_latest_python_version", + "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. 
Currently, this policy only applies to Linux web apps.", + "title": "Ensure that 'Python version' is the latest, if used as a part of the Web app", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and 
Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "title": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and 
Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version", + "description": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. 
Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.", + "title": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation 
(SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Flaw Remediation (SI-2)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Flaw Remediation (SI-2)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Malicious Code Protection (SI-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Malicious Code Protection (SI-3)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Malicious Code Protection (SI-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Malicious Code Protection (SI-3)" + ], + "control_id": "azure_compliance.control.compute_vm_monitor_missing_endpoint_protection_in_asc", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Malicious Code Protection (SI-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Malicious Code Protection (SI-3)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_endpoint_protection_solution_installed", + "description": "Audit the existence and health of an endpoint protection 
solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.", + "title": "Endpoint protection solution should be installed on virtual machine scale sets", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Malicious Code Protection (SI-3)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Malicious Code Protection (SI-3)" + ], + "control_id": "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled", + "description": "Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. 
Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).", + "title": "Windows Defender Exploit Guard should be enabled on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4) \u003e Automated Organization-generated Alerts SI-4(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)", + "Automated Organization-generated Alerts SI-4(12)" + ], + "control_id": "azure_compliance.control.securitycenter_email_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.", + "title": "Subscriptions should have a contact email address for security issues", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4) \u003e Automated Organization-generated Alerts SI-4(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)", + "Automated Organization-generated Alerts SI-4(12)" + ], + "control_id": "azure_compliance.control.securitycenter_notify_alerts_configured", + "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.", + "title": "Email notification for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4) \u003e Automated Organization-generated Alerts SI-4(12)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System 
and Information Integrity (SI)", + "System Monitoring (SI-4)", + "Automated Organization-generated Alerts SI-4(12)" + ], + "control_id": "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.", + "title": "Email notification to subscription owner for high severity alerts should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.appservice_azure_defender_enabled", + "description": "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.", + "title": "Azure Defender for App Service should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + 
"azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "description": "This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Linux Azure Arc machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "description": "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.", + "title": "Log Analytics agent should be installed on your Windows Azure Arc machines", + "tags": { + 
"nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "description": "Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. 
The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.", + "title": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) 
\u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed", + "description": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.", + "title": "Guest Configuration extension should be installed on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "description": "The Guest Configuration extension requires a system assigned managed identity. 
Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.", + "title": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 
To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.", + "title": "Log Analytics agent health issues should be resolved on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information 
Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Linux virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "description": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.", + "title": "Network traffic data collection agent should be installed on Windows 
virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "description": "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed.", + "title": "The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "tags": { + "hipaa_hitrust_v92": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": 
"azure_compliance.control.container_registry_azure_defender_enabled", + "description": "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.", + "title": "Azure Defender for container registries should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.dns_azure_defender_enabled", + "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. 
Azure Defender alerts you about suspicious activity at the DNS layer.", + "title": "Azure Defender for DNS should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/DNS" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.keyvault_azure_defender_enabled", + "description": "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.", + "title": "Azure Defender for Key Vault should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KeyVault" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information 
Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.kubernetes_azure_defender_enabled", + "description": "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.", + "title": "Azure Defender for Kubernetes should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/KubernetesService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.network_watcher_enabled", + "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. 
An alert is enabled if a network watcher resource group is not available in a particular region.", + "title": "Network Watcher should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Network" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.resource_manager_azure_defender_enabled", + "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. 
Azure Defender detects threats and alerts you about suspicious activity.", + "title": "Azure Defender for Resource Manager should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ResourceManager" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "title": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "description": "Audit each SQL Managed Instance without advanced data security.", + "title": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SecurityCenter" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + 
"category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.sql_database_server_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.sql_server_azure_defender_enabled", + "description": "Audit SQL servers without Advanced Data Security.", + "title": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "description": "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.", + "title": "Azure Defender for SQL servers on machines should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e System Monitoring (SI-4)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "System Monitoring (SI-4)" + ], + "control_id": "azure_compliance.control.storage_azure_defender_enabled", + "description": "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.", + "title": "Azure Defender for Storage should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": 
"Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Memory Protection (SI-16)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Memory Protection (SI-16)" + ], + "control_id": "azure_compliance.control.compute_vm_azure_defender_enabled", + "description": "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.", + "title": "Azure Defender for servers should be enabled", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16", + "executable": false + }, + { + "category_breadcrumb": "NIST SP 800-53 Revision 5 \u003e System and Information Integrity (SI) \u003e Memory Protection (SI-16)", + "category_hierarchy": [ + "NIST SP 800-53 Revision 5", + "System and Information Integrity (SI)", + "Memory Protection (SI-16)" + ], + "control_id": "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled", + "description": "Windows Defender Exploit Guard uses 
the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).", + "title": "Windows Defender Exploit Guard should be enabled on your machines", + "tags": { + "nist_sp_800_53_rev_5": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.nist_sp_800_53_rev_5/azure_compliance.benchmark.nist_sp_800_53_rev_5_si/azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16", + "executable": false + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/nist_benchmarks.json b/deepfence_server/cloud_controls/azure/nist_benchmarks.json new file mode 100644 index 0000000000..ea3df49216 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/nist_benchmarks.json 
@@ -0,0 +1,1708 @@ +[ + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5", + "description": "NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.", + "title": "NIST SP 800-53 Revision 5", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\n[NIST SP 800-53 Revision 5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53) represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen\nand support the U.S. federal government. These next generation controls offer a proactive and systematic approach to ensure that\ncritical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and\nnational security interests of the United States.\n", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac", + "description": "The AC Control Family consists of security requirements detailing system logging. 
This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.", + "title": "Access Control (AC)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2", + "description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.", + "title": "Account Management (AC-2)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "azure_compliance.control.appservice_api_app_uses_managed_identity", + "azure_compliance.control.appservice_function_app_uses_managed_identity", + "azure_compliance.control.appservice_web_app_uses_managed_identity", + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "azure_compliance.control.iam_deprecated_account", + "azure_compliance.control.iam_external_user_with_owner_role", + 
"azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_subscription_owner_max_3", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_1", + "description": "The organization employs automated mechanisms to support the management of information system accounts.", + "title": "Automated System Account Management AC-2(1)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_12", + "description": "The organization monitors information system accounts for organization-defined atypical use and reports atypical usage of information system accounts to organization-defined personnel or roles.", + "title": "Account Monitoring for Atypical Usage AC-2(12)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_jit_access_protected", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + 
"azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_2_7", + "description": "The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles, monitors privileged role assignments, and takes organization-defined actions when privileged role assignments are no longer appropriate.", + "title": "Privileged User Accounts AC-2(7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3", + "description": "Enforce approved authorizations for access to systems in accordance with policy.", + "title": "Access Enforcement (AC-3)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3_7", + "azure_compliance.control.appservice_api_app_uses_managed_identity", + 
"azure_compliance.control.appservice_function_app_uses_managed_identity", + "azure_compliance.control.appservice_web_app_uses_managed_identity", + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.compute_vm_account_with_password_linux", + "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_ssh_key_authentication_linux", + "azure_compliance.control.compute_vm_uses_azure_resource_manager", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "azure_compliance.control.storage_account_uses_azure_resource_manager" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_3_7", + "description": "The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon organization-defined roles and users authorized to assume such roles.", + "title": "Role-based Access Control AC-3(7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/KubernetesService", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.kubernetes_instance_rbac_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4", + "description": "Enforce approved authorizations. 
Control information workflow between interconnected systems.", + "title": "Information Flow Enforcement (AC-4)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3", + "azure_compliance.control.apimanagement_service_with_virtual_network", + "azure_compliance.control.app_configuration_private_link_used", + "azure_compliance.control.appservice_web_app_cors_no_star", + "azure_compliance.control.azure_redis_cache_uses_private_link", + "azure_compliance.control.cognitive_account_private_link_used", + "azure_compliance.control.cognitive_account_public_network_access_disabled", + "azure_compliance.control.cognitive_account_restrict_public_access", + "azure_compliance.control.compute_disk_access_uses_private_link", + "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "azure_compliance.control.compute_vm_jit_access_protected", + "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_restrict_public_access", + "azure_compliance.control.container_registry_uses_private_link", + "azure_compliance.control.cosmosdb_account_uses_private_link", + "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "azure_compliance.control.data_factory_uses_private_link", + "azure_compliance.control.eventgrid_domain_private_link_used", + "azure_compliance.control.eventgrid_topic_private_link_used", + "azure_compliance.control.eventhub_namespace_private_link_used", + "azure_compliance.control.healthcare_fhir_uses_private_link", + "azure_compliance.control.keyvault_vault_private_link_used", + 
"azure_compliance.control.keyvault_vault_public_network_access_disabled", + "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "azure_compliance.control.mariadb_server_public_network_access_disabled", + "azure_compliance.control.mysql_server_private_link_used", + "azure_compliance.control.mysql_server_public_network_access_disabled", + "azure_compliance.control.network_interface_ip_forwarding_disabled", + "azure_compliance.control.network_security_group_remote_access_restricted", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.postgres_server_private_link_used", + "azure_compliance.control.postgresql_server_public_network_access_disabled", + "azure_compliance.control.search_service_public_network_access_disabled", + "azure_compliance.control.search_service_uses_private_link", + "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "azure_compliance.control.servicebus_name_space_private_link_used", + "azure_compliance.control.signalr_service_private_link_used", + "azure_compliance.control.sql_db_public_network_access_disabled", + "azure_compliance.control.sql_server_uses_private_link", + "azure_compliance.control.storage_account_block_public_access", + "azure_compliance.control.storage_account_default_network_access_rule_denied", + "azure_compliance.control.storage_account_restrict_network_access", + "azure_compliance.control.storage_account_uses_private_link", + "azure_compliance.control.storage_sync_private_link_used", + "azure_compliance.control.synapse_workspace_private_link_used" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_4_3", + "description": "The information system enforces dynamic information flow control based on organization-defined policies.", + "title": "Dynamic Information Flow Control AC-4(3)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": 
"Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "azure_compliance.control.compute_vm_jit_access_protected" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_5", + "description": "Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.", + "title": "Separation of Duties (AC-5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6", + "description": "Automate least privilege. Allow only authorized accesses for users and processes which are necessary.", + "title": "Least Privilege (AC-6)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_6_7", + "description": "The organization reviews organization-defined frequency the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.", + "title": "Review of User Privileges AC-6(7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": 
"", + "children": [ + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_subscription_owner_max_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_16", + "description": "Support and maintains the binding of security attributes to information in storage, in process, and in transition.", + "title": "Security and Privacy Attributes (AC-16)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.sql_server_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17", + "description": "Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.", + "title": "Remote Access (AC-17)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "azure_compliance.control.app_configuration_private_link_used", + "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "azure_compliance.control.azure_redis_cache_in_virtual_network", + "azure_compliance.control.azure_redis_cache_uses_private_link", + "azure_compliance.control.cognitive_account_private_link_used", + "azure_compliance.control.compute_disk_access_uses_private_link", + "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + 
"azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_restrict_remote_connection_from_accounts_without_password_linux", + "azure_compliance.control.container_registry_uses_private_link", + "azure_compliance.control.cosmosdb_account_uses_private_link", + "azure_compliance.control.data_factory_uses_private_link", + "azure_compliance.control.eventgrid_domain_private_link_used", + "azure_compliance.control.eventgrid_topic_private_link_used", + "azure_compliance.control.eventhub_namespace_private_link_used", + "azure_compliance.control.healthcare_fhir_uses_private_link", + "azure_compliance.control.keyvault_vault_private_link_used", + "azure_compliance.control.mysql_server_private_link_used", + "azure_compliance.control.postgres_server_private_link_used", + "azure_compliance.control.search_service_uses_private_link", + "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "azure_compliance.control.servicebus_name_space_private_link_used", + "azure_compliance.control.signalr_service_private_link_used", + "azure_compliance.control.spring_cloud_service_network_injection_enabled", + "azure_compliance.control.sql_server_uses_private_link", + "azure_compliance.control.storage_account_default_network_access_rule_denied", + "azure_compliance.control.storage_account_uses_private_link", + "azure_compliance.control.storage_sync_private_link_used", + "azure_compliance.control.synapse_workspace_private_link_used" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ac_17_1", + "description": "The information system monitors and controls remote access methods.", + "title": "Monitoring and Control AC-17(1)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + 
}, + "documentation": "", + "children": [ + "azure_compliance.control.app_configuration_private_link_used", + "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "azure_compliance.control.azure_redis_cache_in_virtual_network", + "azure_compliance.control.azure_redis_cache_uses_private_link", + "azure_compliance.control.cognitive_account_private_link_used", + "azure_compliance.control.compute_disk_access_uses_private_link", + "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_restrict_remote_connection_from_accounts_without_password_linux", + "azure_compliance.control.container_registry_uses_private_link", + "azure_compliance.control.cosmosdb_account_uses_private_link", + "azure_compliance.control.data_factory_uses_private_link", + "azure_compliance.control.eventgrid_domain_private_link_used", + "azure_compliance.control.eventgrid_topic_private_link_used", + "azure_compliance.control.eventhub_namespace_private_link_used", + "azure_compliance.control.healthcare_fhir_uses_private_link", + "azure_compliance.control.keyvault_vault_private_link_used", + "azure_compliance.control.mysql_server_private_link_used", + "azure_compliance.control.postgres_server_private_link_used", + "azure_compliance.control.search_service_uses_private_link", + "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "azure_compliance.control.servicebus_name_space_private_link_used", + "azure_compliance.control.signalr_service_private_link_used", + 
"azure_compliance.control.spring_cloud_service_network_injection_enabled", + "azure_compliance.control.sql_server_uses_private_link", + "azure_compliance.control.storage_account_default_network_access_rule_denied", + "azure_compliance.control.storage_account_uses_private_link", + "azure_compliance.control.storage_sync_private_link_used", + "azure_compliance.control.synapse_workspace_private_link_used" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au", + "description": "The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.", + "title": "Audit and Accountability Control (AU)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_11", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6", + "description": "Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.", + "title": "Audit Record Review, Analysis, and Reporting (AU-6)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.compute_vm_azure_defender_enabled", + 
"azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_4", + "description": "The information system provides the capability to centrally review and analyze audit records from multiple components within the system.", + "title": "Central Review and Analysis AU-6(4)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.batch_account_logging_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_guest_configuration_installed", + 
"azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.datalake_analytics_account_logging_enabled", + "azure_compliance.control.datalake_store_account_logging_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.eventhub_namespace_logging_enabled", + "azure_compliance.control.iot_hub_logging_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.keyvault_logging_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.logic_app_workflow_logging_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.search_service_logging_enabled", + "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.servicebus_namespace_logging_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_auditing_on", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled", + 
"azure_compliance.control.stream_analytics_job_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_6_5", + "description": "The organization integrates analysis of audit records with analysis of vulnerable scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.", + "title": "Integrated Analysis of Audit Records AU-6(5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.batch_account_logging_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_guest_configuration_installed", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + 
"azure_compliance.control.datalake_analytics_account_logging_enabled", + "azure_compliance.control.datalake_store_account_logging_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.eventhub_namespace_logging_enabled", + "azure_compliance.control.iot_hub_logging_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.keyvault_logging_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.logic_app_workflow_logging_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.search_service_logging_enabled", + "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.servicebus_namespace_logging_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_auditing_on", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled", + "azure_compliance.control.stream_analytics_job_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_11", + "description": "Retain audit records for security investigations. 
Meet regulatory and organizational data retention requirements.", + "title": "Audit Record Retention (AU-11)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/SQL", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.sql_server_auditing_storage_account_destination_retention_90_days" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12", + "description": "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.", + "title": "Audit Record Generation (AU-12)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.batch_account_logging_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_guest_configuration_installed", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + 
"azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.datalake_analytics_account_logging_enabled", + "azure_compliance.control.datalake_store_account_logging_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.eventhub_namespace_logging_enabled", + "azure_compliance.control.iot_hub_logging_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.keyvault_logging_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.logic_app_workflow_logging_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.search_service_logging_enabled", + "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.servicebus_namespace_logging_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_auditing_on", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled", + "azure_compliance.control.stream_analytics_job_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_au_12_1", + "description": "The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for the relationship between timestamps of individual records in the audit 
trail.", + "title": "System-wide and Time-correlated Audit Trail AU-12(1)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.appservice_web_app_diagnostic_logs_enabled", + "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.batch_account_logging_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_guest_configuration_installed", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_scale_set_logging_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.datalake_analytics_account_logging_enabled", + "azure_compliance.control.datalake_store_account_logging_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.eventhub_namespace_logging_enabled", + "azure_compliance.control.iot_hub_logging_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.keyvault_logging_enabled", + 
"azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.logic_app_workflow_logging_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.search_service_logging_enabled", + "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.servicebus_namespace_logging_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_auditing_on", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled", + "azure_compliance.control.stream_analytics_job_logging_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm", + "description": "CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. 
Additionally, this includes information system component inventories and a security impact analysis control.", + "title": "Configuration Management (CM)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6", + "description": "The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.", + "title": "Configuration Settings (CM-6)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_client_certificates_on", + "azure_compliance.control.appservice_api_app_cors_no_star", + "azure_compliance.control.appservice_api_app_remote_debugging_disabled", + "azure_compliance.control.appservice_function_app_client_certificates_on", + "azure_compliance.control.appservice_function_app_cors_no_star", + "azure_compliance.control.appservice_function_app_remote_debugging_disabled", + 
"azure_compliance.control.appservice_web_app_client_certificates_on", + "azure_compliance.control.appservice_web_app_cors_no_star", + "azure_compliance.control.appservice_web_app_remote_debugging_disabled", + "azure_compliance.control.compute_vm_meet_security_baseline_requirements_linux", + "azure_compliance.control.compute_vm_meet_security_baseline_requirements_windows", + "azure_compliance.control.kubernetes_cluster_add_on_azure_policy_enabled", + "azure_compliance.control.kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7", + "description": "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.", + "title": "Least Functionality (CM-7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5", + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "azure_compliance.control.compute_vm_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_2", + "description": "The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, rules authorizing the terms and conditions of software program usage.", + "title": "Prevent Program Execution CM-7(2) ", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": 
"Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_7_5", + "description": "The organization identifies organization-defined software programs authorized to execute on the information system, employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system, and reviews and updates the list of authorized software programs.", + "title": "Authorized Software ??? Allow-by-exception CM-7(5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated", + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_10", + "description": "The organization uses software and associated documentation in accordance with contract agreements and copyright laws, tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution, and controls and documents the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "title": "Software Usage Restrictions (CM-10)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + 
"azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_11", + "description": "The organization establishes organization-defined policies governing the installation of software by users, enforces software installation policies through organization-defined methods, and monitors policy compliance at organization-defined frequency.", + "title": "User-installed Software (CM-11)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_adaptive_application_controls_enabled", + "azure_compliance.control.compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp", + "description": "The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. 
This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.", + "title": "Contingency Planning (CP)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6", + "description": "The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information and ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.", + "title": "Alternate Storage Site (CP-6)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "azure_compliance.control.storage_account_geo_redundant_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_6_1", + "description": "The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.", + "title": "Separation from Primary Site CP-6(1)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + 
"type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled", + "azure_compliance.control.sql_database_long_term_geo_redundant_backup_enabled", + "azure_compliance.control.storage_account_geo_redundant_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_7", + "description": "The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable, ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption and ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.", + "title": "Alternate Processing Site (CP-7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_disaster_recovery_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_cp_9", + "description": "The organization conducts backups of information system documentation including security-related documentation, user-level and system-level information contained in the information system with recovery time and recovery point objectives, and protects the confidentiality, 
integrity, and availability of backup information at storage locations.", + "title": "System Backup (CP-9)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.keyvault_purge_protection_enabled", + "azure_compliance.control.keyvault_soft_delete_enabled", + "azure_compliance.control.mariadb_server_geo_redundant_backup_enabled", + "azure_compliance.control.mysql_db_server_geo_redundant_backup_enabled", + "azure_compliance.control.postgres_db_server_geo_redundant_backup_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia", + "description": "IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.", + "title": "Identification and Authentication (IA)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_2", + "description": "Identify and authenticate organization users and processes.", + "title": "Identification and Authentication (organizational Users) (IA-2)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_uses_managed_identity", + "azure_compliance.control.appservice_function_app_uses_managed_identity", + 
"azure_compliance.control.appservice_web_app_uses_managed_identity", + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_4", + "description": "Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.", + "title": "Identifier Management (IA-4)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_uses_managed_identity", + "azure_compliance.control.appservice_function_app_uses_managed_identity", + "azure_compliance.control.appservice_web_app_uses_managed_identity", + "azure_compliance.control.cognitive_service_local_auth_disabled", + "azure_compliance.control.servicefabric_cluster_active_directory_authentication_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5", + "description": "Authenticate users and devices. Automate administrative control. Enforce restrictions. 
Protect against unauthorized use.", + "title": "Authenticator Management (IA-5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_password_file_permissions_0644_linux", + "azure_compliance.control.compute_vm_passwords_stored_using_reversible_encryption_windows", + "azure_compliance.control.compute_vm_ssh_key_authentication_linux", + "azure_compliance.control.keyvault_key_expiration_set", + "azure_compliance.control.keyvault_secret_expiration_set" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ia_5_1", + "description": "The information system, for password-based authentication, enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; enforces at least the organization-defined number of changed characters when new passwords are created; stores and transmits only cryptographically-protected passwords; enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum; prohibits password reuse for organization-defined number generations; and allows the use of a temporary password for system logons with an immediate change to a permanent password.", + "title": "Password-based Authentication IA-5(1) ", + 
"tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_guest_configuration_installed_linux", + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "azure_compliance.control.compute_vm_min_password_age_1_day_windows", + "azure_compliance.control.compute_vm_min_password_length_14_windows", + "azure_compliance.control.compute_vm_password_complexity_setting_enabled_windows", + "azure_compliance.control.compute_vm_password_file_permissions_0644_linux", + "azure_compliance.control.compute_vm_passwords_stored_using_reversible_encryption_windows", + "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir", + "description": "IR controls are specific to an organization’s incident response policies and procedures. 
This includes incident response training, testing, monitoring, reporting, and response plan.", + "title": "Incident Response (IR)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_4", + "description": "The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; coordinates incident handling activities with contingency planning activities; and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.", + "title": "Incident Handling (IR-4)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.securitycenter_email_configured", + "azure_compliance.control.securitycenter_notify_alerts_configured", + 
"azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_5", + "description": "The organization tracks and documents information system security incidents.", + "title": "Incident Monitoring (IR-5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.securitycenter_email_configured", + "azure_compliance.control.securitycenter_notify_alerts_configured", + "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ir_6_2", + "description": "The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel 
or roles.", + "title": "Vulnerabilities Related to Incidents IR-6(2) ", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.securitycenter_email_configured", + "azure_compliance.control.securitycenter_notify_alerts_configured", + "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra", + "description": "The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.", + "title": "Risk Assessment (RA)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5", + "description": "Scan for system vulnerabilities. 
Share vulnerability information and security controls that eliminate vulnerabilities.", + "title": "Vulnerability Monitoring and Scanning (RA-5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_container_security_configurations_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.compute_vm_vulnerability_findings_resolved_for_sql_server", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.container_registry_vulnerabilities_remediated", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.mssql_managed_instance_vulnerability_assessment_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "azure_compliance.control.sql_server_and_databases_va_enabled", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled", + "azure_compliance.control.synapse_workspace_vulnerability_assessment_enabled" + ] + }, + { + 
"benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc", + "description": "The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.", + "title": "System and Communications Protection (SC)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_3", + "description": "The information system isolates security functions from nonsecurity functions.", + "title": "Security Function Isolation (SC-3)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_monitor_missing_endpoint_protection_in_asc", + "azure_compliance.control.compute_vm_scale_set_endpoint_protection_solution_installed", + "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_5", + "description": "The information system protects against or limits the effects of the organization-defined types of denial of service attacks or reference to a source for such information by employing organization-defined 
security safeguards.", + "title": "Denial-of-service Protection (SC-5)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.application_gateway_waf_enabled", + "azure_compliance.control.frontdoor_waf_enabled", + "azure_compliance.control.network_ddos_enabled", + "azure_compliance.control.network_interface_ip_forwarding_disabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7", + "description": "The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; implements subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.", + "title": "Boundary Protection (SC-7)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "azure_compliance.control.apimanagement_service_with_virtual_network", + "azure_compliance.control.app_configuration_private_link_used", + "azure_compliance.control.application_gateway_waf_enabled", + "azure_compliance.control.azure_redis_cache_uses_private_link", + "azure_compliance.control.cognitive_account_private_link_used", + "azure_compliance.control.cognitive_account_public_network_access_disabled", + "azure_compliance.control.cognitive_account_restrict_public_access", + "azure_compliance.control.compute_disk_access_uses_private_link", + 
"azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "azure_compliance.control.compute_vm_jit_access_protected", + "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_restrict_public_access", + "azure_compliance.control.container_registry_uses_private_link", + "azure_compliance.control.cosmosdb_account_uses_private_link", + "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "azure_compliance.control.data_factory_uses_private_link", + "azure_compliance.control.eventgrid_domain_private_link_used", + "azure_compliance.control.eventgrid_topic_private_link_used", + "azure_compliance.control.eventhub_namespace_private_link_used", + "azure_compliance.control.frontdoor_waf_enabled", + "azure_compliance.control.healthcare_fhir_uses_private_link", + "azure_compliance.control.keyvault_vault_private_link_used", + "azure_compliance.control.keyvault_vault_public_network_access_disabled", + "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "azure_compliance.control.mariadb_server_public_network_access_disabled", + "azure_compliance.control.mysql_server_private_link_used", + "azure_compliance.control.mysql_server_public_network_access_disabled", + "azure_compliance.control.network_interface_ip_forwarding_disabled", + "azure_compliance.control.network_security_group_remote_access_restricted", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.postgres_server_private_link_used", + "azure_compliance.control.postgresql_server_public_network_access_disabled", + "azure_compliance.control.search_service_public_network_access_disabled", + "azure_compliance.control.search_service_uses_private_link", + 
"azure_compliance.control.search_service_uses_sku_supporting_private_link", + "azure_compliance.control.servicebus_name_space_private_link_used", + "azure_compliance.control.signalr_service_private_link_used", + "azure_compliance.control.sql_db_public_network_access_disabled", + "azure_compliance.control.sql_server_uses_private_link", + "azure_compliance.control.storage_account_block_public_access", + "azure_compliance.control.storage_account_default_network_access_rule_denied", + "azure_compliance.control.storage_account_restrict_network_access", + "azure_compliance.control.storage_account_uses_private_link", + "azure_compliance.control.storage_sync_private_link_used", + "azure_compliance.control.synapse_workspace_private_link_used" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_7_3", + "description": "The organization limits the number of external network connections to the information system.", + "title": "Access Points SC-7(3)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.apimanagement_service_with_virtual_network", + "azure_compliance.control.app_configuration_private_link_used", + "azure_compliance.control.application_gateway_waf_enabled", + "azure_compliance.control.azure_redis_cache_uses_private_link", + "azure_compliance.control.cognitive_account_private_link_used", + "azure_compliance.control.cognitive_account_public_network_access_disabled", + "azure_compliance.control.cognitive_account_restrict_public_access", + "azure_compliance.control.compute_disk_access_uses_private_link", + "azure_compliance.control.compute_vm_adaptive_network_hardening_recommendation_applied", + "azure_compliance.control.compute_vm_jit_access_protected", + "azure_compliance.control.compute_vm_non_internet_facing_protected_with_nsg", + 
"azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "azure_compliance.control.compute_vm_tcp_udp_access_restricted_internet", + "azure_compliance.control.container_registry_restrict_public_access", + "azure_compliance.control.container_registry_uses_private_link", + "azure_compliance.control.cosmosdb_account_uses_private_link", + "azure_compliance.control.cosmosdb_account_with_firewall_rules", + "azure_compliance.control.data_factory_uses_private_link", + "azure_compliance.control.eventgrid_domain_private_link_used", + "azure_compliance.control.eventgrid_topic_private_link_used", + "azure_compliance.control.eventhub_namespace_private_link_used", + "azure_compliance.control.frontdoor_waf_enabled", + "azure_compliance.control.healthcare_fhir_uses_private_link", + "azure_compliance.control.keyvault_vault_private_link_used", + "azure_compliance.control.keyvault_vault_public_network_access_disabled", + "azure_compliance.control.kubernetes_cluster_authorized_ip_range_defined", + "azure_compliance.control.mariadb_server_public_network_access_disabled", + "azure_compliance.control.mysql_server_private_link_used", + "azure_compliance.control.mysql_server_public_network_access_disabled", + "azure_compliance.control.network_interface_ip_forwarding_disabled", + "azure_compliance.control.network_security_group_remote_access_restricted", + "azure_compliance.control.network_security_group_subnet_associated", + "azure_compliance.control.postgres_server_private_link_used", + "azure_compliance.control.postgresql_server_public_network_access_disabled", + "azure_compliance.control.search_service_public_network_access_disabled", + "azure_compliance.control.search_service_uses_private_link", + "azure_compliance.control.search_service_uses_sku_supporting_private_link", + "azure_compliance.control.servicebus_name_space_private_link_used", + "azure_compliance.control.signalr_service_private_link_used", + 
"azure_compliance.control.sql_db_public_network_access_disabled", + "azure_compliance.control.sql_server_uses_private_link", + "azure_compliance.control.storage_account_block_public_access", + "azure_compliance.control.storage_account_default_network_access_rule_denied", + "azure_compliance.control.storage_account_restrict_network_access", + "azure_compliance.control.storage_account_uses_private_link", + "azure_compliance.control.storage_sync_private_link_used", + "azure_compliance.control.synapse_workspace_private_link_used" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8", + "description": "The information system protects the confidentiality and integrity of transmitted information.", + "title": "Transmission Confidentiality and Integrity (SC-8)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "azure_compliance.control.appservice_api_app_ftps_enabled", + "azure_compliance.control.appservice_api_app_latest_tls_version", + "azure_compliance.control.appservice_api_app_use_https", + "azure_compliance.control.appservice_function_app_ftps_enabled", + "azure_compliance.control.appservice_function_app_latest_tls_version", + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_ftps_enabled", + "azure_compliance.control.appservice_web_app_latest_tls_version", + "azure_compliance.control.appservice_web_app_use_https", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_secure_communication_protocols_configured", + "azure_compliance.control.hdinsight_cluster_encryption_in_transit_enabled", + "azure_compliance.control.mysql_ssl_enabled", + "azure_compliance.control.postgres_sql_ssl_enabled", + 
"azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_8_1", + "description": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.", + "title": "Cryptographic Protection SC-8(1) ", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_ftps_enabled", + "azure_compliance.control.appservice_api_app_latest_tls_version", + "azure_compliance.control.appservice_api_app_use_https", + "azure_compliance.control.appservice_function_app_ftps_enabled", + "azure_compliance.control.appservice_function_app_latest_tls_version", + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_ftps_enabled", + "azure_compliance.control.appservice_web_app_latest_tls_version", + "azure_compliance.control.appservice_web_app_use_https", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_secure_communication_protocols_configured", + "azure_compliance.control.hdinsight_cluster_encryption_in_transit_enabled", + "azure_compliance.control.mysql_ssl_enabled", + "azure_compliance.control.postgres_sql_ssl_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_12", + "description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and 
destruction.", + "title": "Cryptographic Key Establishment and Management (SC-12)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.batch_account_encrypted_with_cmk", + "azure_compliance.control.cognitive_account_encrypted_with_cmk", + "azure_compliance.control.compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed", + "azure_compliance.control.container_registry_encrypted_with_cmk", + "azure_compliance.control.cosmosdb_account_encryption_at_rest_using_cmk", + "azure_compliance.control.data_factory_encrypted_with_cmk", + "azure_compliance.control.hdinsight_cluster_encrypted_at_rest_with_cmk", + "azure_compliance.control.hdinsight_cluster_encryption_at_host_enabled", + "azure_compliance.control.healthcare_fhir_azure_api_encrypted_at_rest_with_cmk", + "azure_compliance.control.hpc_cache_encrypted_with_cmk", + "azure_compliance.control.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk", + "azure_compliance.control.kusto_cluster_encrypted_at_rest_with_cmk", + "azure_compliance.control.machine_learning_workspace_encrypted_with_cmk", + "azure_compliance.control.mssql_managed_instance_encryption_at_rest_using_cmk", + "azure_compliance.control.mysql_server_encrypted_at_rest_using_cmk", + "azure_compliance.control.postgres_sql_server_encrypted_at_rest_using_cmk", + "azure_compliance.control.servicebus_premium_namespace_cmk_encrypted", + "azure_compliance.control.storage_account_encryption_at_rest_using_cmk", + "azure_compliance.control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk", + "azure_compliance.control.synapse_workspace_encryption_at_rest_using_cmk" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28", + "description": "The information system protects the confidentiality and integrity of organization-defined information at rest.", + "title": 
"Protection of Information at Rest (SC-28)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "azure_compliance.control.app_service_environment_internal_encryption_enabled", + "azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled", + "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "azure_compliance.control.databox_edge_device_double_encryption_enabled", + "azure_compliance.control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host", + "azure_compliance.control.kusto_cluster_disk_encryption_enabled", + "azure_compliance.control.kusto_cluster_double_encryption_enabled", + "azure_compliance.control.mysql_server_infrastructure_encryption_enabled", + "azure_compliance.control.postgresql_server_infrastructure_encryption_enabled", + "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "azure_compliance.control.sql_server_transparent_data_encryption_enabled", + "azure_compliance.control.storage_account_infrastructure_encryption_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28_1", + "description": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components.", + "title": "Cryptographic Protection SC-28(1)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.app_service_environment_internal_encryption_enabled", + "azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled", + 
"azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "azure_compliance.control.databox_edge_device_double_encryption_enabled", + "azure_compliance.control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host", + "azure_compliance.control.kusto_cluster_disk_encryption_enabled", + "azure_compliance.control.kusto_cluster_double_encryption_enabled", + "azure_compliance.control.mysql_server_infrastructure_encryption_enabled", + "azure_compliance.control.postgresql_server_infrastructure_encryption_enabled", + "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "azure_compliance.control.sql_server_transparent_data_encryption_enabled", + "azure_compliance.control.storage_account_infrastructure_encryption_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si", + "description": "The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.", + "title": "System and Information Integrity (SI)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2", + "description": "The organization identifies, reports, and corrects information system flaws, tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, installs security-relevant software and firmware updates 
within the organization-defined time period of the release of the updates, and incorporates flaw remediation into the organizational configuration management process.", + "title": "Flaw Remediation (SI-2)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.appservice_function_app_latest_http_version", + "azure_compliance.control.appservice_function_app_latest_java_version", + "azure_compliance.control.appservice_function_app_latest_python_version", + "azure_compliance.control.appservice_web_app_latest_http_version", + "azure_compliance.control.appservice_web_app_latest_java_version", + "azure_compliance.control.appservice_web_app_latest_php_version", + "azure_compliance.control.appservice_web_app_latest_python_version", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_system_updates_installed", + "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_database_vulnerability_findings_resolved", + 
"azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_2_6", + "description": "The organization removes organization-defined software and firmware components after updated versions have been installed.", + "title": "Removal of Previous Versions of Software and Firmware SI-2(6)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_function_app_latest_http_version", + "azure_compliance.control.appservice_web_app_latest_http_version", + "azure_compliance.control.appservice_function_app_latest_java_version", + "azure_compliance.control.appservice_web_app_latest_java_version", + "azure_compliance.control.appservice_web_app_latest_php_version", + "azure_compliance.control.appservice_function_app_latest_python_version", + "azure_compliance.control.appservice_web_app_latest_python_version", + "azure_compliance.control.kubernetes_cluster_upgraded_with_non_vulnerable_version" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_3", + "description": "The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources at an endpoint, network entry/exit points as the files 
are downloaded, opened, or executed in accordance with organizational security policy, and block and quarantine malicious code, send alert to the administrator and take organization-defined action in response to malicious code detection.", + "title": "Malicious Code Protection (SI-3)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_monitor_missing_endpoint_protection_in_asc", + "azure_compliance.control.compute_vm_scale_set_endpoint_protection_solution_installed", + "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4", + "description": "The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and unauthorized local, network, and remote connections; identifies unauthorized use of the information system through organization-defined techniques and methods; deploys monitoring devices strategically within the information system to collect organization-determined essential information and at ad hoc locations within the system to track specific types of transactions of interest to the organization; protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; obtains legal opinion with regard to information system monitoring activities in accordance with applicable 
federal laws, Executive Orders, directives, policies, or regulations; and provides organization-defined system monitoring information to organization-defined personnel or roles as needed.", + "title": "System Monitoring (SI-4)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12", + "azure_compliance.control.appservice_azure_defender_enabled", + "azure_compliance.control.arc_compute_machine_linux_log_analytics_agent_installed", + "azure_compliance.control.arc_compute_machine_windows_log_analytics_agent_installed", + "azure_compliance.control.arc_kubernetes_cluster_azure_defender_extension_installed", + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_guest_configuration_installed", + "azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_log_analytics_agent_health_issues_resolved", + "azure_compliance.control.compute_vm_log_analytics_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_linux_agent_installed", + "azure_compliance.control.compute_vm_network_traffic_data_collection_windows_agent_installed", + "azure_compliance.control.compute_vm_scale_set_log_analytics_agent_installed", + "azure_compliance.control.container_registry_azure_defender_enabled", + "azure_compliance.control.dns_azure_defender_enabled", + "azure_compliance.control.keyvault_azure_defender_enabled", + "azure_compliance.control.kubernetes_azure_defender_enabled", + "azure_compliance.control.network_watcher_enabled", + "azure_compliance.control.resource_manager_azure_defender_enabled", + "azure_compliance.control.securitycenter_automatic_provisioning_monitoring_agent_on", + 
"azure_compliance.control.securitycenter_azure_defender_on_for_sqlservervm", + "azure_compliance.control.sql_database_server_azure_defender_enabled", + "azure_compliance.control.sql_server_azure_defender_enabled", + "azure_compliance.control.sql_server_vm_azure_defender_enabled", + "azure_compliance.control.storage_azure_defender_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_4_12", + "description": "The organization employs automated mechanisms to alert security personnel of the organization-defined activities that trigger alerts with security implications.", + "title": "Automated Organization-generated Alerts SI-4(12)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/SecurityCenter", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.securitycenter_email_configured", + "azure_compliance.control.securitycenter_notify_alerts_configured", + "azure_compliance.control.securitycenter_security_alerts_to_owner_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.nist_sp_800_53_rev_5_si_16", + "description": "The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.", + "title": "Memory Protection (SI-16)", + "tags": { + "category": "Compliance", + "nist_sp_800_53_rev_5": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_azure_defender_enabled", + "azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled" + ] + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/pci.json b/deepfence_server/cloud_controls/azure/pci.json new file mode 100644 index 0000000000..ca57634f28 --- /dev/null +++ b/deepfence_server/cloud_controls/azure/pci.json 
@@ -0,0 +1,2649 @@ +[ + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 1 - Install and maintain a firewall configuration to protect cardholder data \u003e Prohibit direct public access between the Internet and any system component in the cardholder data environment \u003e Limit inbound Internet traffic to IP addresses within the DMZ", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "Limit inbound Internet traffic to IP addresses within the DMZ" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_1/azure_compliance.benchmark.pci_dss_v321_requirement_1_3/azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 1 - Install and maintain a firewall configuration to protect cardholder data \u003e Prohibit 
direct public access between the Internet and any system component in the cardholder data environment \u003e Limit inbound Internet traffic to IP addresses within the DMZ", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "Limit inbound Internet traffic to IP addresses within the DMZ" + ], + "control_id": "azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_1/azure_compliance.benchmark.pci_dss_v321_requirement_1_3/azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 1 - Install and maintain a firewall configuration to protect cardholder data \u003e Prohibit direct public access between the Internet and any system component in the cardholder data environment \u003e Do not allow unauthorized 
outbound traffic from the cardholder data environment to the Internet", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet" + ], + "control_id": "azure_compliance.control.automation_account_variable_encryption_enabled", + "description": "It is important to enable encryption of Automation account variable assets when storing sensitive data", + "title": "Automation account variables should be encrypted", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/Automation" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_1/azure_compliance.benchmark.pci_dss_v321_requirement_1_3/azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 1 - Install and maintain a firewall configuration to protect cardholder data \u003e Prohibit direct public access between the Internet and any system component in the cardholder data environment \u003e Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "Do not allow unauthorized outbound 
traffic from the cardholder data environment to the Internet" + ], + "control_id": "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", + "title": "All network ports should be restricted on network security groups associated to your virtual machine", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_1/azure_compliance.benchmark.pci_dss_v321_requirement_1_3/azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 1 - Install and maintain a firewall configuration to protect cardholder data \u003e Prohibit direct public access between the Internet and any system component in the cardholder data environment \u003e Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet" + ], + "control_id": 
"azure_compliance.control.storage_account_default_network_access_rule_denied", + "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.", + "title": "Storage accounts should restrict network access", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_1/azure_compliance.benchmark.pci_dss_v321_requirement_1_3/azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", 
+ "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 
3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_external_user_with_write_permission", + "description": "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with write permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.", + "title": "MFA should be enabled on accounts with owner permissions on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + 
}, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.", + "title": "MFA should be enabled for accounts with write permissions on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Do not store sensitive authentication data after authorization (even if it is encrypted)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Do not store sensitive authentication data after authorization (even if it is encrypted)" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it 
is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Virtual machines should encrypt temp disks, caches, and data flows 
between Compute and Storage resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 
Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", + "title": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 3 - Protect stored cardholder data \u003e Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 3 - Protect stored cardholder data", + "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_3/azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.appservice_api_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "API App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.automation_account_variable_encryption_enabled", + "description": "It is important to enable encryption of Automation account variable assets when storing sensitive data", + "title": "Automation account variables should be encrypted", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/Automation" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", + "title": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 4 - Encrypt transmission of cardholder data across open, public networks \u003e Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_4/azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs \u003e Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)" + ], + "control_id": "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ 
+ "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_5/azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs \u003e Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_5/azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 5 - Protect all systems against malware and regularly update 
anti-virus software or programs \u003e Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_5/azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs \u003e Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines 
to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_5/azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs \u003e Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + 
"nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_5/azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches" + ], + "control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches" + ], + "control_id": "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Protect all system components and software from known 
vulnerabilities by installing applicable vendor-supplied security patches" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + 
"azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.appservice_function_app_only_https_accessible", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Function App should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.appservice_web_app_use_https", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "title": "Web Application should only be accessible over HTTPS", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/AppService" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + 
"executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.automation_account_variable_encryption_enabled", + "description": "It is important to enable encryption of Automation account variable assets when storing sensitive data", + "title": "Automation account variables should be encrypted", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/Automation" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and 
developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.azure_redis_cache_ssl_enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Only secure connections to your Azure Cache for Redis should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Redis" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding 
guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.", + "title": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and 
maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", + "title": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ServiceFabric" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", 
+ "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic storage" + ], + "control_id": "azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "description": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.", + "title": "Azure Defender for Azure SQL Database servers should be enabled", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory \u003e Insecure cryptographic storage", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "Insecure cryptographic 
storage" + ], + "control_id": "azure_compliance.control.storage_account_secure_transfer_required_enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "title": "Secure transfer to storage accounts should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_5/azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Ensure all public-facing web applications are protected against known attacks, either by 
performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic" + ], + "control_id": "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated 
technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based 
attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic" + ], + 
"control_id": "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 6 - Develop and maintain secure systems and applications \u003e Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 6 - Develop and maintain secure systems and applications", + "Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and 
after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_6/azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) 
for accessing resources", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) 
for accessing resources", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components 
and cardholder data to only those individuals whose job requires such access", + "Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is 
recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Assign access based on individual personnel's job classification and function", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "Assign access based on individual personnel's job classification and function" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_max_3", + "description": "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.", + "title": "A maximum of 3 owners should be designated for your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + 
"parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Limit access to system components and cardholder data to only those individuals whose job requires such access \u003e Assign access based on individual personnel's job classification and function", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "Assign access based on individual personnel's job classification and function" + ], + "control_id": "azure_compliance.control.iam_subscription_owner_more_than_1", + "description": "It is recommended to designate more than one subscription owner in order to have administrator access redundancy.", + "title": "There should be more than one owner assigned to your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3" + ], + "parent_control_breadcrumb": 
"azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_1/azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e 
Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", 
+ "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_external_user_with_write_permission", + "description": "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with write permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically 
allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner 
permissions to prevent a breach of accounts or resources.", + "title": "MFA should be enabled on accounts with owner permissions on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.", + "title": "MFA should be enabled for accounts with write permissions on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 7 - Restrict access to cardholder data by business need-to-know \u003e Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed \u003e Coverage of all system components", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "Coverage of all system components" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_7/azure_compliance.benchmark.pci_dss_v321_requirement_7_2/azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" + ], + "control_id": "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "description": "Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" + ], + "control_id": "azure_compliance.control.iam_deprecated_account", + "description": "Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + 
"nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" + ], + "control_id": "azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + 
"azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" + ], + "control_id": "azure_compliance.control.iam_external_user_with_write_permission", + "description": "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with write permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Immediately revoke access for any terminated users", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Immediately revoke access for any terminated users" + ], + "control_id": "azure_compliance.control.iam_deprecated_account", + "description": "Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Immediately revoke access for any terminated users", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Immediately revoke access for any terminated users" + ], + "control_id": "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "description": "Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Manage IDs used by thid parties to access, support, or maintain system components via remote access" + ], + "control_id": "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "description": "Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Manage IDs used by thid parties to access, support, or maintain system components via remote access" + ], + "control_id": "azure_compliance.control.iam_deprecated_account", + "description": "Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in.", + "title": "Deprecated accounts should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Manage IDs used by thid parties to access, support, or maintain system components via remote access" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + 
"nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Manage IDs used by thid parties to access, support, or maintain system components via remote access" + ], + "control_id": "azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + 
"azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components \u003e Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "Manage IDs used by thid parties to access, support, or maintain system components via remote access" + ], + "control_id": "azure_compliance.control.iam_external_user_with_write_permission", + "description": "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with write permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ], + 
"parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_1/azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. 
- Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_no_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. 
- Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system 
components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. 
Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days.", + "title": "Audit Windows machines that do not have a maximum password age of 70 days", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. 
- Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_min_password_length_14_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.", + "title": "Audit Windows machines that do not restrict the minimum password length to 14 characters", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. 
- Contain both numeric and alphabetic characters", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters" + ], + "control_id": "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.", + "title": "Audit Windows machines that allow re-use of the previous 24 passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same 
as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.", + "title": "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, 
such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": "azure_compliance.control.compute_vm_guest_configuration_with_no_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. 
A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": 
"azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "description": "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.", + "title": "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something 
you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": "azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days.", + "title": "Audit Windows machines that do not have a maximum password age of 70 days", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate all users: something you 
know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": "azure_compliance.control.compute_vm_min_password_length_14_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.", + "title": "Audit Windows machines that do not restrict the minimum password length to 14 characters", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric \u003e Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Employ at least one of these to authenticate 
all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used" + ], + "control_id": "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows", + "description": "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.", + "title": "Audit Windows machines that allow re-use of the previous 24 passwords", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_2/azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using 
multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.iam_external_user_with_owner_role", + "description": "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with owner permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": 
"azure_compliance.control.iam_external_user_with_read_permission", + "description": "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.", + "title": "External accounts with read permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.iam_external_user_with_write_permission", + "description": "External accounts with write privileges should be removed from your subscription in 
order to prevent unmonitored access.", + "title": "External accounts with write permissions should be removed from your subscription", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.iam_no_custom_role", + "description": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling.", + "title": "Audit usage of custom RBAC rules", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/ActiveDirectory" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.", + "title": "MFA should be enabled on accounts with owner permissions 
on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.", + "title": "MFA should be enabled for accounts with write permissions on your subscription", + "tags": { + "pci_dss_v321": "true", + "service": "Azure/ContainerRegistry" + }, + "documentation": "", + "parent_control_hierarchy": [ + 
"azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 8 - Identify and authenticate access to system components \u003e Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication \u003e Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 8 - Identify and authenticate access to system components", + "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access" + ], + "control_id": "azure_compliance.control.sql_server_azure_ad_authentication_enabled", + "description": "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", + "title": "An Azure Active Directory administrator should be provisioned for SQL servers", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_8/azure_compliance.benchmark.pci_dss_v321_requirement_8_3/azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 10 - Track and monitor all access to network resources and cardholder data \u003e Secure audit trails so they cannot be altered \u003e Write logs for external-facing technologies onto a secure, centralized, internal log server or media device", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 10 - Track and monitor all access to network resources and cardholder data", + "Secure audit trails so they cannot be altered", + "Write logs for external-facing technologies onto a secure, centralized, internal log server or media device" + ], + "control_id": "azure_compliance.control.audit_diagnostic_setting", + "description": "Audit diagnostic setting for selected resource types.", + "title": "Audit diagnostic setting", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Monitor" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_10", + 
"azure_compliance.benchmark.pci_dss_v321_requirement_10_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_10/azure_compliance.benchmark.pci_dss_v321_requirement_10_5/azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 10 - Track and monitor all access to network resources and cardholder data \u003e Secure audit trails so they cannot be altered \u003e Write logs for external-facing technologies onto a secure, centralized, internal log server or media device", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 10 - Track and monitor all access to network resources and cardholder data", + "Secure audit trails so they cannot be altered", + "Write logs for external-facing technologies onto a secure, centralized, internal log server or media device" + ], + "control_id": "azure_compliance.control.compute_vm_uses_azure_resource_manager", + "description": "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.", + "title": "Virtual machines should be migrated to new Azure Resource Manager resources", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_10", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4" + 
], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_10/azure_compliance.benchmark.pci_dss_v321_requirement_10_5/azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 10 - Track and monitor all access to network resources and cardholder data \u003e Secure audit trails so they cannot be altered \u003e Write logs for external-facing technologies onto a secure, centralized, internal log server or media device", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 10 - Track and monitor all access to network resources and cardholder data", + "Secure audit trails so they cannot be altered", + "Write logs for external-facing technologies onto a secure, centralized, internal log server or media device" + ], + "control_id": "azure_compliance.control.sql_server_auditing_on", + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "title": "Auditing on SQL server should be enabled", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_10", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_10/azure_compliance.benchmark.pci_dss_v321_requirement_10_5/azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 10 - Track and monitor all access to network resources and cardholder 
data \u003e Secure audit trails so they cannot be altered \u003e Write logs for external-facing technologies onto a secure, centralized, internal log server or media device", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 10 - Track and monitor all access to network resources and cardholder data", + "Secure audit trails so they cannot be altered", + "Write logs for external-facing technologies onto a secure, centralized, internal log server or media device" + ], + "control_id": "azure_compliance.control.storage_account_uses_azure_resource_manager", + "description": "Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.", + "title": "Storage accounts should be migrated to new Azure Resource Manager resources", + "tags": { + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Storage" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_10", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_10/azure_compliance.benchmark.pci_dss_v321_requirement_10_5/azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 11 - Regularly test security systems and processes \u003e Run internal and external network vulnerability scans at least quarterly and after any significant change in the network \u003e Perform quarterly internal 
vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 11 - Regularly test security systems and processes", + "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + "Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved" + ], + "control_id": "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "description": "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.", + "title": "Monitor missing Endpoint Protection in Azure Security Center", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_11/azure_compliance.benchmark.pci_dss_v321_requirement_11_2/azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 11 - Regularly test security systems and processes \u003e Run internal and external network vulnerability scans at least quarterly and after any significant change in the network \u003e Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 11 - Regularly test security 
systems and processes", + "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + "Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved" + ], + "control_id": "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "description": "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.", + "title": "Vulnerabilities in security configuration on your machines should be remediated", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_11/azure_compliance.benchmark.pci_dss_v321_requirement_11_2/azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 11 - Regularly test security systems and processes \u003e Run internal and external network vulnerability scans at least quarterly and after any significant change in the network \u003e Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 11 - Regularly test security systems and processes", + "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + 
"Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved" + ], + "control_id": "azure_compliance.control.compute_vm_system_updates_installed", + "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.", + "title": "System updates should be installed on your machines", + "tags": { + "hipaa_hitrust_v92": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_11/azure_compliance.benchmark.pci_dss_v321_requirement_11_2/azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 11 - Regularly test security systems and processes \u003e Run internal and external network vulnerability scans at least quarterly and after any significant change in the network \u003e Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 11 - Regularly test security systems and processes", + "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + "Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved" + ], + "control_id": 
"azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.", + "title": "A vulnerability assessment solution should be enabled on your virtual machines", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/Compute" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_11/azure_compliance.benchmark.pci_dss_v321_requirement_11_2/azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "executable": false + }, + { + "category_breadcrumb": "PCI DSS 3.2.1 \u003e Requirement 11 - Regularly test security systems and processes \u003e Run internal and external network vulnerability scans at least quarterly and after any significant change in the network \u003e Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "category_hierarchy": [ + "PCI DSS 3.2.1", + "Requirement 11 - Regularly test security systems and processes", + "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + "Perform quarterly internal vulnerability 
scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved" + ], + "control_id": "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "description": "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.", + "title": "SQL databases should have vulnerability findings resolved", + "tags": { + "hipaa_hitrust_v92": "true", + "nist_sp_800_53_rev_5": "true", + "pci_dss_v321": "true", + "service": "Azure/SQL" + }, + "documentation": "", + "parent_control_hierarchy": [ + "azure_compliance.benchmark.pci_dss_v321", + "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ], + "parent_control_breadcrumb": "azure_compliance.benchmark.pci_dss_v321/azure_compliance.benchmark.pci_dss_v321_requirement_11/azure_compliance.benchmark.pci_dss_v321_requirement_11_2/azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "executable": false + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/azure/pci_benchmarks.json b/deepfence_server/cloud_controls/azure/pci_benchmarks.json new file mode 100644 index 0000000000..b4828e245b --- /dev/null +++ b/deepfence_server/cloud_controls/azure/pci_benchmarks.json 
@@ -0,0 +1,744 @@ +[ + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321", + "description": "The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.", + "title": "PCI DSS 3.2.1", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThe Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. [The PCI Security Standards Council](https://www.pcisecuritystandards.org/) (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards, including [PCI DSS.](https://www.pcisecuritystandards.org/document_library/)\n\nCompliance with PCI DSS is required for any organization that stores, processes, or transmits cardholder data, which, at a minimum, consists of the full primary account number (PAN) – a unique payment card number that identifies the issuer and the particular cardholder account. Cardholder data may also appear in the form of a full PAN plus additional information such as cardholder name, expiration date, and service codes. Sensitive authentication data that may be transmitted or processed (but not stored) as part of a payment transaction contains additional data elements that must also be protected, including track data from card chip or magnetic stripe, PINs, PIN blocks, and so on.\n\nThe PCI DSS designates four levels of compliance based on transaction volume, with Service Provider Level 1 corresponding to the highest volume of transactions at more than 6 million a year. 
The assessment results in an Attestation of Compliance (AoC), which is available to customers and Report on Compliance (RoC) issued by an approved Qualified Security Assessor (QSA). The effective period for compliance begins upon passing the audit and receiving the AoC from the QSA and ends one year from the date the AoC is signed.\n\nMicrosoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Attestation of Compliance (AOC) produced by the QSA is available for download. If you want to develop a cardholder data environment (CDE) or card processing service, you can rely on the Azure validation, thereby reducing the associated effort and costs of getting your own PCI DSS validation.", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "azure_compliance.benchmark.pci_dss_v321_requirement_10", + "azure_compliance.benchmark.pci_dss_v321_requirement_11" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_1", + "description": "Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. 
All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment.", + "title": "Requirement 1 - Install and maintain a firewall configuration to protect cardholder data", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_1_3", + "description": "", + "title": "Prohibit direct public access between the Internet and any system component in the cardholder data environment", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_2", + "description": "", + "title": "Limit inbound Internet traffic to IP addresses within the DMZ", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "azure_compliance.control.storage_account_default_network_access_rule_denied" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_1_3_4", + "description": "", + "title": "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.automation_account_variable_encryption_enabled", + 
"azure_compliance.control.compute_vm_remote_access_restricted_all_ports", + "azure_compliance.control.storage_account_default_network_access_rule_denied" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_3", + "description": "Cardholder data should not be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).", + "title": "Requirement 3 - Protect stored cardholder data", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_3_4" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_3_2", + "description": "Render all sensitive authentication data unrecoverable upon completion of the authorization process. 
Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.", + "title": "Do not store sensitive authentication data after authorization (even if it is encrypted)", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_external_user_with_owner_role", + "azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_external_user_with_write_permission", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + "azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_3_4", + "description": "Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.", + "title": "Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_use_https", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + 
"azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_4", + "description": "Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.", + "title": "Requirement 4 - Encrypt transmission of cardholder data across open, public networks", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_4_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_4_1", + "description": "Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.", + "title": "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. 
Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications)", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_api_app_use_https", + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.automation_account_variable_encryption_enabled", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_5", + "description": "Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users' e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. 
Additional anti-malware solutions may supplement (but not replace) anti-virus software.", + "title": "Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_5_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_5_1", + "description": "For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.", + "title": "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_system_updates_installed", + "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.sql_database_vulnerability_findings_resolved" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_6", + "description": "Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. 
Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.", + "title": "Requirement 6 - Develop and maintain secure systems and applications", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "azure_compliance.benchmark.pci_dss_v321_requirement_6_6" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_6_2", + "description": "Install critical security patches within one month of release.", + "title": "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "azure_compliance.control.sql_database_vulnerability_findings_resolved", + "azure_compliance.control.compute_vm_system_updates_installed", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_6_5", + "description": "", + "title": "Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + 
"azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_6_5_3", + "description": "", + "title": "Insecure cryptographic storage", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.appservice_function_app_only_https_accessible", + "azure_compliance.control.appservice_web_app_use_https", + "azure_compliance.control.automation_account_variable_encryption_enabled", + "azure_compliance.control.azure_redis_cache_ssl_enabled", + "azure_compliance.control.compute_vm_temp_disks_cache_and_data_flows_encrypted", + "azure_compliance.control.servicefabric_cluster_protection_level_as_encrypt_and_sign", + "azure_compliance.control.sql_database_transparent_data_encryption_enabled", + "azure_compliance.control.storage_account_secure_transfer_required_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_6_6", + "description": "", + "title": "Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_system_updates_installed", + 
"azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.sql_database_vulnerability_findings_resolved" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7", + "description": "To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.", + "title": "Requirement 7 - Restrict access to cardholder data by business need-to-know", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7_1", + "description": "", + "title": "Limit access to system components and cardholder data to only those individuals whose job requires such access", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_1", + "description": "", + "title": "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) 
for accessing resources", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3", + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_2", + "description": "", + "title": "Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3", + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7_1_3", + "description": "", + "title": "Assign access based on individual personnel's job classification and function", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_subscription_owner_max_3", + "azure_compliance.control.iam_subscription_owner_more_than_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_7_2", + "description": "", + "title": "Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1" + ] + }, + { + "benchmark_id": 
"azure_compliance.benchmark.pci_dss_v321_requirement_7_2_1", + "description": "", + "title": "Coverage of all system components", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_external_user_with_owner_role", + "azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_external_user_with_write_permission", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + "azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8", + "description": "Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. 
Requirements do not apply to accounts used by consumers (eg.,cardholders).", + "title": "Requirement 8 - Identify and authenticate access to system components", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_1", + "description": "Assign all users a unique user name before allowing them to access system components or cardholder data.", + "title": "Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_2", + "description": "", + "title": "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "azure_compliance.control.iam_deprecated_account", + "azure_compliance.control.iam_external_user_with_owner_role", + "azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_external_user_with_write_permission" 
+ ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_3", + "description": "", + "title": "Immediately revoke access for any terminated users", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_deprecated_account", + "azure_compliance.control.iam_deprecated_account_with_owner_roles" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5", + "description": "Remote access are as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.", + "title": "Manage IDs used by thid parties to access, support, or maintain system components via remote access", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/ActiveDirectory", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_deprecated_account_with_owner_roles", + "azure_compliance.control.iam_deprecated_account", + "azure_compliance.control.iam_external_user_with_owner_role", + "azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_external_user_with_write_permission" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_2", + "description": "Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography.", + "title": "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + 
"children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_3", + "description": "Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.", + "title": "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "azure_compliance.control.compute_vm_guest_configuration_with_no_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + "azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "azure_compliance.control.compute_vm_min_password_length_14_windows", + "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_2_5", + "description": "", + "title": "Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure/Compute", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_guest_configuration_installed_windows", + "azure_compliance.control.compute_vm_guest_configuration_with_no_managed_identity", + "azure_compliance.control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity", + 
"azure_compliance.control.compute_vm_max_password_age_70_days_windows", + "azure_compliance.control.compute_vm_min_password_length_14_windows", + "azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_3", + "description": "This requires at least two of the three authentication methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is not considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the CDE from within the entity's network, and all remote network access (including for users, administrators, and third-parties) originating from outside the entity's network.", + "title": "Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_8_3_1", + "description": "", + "title": "Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.iam_external_user_with_owner_role", + "azure_compliance.control.iam_external_user_with_read_permission", + "azure_compliance.control.iam_external_user_with_write_permission", + "azure_compliance.control.iam_no_custom_role", + "azure_compliance.control.iam_user_with_owner_permission_on_subscription_mfa_enabled", + 
"azure_compliance.control.iam_user_with_write_permission_on_subscription_mfa_enabled", + "azure_compliance.control.sql_server_azure_ad_authentication_enabled" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_10", + "description": "Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.", + "title": "Requirement 10 - Track and monitor all access to network resources and cardholder data", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_10_5", + "description": "", + "title": "Secure audit trails so they cannot be altered", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_10_5_4", + "description": "", + "title": "Write logs for external-facing technologies onto a secure, centralized, internal log server or media device", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.audit_diagnostic_setting", + "azure_compliance.control.compute_vm_uses_azure_resource_manager", + "azure_compliance.control.sql_server_auditing_on", + "azure_compliance.control.storage_account_uses_azure_resource_manager" + ] + 
}, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_11", + "description": "Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.", + "title": "Requirement 11 - Regularly test security systems and processes", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_11_2", + "description": "Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). 
Scans conducted after network changes and internal scans may be performed by internal staff.", + "title": "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1" + ] + }, + { + "benchmark_id": "azure_compliance.benchmark.pci_dss_v321_requirement_11_2_1", + "description": "Scans must be performed by qualified personnel.", + "title": "Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved", + "tags": { + "category": "Compliance", + "pci_dss_v321": "true", + "plugin": "azure", + "service": "Azure", + "type": "Benchmark" + }, + "documentation": "", + "children": [ + "azure_compliance.control.compute_vm_endpoint_protection_agent_installed", + "azure_compliance.control.compute_vm_security_configuration_vulnerabilities_remediated", + "azure_compliance.control.compute_vm_system_updates_installed", + "azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled", + "azure_compliance.control.sql_database_vulnerability_findings_resolved" + ] + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/gcp/cis.json b/deepfence_server/cloud_controls/gcp/cis.json new file mode 100644 index 0000000000..fc21d624d4 --- /dev/null +++ b/deepfence_server/cloud_controls/gcp/cis.json 
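Review bot: The title of `azure_compliance.benchmark.pci_dss_v321_requirement_8_1_5` contains the typo `thid parties`, which should read `third parties`; these titles are the benchmark names the server presents, so the wording should be corrected before the file ships. The description of `azure_compliance.benchmark.pci_dss_v321_requirement_8` has a similar slip, `(eg.,cardholders)`, which should be `(e.g., cardholders)`. The child control id `azure_compliance.control.compute_vm_restrict_previous_24_passwords_resuse_windows` also looks misspelled (`resuse`), but it is presumably a key that must match the control definition elsewhere, so it should only be renamed together with that definition and every other benchmark that lists it.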
@@ -0,0 +1,2392 @@ +[ + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_1", + "description": "Use corporate login credentials instead of personal accounts, such as Gmail accounts.", + "title": "1.1 Ensure that corporate login credentials are used", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.1", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nUse corporate login credentials instead of personal accounts, such as Gmail accounts.\n\nIt is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.\n\n## Remediation\n\nFollow the documentation and setup corporate login accounts.\n\n### Prevention\n\nTo ensure that no email addresses outside the organization can be granted IAM permissions to its Google Cloud projects, folders or organization, turn on the Organization Policy for `Domain Restricted Sharing`. 
Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains](https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains) (Page 16)\n\n### Default Value\n\nBy default, no email addresses outside the organization's domain have access to its Google Cloud deployments, but any user email account can be added to the IAM policy for Google Cloud Platform projects, folders, or organizations.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_2", + "description": "Setup multi-factor authentication for Google Cloud Platform accounts.", + "title": "1.2 Ensure that multi-factor authentication is enabled for all non-service accounts", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.2", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nSetup multi-factor authentication for Google Cloud Platform accounts.\n\nMulti-factor authentication requires more than one mechanism to authenticate a user. This secures user logins from attackers exploiting stolen or weak credentials.\n\n## Remediation\n\n### From Console\n\nFor each Google Cloud Platform project:\n\n 1. Identify non-service accounts.\n 2. 
Setup multi-factor authentication for each account.\n\n### Default Value\n\nBy default, multi-factor authentication is not set.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_3", + "description": "Setup Security Key Enforcement for Google Cloud Platform admin accounts.", + "title": "1.3 Ensure that Security Key Enforcement is enabled for all admin accounts", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.3", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nSetup Security Key Enforcement for Google Cloud Platform admin accounts.\n\nGoogle Cloud Platform users with Organization Administrator roles have the highest level of privilege in the organization. These accounts should be protected with the strongest form of two-factor authentication: Security Key Enforcement. Ensure that admins use Security Keys to log in instead of weaker second factors like SMS or one-time passwords (OTP). Security Keys are actual physical keys used to access Google Organization Administrator Accounts. They send an encrypted signature rather than a code, ensuring that logins cannot be phished.\n\n## Remediation\n\n1. Identify users with the Organization Administrator role.\n2. Setup Security Key Enforcement for each account. 
Learn more at: [https://cloud.google.com/security-key/](https://cloud.google.com/security-key/)\n\n### Default Value\n\nBy default, Security Key Enforcement is not enabled for Organization Administrators.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_4", + "description": "User managed service accounts should not have user-managed keys.", + "title": "1.4 Ensure that there are only GCP-managed service account keys for each service account", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.4", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nUser managed service accounts should not have user-managed keys.\n\nAnyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\n\nFor user-managed keys, the user has to take ownership of key management activities which include:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\n\nEven with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels.\n\nIt is recommended to prevent user-managed service account keys\n\n## Remediation\n\n### From Console\n\n1. Login to IAM page in the GCP Console using [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam)\n2. In the left navigation pane, click `Service accounts`. All service accounts and their corresponding keys are listed.\n3. Click the service account.\n4. Click the `edit` and delete the keys.\n\n### From Command Line\n\nTo delete a user managed Service Account Key,\n\n```bash\ngcloud iam service-accounts keys delete --iam-account=\u003cuser-managed-serviceaccount-EMAIL\u003e \u003cKEY-ID\u003e\n```\n\n### Prevention\n\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation](https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation). Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts). 
In addition, if you do not need to have service accounts in your project, you can also prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation](https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation).\n\n### Default Value\n\nBy default, there are no user-managed keys created for user-managed service accounts.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_5", + "description": "A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. It's recommended not to use admin access for ServiceAccount.", + "title": "1.5 Ensure that Service Account has no Admin privileges", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.5", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. 
It's recommended not to use admin access\nfor ServiceAccount.\n\nService accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM. A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc. without user intervention. For this reason, it's recommended that service accounts not have Admin\nrights.\n\n## Remediation\n\n### From Console\n\n1. Go to `IAM \u0026 admin/IAM` using [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam)\n2. Go to the `Members`\n3. Identify `User-Managed user created` service account with roles containing `*Admin` or `*admin` or role matching `Editor` or role matching `Owner`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n### From Command Line\n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json \u003e iam.json\n```\n\n 1. Using a text editor, Remove `Role` which contains `roles/*Admin` or `roles/*admin` or matched `=roles/editor` or matches `roles/owner`. Add a role to the bindings array that defines the group members and the role for those members.\n\nFor example, to grant the role roles/appengine.appViewer to the `ServiceAccount` which is roles/editor, you would change the example shown below as follows:\n\n```bash\n {\n \"bindings\": [\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\"\n },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\"\n ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n```\n\n 2. 
Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n### Default Value\n\nUser Managed (and not user-created) default service accounts have the `Editor (roles/editor)` role assigned to them to support GCP services they offer.\nBy default, there are no roles assigned to `User Managed User created` service accounts.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_6", + "description": "It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.", + "title": "1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.6", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nIt is recommended to assign the `Service Account User (iam.serviceAccountUser)` and `Service Account Token Creator (iam.serviceAccountTokenCreator)` roles to a user for a specific service account rather than assigning the role to a user at project level.\n\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user. 
Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. In\naddition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\n\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.\n\nBased on business needs, there could be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAserviceAccountTokenCreatorccountUser` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result in elevation of privileges by using service accounts and corresponding `Compute Engine instances`.\n\nIn order to implement `least privileges` best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The `Service Account User` allows a user to bind a service account to a long-running job service, whereas the `Service Account Token Creator role` allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Remediation\n\n### From Console\n\n1. Go to the IAM page in the GCP Console by visiting: [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam).\n2. Click on the filter table text bar. Type `Role: Service Account User`\n3. 
Click the `Delete Bin` icon in front of the role `Service Account User` for every user listed as a result of a filter.\n4. Click on the filter table text bar. Type `Role: Service Account Token Creator`\n5. Click the `Delete Bin` icon in front of the role `Service Account Token Creator` for every user listed as a result of a filter.\n\n### From Command Line\n\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n\nFor example, you can use the iam.json file shown below as follows:\n\n```bash\n{\n \"bindings\": [\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\"\n ],\n \"role\": \"roles/appengine.appViewer\"\n },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\"\n ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n}\n```\n\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n### Default Value\n\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at project level.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_7", + "description": "Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. 
It is recommended that all Service Account keys are regularly rotated.", + "title": "1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.7", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nService Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.\n\nRotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\n## Remediation\n\n### From Console\n\n#### Delete any external (user-managed) Service Account Key older than 90 days:\n\n1. Go to GCP console at `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. In the Section `Service Account Keys`, for every external (user-managed) service account key where `creation date` is greater than or equal to the past 90 days, click `Delete Bin Icon` to `Delete Service Account key`\n\n#### Create a new external (user-managed) Service Account Key for a Service Account:\n\n1. Go to `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. 
Click `Create Credentials` and Select `Service Account Key`.\n3. Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.\n4. Select the desired key type format among `JSON` or `P12`.\n5. Click `Create`. It will download the `private key`. Keep it safe.\n6. Click `Close` if prompted.\n7. The site will redirect to the `APIs \u0026 Services\\Credentials` page. Make a note of the new `ID` displayed in the `Service account keys` section.\n\n### Default Value\n\nGCP does not provide an automation option for External (user-managed) Service key rotation.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_8", + "description": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.", + "title": "1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.8", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.\n\nThe built-in/predefined IAM role `Service Account admin` allows the user/identity to create, delete, and manage service account(s). 
The built-in/predefined IAM role `Service Account User` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.\n\nSeparation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user should have `Service Account Admin` and `Service Account User` roles assigned at the same time.\n\n## Remediation\n\n### From Console\n\n1. Go to `IAM \u0026 Admin/IAM` using [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam).\n2. For any member having both `Service Account Admin` and `Service account User` roles granted/assigned, click the `Delete Bin` icon to remove either role from the member. 
Removal of a role should be done based on the business requirements.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_9", + "description": "It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.", + "title": "1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.9", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/KMS" + }, + "documentation": "## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not allowed.\n\n## Remediation\n\n### From Command Line\n\n1. List all Cloud KMS Cryptokeys.\n\n```bash\ngcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n```\n\n2. 
Remove IAM policy binding for a KMS key to remove access to `allUsers` and `allAuthenticatedUsers` using the below command.\n\n```bash\ngcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]' \ngcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n```\n\n### Default Value\n\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_10", + "description": "Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).", + "title": "1.10 Ensure KMS encryption keys are rotated within a period of 90 days", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.10", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/KMS" + }, + "documentation": "## Description\n\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. 
The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in `ISO` or `RFC3339` format, and the rotation period must be in the form `INTEGER[UNIT]`, where units can be one of seconds (s), minutes (m), hours (h) or days (d).\n\nSet a key rotation period and starting time. A key can be created with a specified `rotation period`, which is the time between when new key versions are generated automatically. A key can also be created with a specified next rotation time. A key is a named object representing a `cryptographic` key used for a specific purpose. The key material, the actual bits used for `encryption`, can change over time as new key versions are created.\n\nA key is used to protect some `corpus of data`. A collection of files could be encrypted with the same key and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the `rotation period` is set to a specific time.\n\n## Remediation\n\n### From Console\n\n1. Go to `Cryptographic Keys` by visiting: [https://console.cloud.google.com/security/kms](https://console.cloud.google.com/security/kms).\n2. Click on the specific key ring\n3. From the list of keys, choose the specific key and Click on `Right side pop up the blade (3 dots)`.\n4. Click on `Edit rotation period`.\n5. On the pop-up window, `Select a new rotation period` in days which should be less than 90 and then choose `Starting on` date (date from which the rotation period begins).\n\n### From Command Line\n\n1. 
Update and schedule rotation by ROTATION_PERIOD and NEXT_ROTATION_TIME for each key:\n\n```bash\ngcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n```\n\n### Default Value\n\nBy default, KMS encryption keys are rotated every 90 days.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_11", + "description": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.", + "title": "1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.11", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/KMS" + }, + "documentation": "## Description\n\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). 
The built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n## Remediation\n\n### From Console\n\n1. Go to `IAM \u0026 Admin/IAM` using [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam)\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the `Delete Bin` icon to remove the role from the member.\n\n**Note**: Removing a role should be done based on the business requirement.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_12", + "description": "API Keys should only be used for services in cases where other authentication methods are unavailable. 
Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.", + "title": "1.12 Ensure API Keys Only Exist for Active Services", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.12", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nAPI Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.\n\nTo avoid the security risk in using API keys, it is recommended to use standard authentication flow instead. Security risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n- API keys do not identify the user or the application making the API request\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\n## Remediation\n\n### From Console\n\n1. Go to `APIs \u0026 Services\\Credentials` using\n2. In the section `API Keys`, to delete API Keys: Click the `Delete Bin Icon` in front of every `API Key Name`.\n\n### From Google Cloud Command Line\n\n1. Run the following from within the project you wish to audit **`gcloud services api-keys list --filter`**\n2. 
**Pipe the results into** `gcloud alpha services api-keys delete`\n\n### Default Value\n\nBy default, API keys are not created for a project.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_13", + "description": "Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.", + "title": "1.13 Ensure API keys are restricted to use by only specified Hosts and Apps", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.13", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nAPI Keys should only be used for services in cases where other authentication methods are unavailable. In this case, unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps. 
It is recommended to use the more secure standard authentication flow instead.\n\nSecurity risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n- API keys do not identify the user or the application making the API request\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nIn light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nIn order to reduce attack vectors, API-Keys can be restricted only to trusted hosts, HTTP referrers and applications.\n\n## Remediation\n\n### From Console\n\n### *Leaving Keys in Place*\n\n1. Go to `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n3. In the `Key restrictions` section, set the application restrictions to any of `HTTP referrers, IP addresses, Android apps, iOS apps`.\n4. Click `Save`.\n5. Repeat steps 2,3,4 for every unrestricted API key.\n\n**Note**: Do not set `HTTP referrers` to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s) Do not set `IP addresse`s and referrer to `any host (0.0.0.0 or 0.0.0.0/0 or ::0)`\n\n### *Removing Keys*\n\nAnother option is to remove the keys entirely.\n\n1. Go to `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. In the section `API Keys`, select the check box next to each key you wish to remove\n3. 
Select `Delete` and confirm.\n\n### Default Value\n\nBy default, `Application Restrictions` are set to `None`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_14", + "description": "API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.", + "title": "1.14 Ensure API keys are restricted to only APIs that application needs access", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.14", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nAPI Keys should only be used for services in cases where other authentication methods are unavailable. API keys are always at risk because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use(call) only APIs required by an application.\n\nSecurity risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n- API keys do not identify the user or the application making the API request\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nIn light of these potential risks, Google recommends using the standard authentication flow instead of API keys. 
However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nIn order to reduce attack surfaces by providing `least privileges`, API-Keys can be restricted to use (call) only APIs required by an application.\n\n## Remediation\n\n### From Console\n\n1. Go to `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n3. In the `Key restrictions` section go to `API restrictions`.\n4. Click the `Select API` drop-down to choose an API.\n5. Click `Save`.\n6. Repeat steps 2,3,4,5 for every unrestricted API key\n\n**Note**: Do not set `API restrictions` to `Google Cloud APIs`, as this option allows access to all services offered by Google cloud.\n\n### From Command Line\n\n1. List all API keys.\n\n```bash\ngcloud services api-keys list\n```\n\n**Note** the `UID` of the key to add restrictions to.\n\n2. 
Run the update command with the appropriate flags to add the required restrictions.\n\n```bash\ngcloud alpha services api-keys update \u003cUID\u003e \u003crestriction_flags\u003e\n```\n\n**Note** - Flags can be found by running\n\n```bash\ngcloud alpha services api-keys update --help\n```\n\nor in this documentation [https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update](https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update)\n\n### Default Value\n\nBy default, `API restrictions` are set to `None`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_15", + "description": "It is recommended to rotate API keys every 90 days.", + "title": "1.15 Ensure API keys are rotated every 90 days", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.15", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/IAM" + }, + "documentation": "## Description\n\nAPI Keys should only be used for services in cases where other authentication methods are unavailable. If they are in use it is recommended to rotate API keys every 90 days.\n\nSecurity risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n- API keys do not identify the user or the application making the API request\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nBecause of these potential risks, Google recommends using the standard authentication flow instead of API Keys. 
However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nOnce a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\nAPI keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\n### From Console\n\nTo find the listed API Keys with creation date\n\n1. Login to `APIs \u0026 Services\\Credentials` using [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n3. Click `REGENERATE KEY` to rotate API key from the top section of the page.\n4. Click `Save`.\n5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.\n\n**Note**: Do not set `HTTP referrers` to wild-cards (* or *.[TLD] or .[TLD]/) allowing access to any/wide HTTP referrer(s) Do not set `IP addresses` and referrer to `any host (0.0.0.0 or 0.0.0.0/0 or ::0)`\n\n### From Command Line\n\nThere is not currently a way to regenerate and API key using gcloud commands. To'regenerate' a key you will need to create a new one, duplicate the restrictions from the key being rotated, and delete the old key.\n\n1. List existing keys.\n\n```bash\ngcloud services api-keys list\n```\n\n2. Note the `UID` and restrictions of the key to regenerate.\n3. Run this command to create a new API key. 
\u003ckey_name\u003e is the display name of the new key.\n\n```bash\ngcloud alpha services api-keys create --display-name=\"\u003ckey_name\u003e\"\n```\n\nNote the `UID` of the newly created key\n\n4. Run the update command to add required restrictions.\n\n**Note** - the restriction may vary for each key. Refer to this documentation for the appropriate flags.\n\n[https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update](https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update)\n\n```bash\ngcloud alpha services api-keys update \u003cUID of new key\u003e\n```\n\n5. Delete the old key.\n\n```bash\ngcloud alpha services api-keys delete \u003cUID of old key\u003e\n```\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_16", + "description": "It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.", + "title": "1.16 Ensure essential contacts is configured for Organization", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.16", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Organization" + }, + "documentation": "## Description\n\nIt is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.\n\nMany Google Cloud services, such as Cloud Billing, send out notifications to share important 
information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.\n\n## Remediation\n\n### From Console\n\n1. Go to `Essential Contacts` by visiting [https://console.cloud.google.com/iam-admin/essential-contacts](https://console.cloud.google.com/iam-admin/essential-contacts)\n2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.\n3. Click `+Add contact`\n4. In the `Email` and `Confirm Email` fields, enter the email address of the contact.\n5. From the `Notification categories` drop-down menu, select the notification categories that you want the contact to receive communications for.\n6. Click `Save`\n\n### From Command Line\n\n1. To add an organization Essential Contacts run a command:\n\n```bash\ngcloud essential-contacts create --email=\"\u003cEMAIL\u003e\" \\--notification-categories=\"\u003cNOTIFICATION_CATEGORIES\u003e\" \\--organization=\u003cORGANIZATION_ID\u003e\n```\n\n### Default Value\n\nBy default, there are no Essential Contacts configured.\nIn the absence of an Essential Contact, the following IAM roles are used to identify users to notify for the following categories:\n\n- Legal: `roles/billing.admin`\n- Security: `roles/resourcemanager.organizationAdmin`\n- Suspension: `roles/owner`\n- Technical: `roles/owner`\n- Technical Incidents: `roles/owner`\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 
Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_17", + "description": "When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).", + "title": "1.17 Ensure that dataproc cluster is encrypted using customer-managed encryption key", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.17", + "cis_level": "2", + "cis_section_id": "1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Dataproc" + }, + "documentation": "## Description\n\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).\n\n\"Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.\n\n## Remediation\n\n### From Console\n\n1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting [https://console.cloud.google.com/dataproc/clusters](https://console.cloud.google.com/dataproc/clusters).\n2. Select the project from the projects dropdown list.\n3. 
On the `Dataproc Cluster` page, click on the `Create Cluster` to create a new cluster with Customer managed encryption keys.\n4. On `Create a cluster` page, perform below steps:\n\n * Inside `Set up cluster` section perform below steps:\n\n In the `Name` textbox, provide a name for your cluster.\n - From `Location` select the location in which you want to deploy a cluster.\n - Configure other configurations as per your requirements.\n * Inside `Configure Nodes` and `Customize cluster` section configure the settings as per your requirements.\n * Inside `Manage security` section, perform below steps:\n - From `Encryption`, select `Customer-managed key`.\n - Select a customer-managed key from dropdown list.\n - Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account(\"serviceAccount:service-\u003cproject_number\u003e@compute-system.iam.gserviceaccount.com\").\n - Click on `Create` to create a cluster.\n * Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:\n - On the `Clusters` page, select the old cluster and click on `Delete cluster`.\n - On the `Confirm deletion` window, click on `Confirm` to delete the cluster.\n - Repeat step above for other Dataproc clusters available in the selected project.\n * Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From Command Line\n\nBefore creating cluster ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account(\"serviceAccount:service-\u003cproject_number\u003e@compute-system.iam.gserviceaccount.com\").\nRun clusters create command to create new cluster with customer-managed key:\n\n```bash\ngcloud dataproc clusters create \u003ccluster_name\u003e --region=us-central1 
--gce-pd-kms-key=\u003ckey_resource_name\u003e\n```\n\nThe above command will create a new cluster in the selected region. Once the cluster is created migrate all your workloads from the older cluster to the new cluster and Run clusters delete command to delete cluster:\n\n```bash\ngcloud dataproc clusters delete \u003ccluster_name\u003e --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.Change the project by running the below command and repeat the remediation procedure for other projects:\n\n```bash\ngcloud config set project \u003cproject_ID\u003e\"\n```\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 1 Identity and Access Management", + "category_hierarchy": [ + "CIS v2.0.0", + "1 Identity and Access Management" + ], + "control_id": "gcp_compliance.control.cis_v200_1_18", + "description": "Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without the requiring the management a host operating system. These functions can also store environment variables to be used by the code that may contain authentication or other information that needs to remain confidential.", + "title": "1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "1.18", + "cis_level": "1", + "cis_section_id": "1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Dataproc" + }, + "documentation": "## Description\n\nGoogle Cloud Functions allow you to host serverless code that is executed when an event is triggered, without the requiring the management a host operating system. 
These functions can also store environment variables to be used by the code that may contain authentication or other information that needs to remain confidential.\n\nIt is recommended to use the Secret Manager, because environment variables are stored unencrypted, and accessible for all users who have access to the code.\n\n## Remediation\n\nEnable the Secret Manager API for the GCP Project.\n\n### From Console\n\n1. Within the project you wish to enable, select the Navigation hamburger menu in the top left. Hover over 'APIs \u0026 Services' to under the heading 'Serverless', then select 'Enabled APIs \u0026 Services' in the menu that opens up.\n2. Click the button '+ Enable APIS and Services'\n3. In the Search bar, search for 'Secret Manager API' and select it.\n4. Click the blue box that says 'Enable'.\n\n### From Command Line\n\n1. Within the project you wish to enable the API in, run the following command.\n\n```bash\ngcloud services enable Secret Manager API\n```\n\nReviewing Environment Variables That Should Be Migrated to Secret Manager\n### From Console\n\n1. Log in to the Google Cloud Web Portal [https://console.cloud.google.com/](https://console.cloud.google.com/)\n2. Go to Cloud Functions\n3. Click on a function name from the list\n4. Click on Edit and review the Runtime environment for variables that should be secrets. Leave this list open for the next step.\n\n### From Command Line\n\n1. To view a list of your cloud functions run\n\n```bash\ngcloud functions list\n```\n\n2. For each cloud function run the following command.\n\n```bash\ngcloud functions describe \u003cfunction_name\u003e\n```\n\n3. Review the settings of the buildEnvironmentVariables and environmentVariables. Keep this information for the next step.\n\nMigrating Environment Variables to Secrets within the Secret Manager\n\n### From Console\n\n1. Go to the Secret Manager page in the Cloud Console.\n2. On the Secret Manager page, click Create Secret.\n3. 
On the Create secret page, under Name, enter the name of the Environment Variable you are replacing. This will then be the Secret Variable you will\nreference in your code.\n4. You will also need to add a version. This is the actual value of the variable that will be referenced from the code. To add a secret version when creating the initial secret, in the Secret value field, enter the value from the Environment Variable you are replacing.\n5. Leave the Regions section unchanged.\n6. Click the Create secret button.\n7. RepeatforallEnvironmentVariables\n\n### From Command Line\n\n1. Run the following command with the Environment Variable name you are replacing in the `\u003csecret-id\u003e`. It is most secure to point this command to a file with the Environment Variable value located in it, as if you entered it via command line it would show up in your shell’s command history.\n\n```bash\ngcloud secrets create \u003csecret-id\u003e --data-file=\"/path/to/file.txt\"\n```\n\nGranting your Runtime's Service Account Access to Secrets\n\n### From Console\n\n1. Within the project containing your runtime login with account that has the 'roles/secretmanager.secretAccessor' permission.\n2. Select the Navigation hamburger menu in the top left. Hover over 'Security' to under the then select 'Secret Manager' in the menu that opens up.\n3. Click the name of a secret listed in this screen.\n4. If it is not already open, click Show Info Panel in this screen to open the panel.\n - In the info panel, click Add principal.\n - In the New principals field, enter the service account your function uses for its identity. (If you need help locating or updating your runtime's service account, please see the 'docs/securing/function-identity#runtime_service_account' reference.)\n5. In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.\n\n### From Command Line\n\nAs of the time of writing, using Google CLI to list Runtime variables is only in beta. 
Because this is likely to change we are not including it here.Modifying the Code to use the Secrets in Secret Manager\n\n### From Console\n\nThis depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the '/docs creating-and-accessing-secrets#access' reference for language specific instructions.\n\n### From Command Line\n\nThis depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the' /docs/creating-and-accessing-secrets#access' reference for language specific instructions.\n\nDeleting the Insecure Environment Variables - **Be certain to do this step last**. Removing variables from code actively referencing them will prevent it from completing successfully.\n\n### From Console\n\n1. Select the Navigation hamburger menu in the top left. Hover over 'Security' then select 'Secret Manager' in the menu that opens up.\n2. Click the name of a function. Click Edit.\n3. Click Runtime, build and connections settings to expand the advanced configuration options.\n4. Click 'Security’. Hover over the secret you want to remove, then click 'Delete'.\n5. Click Next. Click Deploy. 
The latest version of the runtime will now reference the secrets in Secret Manager.\n\n### From Command Line\n\n```bash\ngcloud functions deploy \u003cFunction name\u003e --remove-env-vars \u003cenv vars\u003e\n```\n\nIf you need to find the env vars to remove, they are from the step where ‘gcloud functions describe \u003cfunction_name\u003e’ was run.\n\n### Default Value\n\nBy default Secret Manager is not enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_1", + "description": "It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.", + "title": "2.1 Ensure that Cloud Audit Logging is configured properly", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.1", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.\n\nCloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.\n\n1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity audit logs are enabled for all services and cannot be configured.\n2. Data Access audit logs record API calls that create, modify, or read user-provided data. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n - Admin read: Records operations that read metadata or configuration information. Admin activity audit logs record writes of metadata and configuration information that cannot be disabled.\n - Data read: Records operations that read user-provided data.\n - Data write: Records operations that write user-provided data.\n\nIt is recommended to have an effective default audit config configured in such a way that:\n\n1. Logtype is set to DATA_READ (to log user activity tracking) and DATA_WRITES (to log changes/tampering to user data).\n2. Audit config is enabled for all the services supported by the Data Access audit logs feature.\n3. Logs should be captured for all users, i.e., there are no exempted users in any of the audit config sections. This will ensure overriding the audit config will not contradict the requirement.\n\n## Remediation\n\n### From Console\n\n1. Go to `Audit Logs` by visiting [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit).\n2. Follow the steps at [https://cloud.google.com/logging/docs/audit/configure-data-access](https://cloud.google.com/logging/docs/audit/configure-data-access) to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From Command Line\n\n1. To read the project's IAM policy and store it in a file run a command:\n\n```bash\ngcloud projects get-iam-policy PROJECT_ID \u003e /tmp/project_policy.yaml\n```\n\nAlternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.\n\n```bash\ngcloud organizations get-iam-policy ORGANIZATION_ID \u003e /tmp/org_policy.yaml \ngcloud resource-manager folders get-iam-policy FOLDER_ID \u003e /tmp/folder_policy.yaml\n```\n\n2. 
Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:\n\n **Note: Admin Activity Logs are enabled by default, and cannot be disabled. So they are not listed in these configuration changes.**\n\n```bash\nauditConfigs:\n- auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n service: allServices\n```\n\n**Note**: `exemptedMembers`: is not set as audit logging should be enabled for all the users\n\n3. To write new IAM policy run command:\n\n```bash\ngcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml \ngcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml\ngcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n```\n\nIf the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.\n\n### Default Value\n\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are disabled by default because they can be quite large.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_2", + "description": "It is recommended to create a sink that will export copies of all the log entries. 
This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).", + "title": "2.2 Ensure that sinks are configured for all log entries", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.2", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n## Remediation\n\n### From Console\n\n1. Go to `Logs Router` by visiting https://console.cloud.google.com/logs/router.\n2. Click on the arrow symbol with `CREATE SINK` text.\n3. Fill out the fields for `Sink details`.\n4. Choose Cloud Logging bucket in the Select sink destination drop down menu.\n5. Choose a log bucket in the next drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click `Create Sink`.\n\nFor more information, see\n[https://cloud.google.com/logging/docs/export/configure_export_v2#dest-create](https://cloud.google.com/logging/docs/export/configure_export_v2#dest-create).\n### From Command Line\n\n1. 
To create a sink to export all log entries in a Google Cloud Storage bucket:\n\n```bash\ngcloud logging sinks create \u003csink-name\u003e storage.googleapis.com/DESTINATION_BUCKET_NAME\n```\n\n2. Sinks can be created for a folder or organization, which will include all projects.\n\n```bash\ngcloud logging sinks create \u003csink-name\u003e storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n```\n\n**Note**:\n1. A sink created by the command-line above will export logs in storage buckets. However, sinks can be configured to export logs into BigQuery, or Cloud Pub/Sub, or `Custom Destination`.\n2. While creating a sink, the sink option `--log-filter` is not used to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath bypassing the option `--include-children` in the gcloud command.\n4. By default, there are no sinks configured.\n\n### Default Value\n\nBy default, there are no sinks configured.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_3", + "description": "Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. 
It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.", + "title": "2.3 Ensure that retention policies on log buckets are configured using Bucket Lock", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.3", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nEnabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.\n\nLogs can be exported by creating one or more sinks that include a log filter and a destination. As cloud logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination.\n\nSinks can be configured to export logs in storage buckets. It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being removed.\nThis way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations.\n\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy. You \nwill then have to wait for the retention period for all items within the bucket before you can delete them, and then the bucket.\n\n## Remediation\n\n### From Console\n\n1. If sinks are not configured, first follow the instructions in the recommendation: `Ensure that sinks are configured for all Log entries`.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at `https://console.cloud.google.com/storage/browser/\u003cBUCKET_NAME\u003e`.\n3. Select the Bucket Lock tab near the top of the page.\n4. In the Retention policy entry, click the Add Duration link. The `Set a retention policy` dialog box appears.\n5. Enter the desired length of time for the retention period and click `Save policy`.\n6. Set the `Lock status` for this retention policy to `Locked`.\n\n### From Command Line\n\n1. To list all sinks destined to storage buckets:\n\n```bash\ngcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID\n```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n\n```bash\ngsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\ngsutil retention lock gs://[BUCKET_NAME]\n```\n\nFor more information, visit [https://cloud.google.com/storage/docs/using-bucket-lock#set-policy](https://cloud.google.com/storage/docs/using-bucket-lock#set-policy).\n\n### Default Value\n\nBy default, storage buckets used as log sinks do not have retention policies and Bucket Lock configured.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_4", + "description": "In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored. 
Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner are project owners.", + "title": "2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.4", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIn order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all `roles/Owner` assignments should be monitored.\nMembers (users/Service-Accounts) with a role assignment to primitive role `roles/Owner` are project owners.\nThe project owner has all the privileges on the project the role belongs to. These are summarized below:\n- All viewer permissions on all GCP Services within the project\n- Permissions for actions that modify the state of all GCP services within the project\n- Manage roles and permissions for a project and all resources within the project\n- Set up billing for a project\nGranting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore,grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.\n\n## Remediation\n\n### From Console\nCreate the prescribed log metric:\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. 
Clear any text and add:\n\n```bash\n(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")\nAND (ProjectOwnership OR projectOwnerInvitee)\nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\"\nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\"\nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\n```\n\n4. Click `Submit Filter`. The logs display based on the filter text entered by the user.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`(default) and the `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n6. Click `Create Metric`.\n\n#### Create the display prescribed Alert Policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the desired metric and select `Create alert from Metric`. A new page opens.\n3. Fill out the alert policy configuration and click `Save`. Choosethealertingthreshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate a prescribed Log Metric:\n - Use the command: gcloud beta logging metrics create.\n - Reference for Command Usage: [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create).\n\nCreate a prescribed Alert Policy:\n - Use the command: gcloud alpha monitoring policies create.\n - Reference for Command Usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create).\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_5", + "description": "Cloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. 
Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.", + "title": "2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.5", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \"who did what, where, and when?\" within GCP projects.\n\nCloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services.\n\nAdmin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.\n\nConfiguring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed log metric:\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. Clear any text and add:\n\n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. 
In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This will ensure that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click `Create Metric`.\n\nCreate a prescribed Alert Policy:\n\n1. Identify the new metric the user just created, under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page opens.\n3. Fill out the alert policy configuration and click `Save`.Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate a prescribed Log Metric:\n - Use the command: gcloud beta logging metrics create.\n - Reference for Command Usage [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create).\n\nCreate a prescribed Alert Policy:\n - Use the command: gcloud alpha monitoring policies create.\n - Reference for Command Usage [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create).\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_6", + "description": "It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.", + "title": "2.6 Ensure that the log metric filter and alerts exist for Custom Role changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.6", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.\n\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. 
However, to cater to organization-specific needs, IAM also provides the ability to create custom roles.\n\nProject owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed log metric:\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. Clear any text and add:\n\n```\nresource.type=\"iam_role\"\nAND (protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\nOR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\nOR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")\n```\n\n4. Click Submit Filter. Display logs appear based on the filter text entered by the user.\n5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n6. Click Create Metric.\n\nCreate a prescribed Alert Policy:\n1. Identify the new metric that was just created under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the metric and select `Create alert from Metric`. A new page displays.\n3. Fill out the alert policy configuration and click `Save`.Choosethealertingthreshold and configuration that makes sense for the user's organization. 
For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create\n\nCreate the prescribed Alert Policy:\n- Use the command: gcloud alpha monitoring policies create\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_7", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.", + "title": "2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.7", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud(VPC) Network Firewall rule changes.\n\nMonitoring for create or update firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed log metric:\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. Clear any text and add:\n\n```bash\nresource.type=\"gce_firewall_rule\"\nAND (protoPayload.methodName:\"compute.firewalls.patch\"\nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n6. Click `Create Metric`.\n\nCreate the prescribed Alert Policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n3. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create\n\nCreate the prescribed Alert Policy:\n- Use the command: gcloud alpha monitoring policies create\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_8", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.", + "title": "2.8 Ensure that the log metric filter and alerts exist for VPC network route changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.8", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.\n\nGoogle Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.\n\nMonitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed Log Metric:\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`\n3. Clear any text and add:\n\n```\nresource.type=\"gce_route\"\nAND (protoPayload.methodName:\"compute.routes.delete\"\nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click `Create Metric`.\n\nCreate the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n3. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create\n\nCreate the prescribed Alert Policy:\n- Use the command: gcloud alpha monitoring policies create\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_9", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.", + "title": "2.9 Ensure that the log metric filter and alerts exist for VPC network changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.9", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) changes.\n\nIt is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.\n\nMonitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed log metric:\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. 
Clear any text and add:\n\n```bash\nresource.type=gce_network\nAND (protoPayload.methodName=\"beta.compute.networks.insert\"\nOR protoPayload.methodName=\"beta.compute.networks.patch\"\nOR protoPayload.methodName=\"v1.compute.networks.delete\"\nOR protoPayload.methodName=\"v1.compute.networks.removePeering\" OR protoPayload.methodName=\"v1.compute.networks.addPeering\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click `Create Metric`.\n\nCreate the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of 0 for the most recent value will ensure that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create\n\nCreate the prescribed Alert Policy:\n- Use the command: gcloud alpha monitoring policies create\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_10", + "description": "It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.", + "title": "2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.10", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.\n\nMonitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.\n\n## Remediation\n\n### From Console\n\nCreate the prescribed log metric:\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. 
Clear any text and add:\n\n```bash\nresource.type=\"gcs_bucket\"\nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. In the `Metric Editor` menu on right,fill out the name field.Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click `Create Metric`.\n\nCreate the prescribed Alert Policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click Save.Choosethealertingthreshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n- Condition: above\n- Threshold: 0\n- For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create\n\nCreate the prescribed Alert Policy:\n- Use the command: gcloud alpha monitoring policies create\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_11", + "description": "It is recommended that a metric filter and alarm be established for SQL instance configuration changes.", + "title": "2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.11", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nIt is recommended that a metric filter and alarm be established for SQL instance configuration changes.\n\nMonitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.\n\nBelow are a few of the configurable options which may the impact security posture of an SQL instance:\n - Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability\n - Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n## Remediation\n\n### From Console\n\nCreate the prescribed Log Metric:\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n3. Clear any text and add:\n\n```bash\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n5. In the `Metric Editor` menu on right,fill out the name field.Set `Units` to `1` (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click `Create Metric`\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:\n\n```bash\nSet `Aggregator` to `Count`\nSet `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n```\n\n4. Configure the desired notifications channels in the section `Notifications`.\n5. 
Name the policy and click `Save`.\n\n### From Command Line\n\nCreate the prescribed log metric:\n - Use the command: gcloud logging metrics create\n\nCreate the prescribed alert policy:\n - Use the command: gcloud alpha monitoring policies create\n - Reference for Command Usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create).\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_12", + "description": "Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.", + "title": "2.12 Ensure that Cloud DNS logging is enabled for all VPC networks", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.12", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/DNS" + }, + "documentation": "## Description\n\nCloud DNS logging records the queries from the name servers within your VPC to Stackdriver. 
Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.\n\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address.\n\nMonitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names, evaluated against threat intelligence , and\n\nNote: For full capture of DNS, firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.\n\n## Remediation\n\n### From Command Line\n\nAdd New DNS Policy With Logging Enabled\n\nFor each VPC network that needs a DNS policy with logging enabled:\n\n```bash\ngcloud dns policies create enable-dns-logging --enable-logging --description=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe VPC_NETWORK_NAME can be one or more networks in comma-separated list\n\nEnable Logging for Existing DNS Policy\nFor each VPC network that has an existing DNS policy that needs logging enabled\n\n```bash\ngcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME\n```\n\nThe VPC_NETWORK_NAME can be one or more networks in comma-separated list\n\n### Default Value\n\nCloud DNS logging is disabled by default on each network.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_13", + 
"description": "GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.", + "title": "2.13 Ensure Cloud Asset Inventory Is Enabled", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.13", + "cis_level": "1", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Project" + }, + "documentation": "## Description\n\nGCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.\n\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing.\n\nIt is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n## Remediation\n\n### From Console\n\nEnable the Cloud Asset API:\n\n1. Go to `API \u0026 Services/Library` by visiting [https://console.cloud.google.com/apis/library](https://console.cloud.google.com/apis/library)\n2. Search for `Cloud Asset API` and select the result for *Cloud Asset API*\n3. Click the `ENABLE` button.\n\n### From Command Line\n\nEnable the Cloud Asset API:\n\n1. 
Enable the Cloud Asset API through the services interface:\n\n```bash\ngcloud services enable cloudasset.googleapis.com\n```\n\n### Default Value\n\nThe Cloud Asset Inventory API is disabled by default in each project.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_14", + "description": "GCP Access Transparency provides audit logs for all actions that Google personnel take in your Google Cloud resources.", + "title": "2.14 Ensure 'Access Transparency' is 'Enabled'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.14", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Project" + }, + "documentation": "## Description\n\nGCP Access Transparency provides audit logs for all actions that Google personnel take in your Google Cloud resources.\n\nControlling access to your information is one of the foundations of information security. Given that Google Employees do have access to your organizations' projects for support reasons, you should have logging in place to view who, when, and why your information is being accessed.\n\n## Remediation\n\n### From Console\n\n#### Add privileges to enable Access Transparency\n\n1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the 'IAM and Admin'. Select `IAM` in the top of the column that opens.\n2. Click the blue button the says `+add` at the top of the screen.\n3. 
In the `principals` field, select a user or group by typing in their associated email address.\n4. Click on the `role` field to expand it. In the filter field enter `Access Transparency Admin` and select it.\n5. Click `save`.\n\n#### Verify that the Google Cloud project is associated with a billing account\n\n1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Select `Billing`.\n2. If you see `This project is not associated with a billing account` you will need to enter billing information or switch to a project with a billing account.\n\n#### Enable Access Transparency\n\n1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM \u0026 Admin Menu. Select `settings` in the middle of the column that opens.\n2. Click the blue button labeled Enable `Access Transparency for Organization`\n\n### Default Value\n\nBy default Access Transparency is not enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_15", + "description": "GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. 
This adds an additional control and logging of who in your organization approved/denied these requests.", + "title": "2.15 Ensure 'Access Approval' is 'Enabled'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.15", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Project" + }, + "documentation": "## Description\n\nGCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. This adds an additional control and logging of who in your organization approved/denied these requests.\n\nControlling access to your information is one of the foundations of information security. Google Employees do have access to your organizations' projects for support reasons. With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.\n\n## Remediation\n\n### From Console\n\n1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens.\n2. The status will be displayed here. On this screen, there is an option to click `Enroll`. If it is greyed out and you see an error bar at the top of the screen that says `Access Transparency is not enabled` please view the corresponding reference within this section to enable it.\n3. In the second screen click `Enroll`.\n\nGrant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients\n\n1. 
From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `IAM and Admin`. Select `IAM` in the middle of the column that opens.\n2. Click the blue button the says `+ADD` at the top of the screen.\n3. In the `principals` field, select a user or group by typing in their associated email address.\n4. Click on the role field to expand it. In the filter field enter `Access Approval Approver` and select it.\n5. Click `save`.\n\nAdd a Group or User as an Approver for Access Approval Requests\n\n1. As a user with the `Access Approval Approver` permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens.\n2. Click `Manage Settings`\n3. Under `Set up approval notifications`, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.\n\n### From Command Line\n\n1. 
To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'\n\n```bash\ngcloud access-approval settings update --project=\u003cproject name\u003e --enrolled_services=all --notification_emails='\u003cemail recipient for access approval requests\u003e@\u003cdomain name\u003e'\n```\n\n### Default Value\n\nBy default Access Approval and its dependency of Access Transparency are not enabled.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 2 Logging and Monitoring", + "category_hierarchy": [ + "CIS v2.0.0", + "2 Logging and Monitoring" + ], + "control_id": "gcp_compliance.control.cis_v200_2_16", + "description": "Logging enabled on a HTTPS Load Balancer will show all network traffic and its destination.", + "title": "2.16 Ensure Logging is enabled for HTTP(S) Load Balancer", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "2.16", + "cis_level": "2", + "cis_section_id": "2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Logging" + }, + "documentation": "## Description\n\nLogging enabled on a HTTPS Load Balancer will show all network traffic and its destination.\n\nLogging will allow you to view HTTPS network traffic to your web applications.\n\n## Remediation\n\n### From Console\n\n1. From Google Cloud home open the Navigation Menu in the top left.\n2. Under the `Networking` heading select `Network services`.\n3. Select the HTTPS load-balancer you wish to audit.\n4. Select `Edit` then `Backend Configuration`.\n5. Select `Edit` on the corresponding backend service.\n6. Click `Enable Logging`.\n7. Set `Sample Rate` to a desired value. 
This is a percentage as a decimal point. 1.0 is 100%.\n\n### From Command Line\n\n1. Run the following command\n\n```bash\ngcloud compute backend-services update \u003cserviceName\u003e --region=REGION --enable-logging --logging-sample-rate=\u003cpercentageAsADecimal\u003e\n```\n\n### Default Value\n\nBy default logging for https load balancing is disabled. When logging is enabled it sets the default sample rate as 1.0 or 100%. Ensure this value fits the need of your organization to avoid high storage costs.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_1", + "description": "To prevent use of default network, a project should not have a default network.", + "title": "3.1 Ensure that the default network does not exist in a project", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.1", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nTo prevent use of `default` network, a project should not have a `default` network.\n\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n- default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n- default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n- default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n- default-allow-icmp: Allows 
ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network. \n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network. \n\n## Remediation\n\n### From Console\n\n1. Login to the `VPC networks` page by visiting: [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list)\n2. Click the network named `default`.\n3. On the network detail page, click `EDIT`.\n4. Click `DELETE VPC NETWORK`.\n5. If needed, create a new network to replace the default network.\n\n### From Command Line\n\nFor each Google Cloud Platform project,\n\n1. Delete the default network:\n\n```bash\ngcloud compute networks delete default\n```\n\n2. 
If needed, create a new network to replace it:\n\n```bash\ngcloud compute networks create NETWORK_NAME\n```\n\n### Prevention\n\nThe user can prevent the default network and its insecure default firewall rules from being created by setting up an Organization Policy to `Skip default network creation` at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation](https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation).\n\n### Default Value\n\nBy default, for each project, a `default` network is created.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_2", + "description": "In order to prevent use of legacy networks, a project should not have a legacy network configured.", + "title": "3.2 Ensure legacy networks do not exist for a project", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.2", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nIn order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.\n\nLegacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. 
Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.\n\n## Remediation\n\nFor each Google Cloud Platform project,\n\n1. Follow the documentation and create a non-legacy network suitable for the organization's requirements.\n2. Follow the documentation and delete the networks in the `legacy` mode.\n\n### Default Value\n\nBy default, networks are not created in the `legacy` mode.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_3", + "description": "Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.", + "title": "3.3 Ensure that DNSSEC is enabled for Cloud DNS", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.3", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/DNS" + }, + "documentation": "## Description\n\nCloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. 
Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.\n\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like [www.example.com](www.example.com) into its associated IP address is an increasingly important building block of today’s web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\n## Remediation\n\n### From Console\n\n1. Go to `Cloud DNS` by visiting [https://console.cloud.google.com/net-services/dns/zones](https://console.cloud.google.com/net-services/dns/zones).\n2. For each zone of `Type Public`, set `DNSSEC` to `On`.\n\n### From Command Line\n\nUse the below command to enable `DNSSEC` for Cloud DNS Zone Name.\n\n```bash\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n### Default Value\n\nBy default DNSSEC is not enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_4", + "description": "DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. 
The algorithm used for key signing should be a recommended one and it should be strong.", + "title": "3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.4", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/DNS" + }, + "documentation": "## Description\n\n**NOTE**: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.\n\nThe algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.\n\n## Remediation\n\n### From Command Line\n\n1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:\n\n```bash\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. 
To update key-signing for a reported managed DNS Zone, run the following command:\n\n```bash\ngcloud dns managed-zones update ZONE_NAME \\\n--dnssec-state on \\\n--ksk-algorithm KSK_ALGORITHM \\\n--ksk-key-length KSK_KEY_LENGTH \\\n--zsk-algorithm ZSK_ALGORITHM \\\n--zsk-key-length ZSK_KEY_LENGTH \\\n--denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n```\nAlgorithm KSK Length ZSK Length\n--------- ---------- ----------\nRSASHA1 1024,2048 1024,2048\nRSASHA256 1024,2048 1024,2048\nRSASHA512 1024,2048 1024,2048\nECDSAP256SHA256 256 256\nECDSAP384SHA384 384 384\n```\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_5", + "description": "DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. 
The algorithm used for key signing should be a recommended one and it should be strong.", + "title": "3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.5", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/DNS" + }, + "documentation": "## Description\n\n**NOTE**: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.\n\nThe algorithm used for key signing should be a recommended one and it should be strong. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n## Remediation\n\n### From Command Line\n\n1. If it is necessary to change the settings for a managed zone where it has been enabled, `DNSSEC` must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:\n\n```bash\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. 
To update zone-signing for a reported managed DNS Zone, run the following command:\n\n```bash\ngcloud dns managed-zones update ZONE_NAME \\\n--dnssec-state on \\\n--ksk-algorithm KSK_ALGORITHM \\\n--ksk-key-length KSK_KEY_LENGTH \\\n--zsk-algorithm ZSK_ALGORITHM \\\n--zsk-key-length ZSK_KEY_LENGTH \\\n--denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n```\nAlgorithm KSK Length ZSK Length\n--------- ---------- ----------\nRSASHA1 1024,2048 1024,2048\nRSASHA256 1024,2048 1024,2048\nRSASHA512 1024,2048 1024,2048\nECDSAP256SHA256 256 256\nECDSAP384SHA384 384 384\n```\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_6", + "description": "GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.", + "title": "3.6 Ensure that SSH access is restricted from the internet", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.6", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nGCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. 
Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.\n\nFirewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the internet to VPC or VM instance using `SSH` on `Port 22` can be avoided.\n\nGCP `Firewall Rules` within a `VPC Network` apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general `(0.0.0.0/0)` destination `IP Range` specified from the Internet through `SSH` with the default `Port 22`. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Remediation\n\n### From Console\n\n1. Go to `VPC Network`.\n2. Go to the `Firewall Rules`.\n3. Click the `Firewall Rule` you want to modify.\n4. Click `Edit`.\n5. Modify `Source IP ranges` to specific `IP`.\n6. Click `Save`.\n\n### From Command Line\n\n1. Update the Firewall rule with the new `SOURCE_RANGE` from the below command:\n\n```bash\ngcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] 
--source-ranges=[CIDR_RANGE,...]\n```\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_7", + "description": "GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.", + "title": "3.7 Ensure that RDP access is restricted from the Internet", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.7", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nGCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.\n\nFirewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an `IPv4` address or `IPv4 block in CIDR` notation can be used. 
Generic `(0.0.0.0/0)` incoming traffic from the internet to VPC or VM instance using\n`RDP` on `Port 3389` can be avoided.\n\nGCP `Firewall Rules` within a `VPC Network` apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general `(0.0.0.0/0)` destination `IP Range` specified from the Internet through `RDP` with the default Port `3389`. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Remediation\n\n### From Console\n\n1. Go to `VPC Network`.\n2. Go to the `Firewall Rules`.\n3. Click the `Firewall Rule` to be modified.\n4. Click `Edit`.\n5. Modify `Source IP ranges` to specific `IP`.\n6. Click `Save`.\n\n### From Command Line\n\n1. Update RDP Firewall rule with new `SOURCE_RANGE` from the below command:\n\n```bash\ngcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[- PORT]],...] --source-ranges=[CIDR_RANGE,...]\n```", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_8", + "description": "Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. 
Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.", + "title": "3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.8", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.\n\nVPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. 
If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases: \n- Network monitoring \n- Understanding network usage and optimizing network traffic expenses \n- Network forensics \n- Real-time security analysis\n\nFlow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or provide insight during security workflows.\n\nThe Flow Logs must be configured such that all network traffic is logged, the interval of logging is granular to provide detailed information on the connections, no logs are filtered, and metadata to facilitate investigations are included.\n\n**Note**: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC flow logs. \n\n## Remediation\n\n### From Console\n\n1. Go to the VPC network GCP Console visiting [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list)\n2. Click the name of a subnet, The `Subnet details` page displays.\n3. Click the `EDIT` button.\n4. Set `Flow Logs` to `On`.\n5. Expand the `Configure Logs` section.\n6. Set `Aggregation Interval` to `5 SEC`.\n7. Check the box beside `Include metadata`.\n8. Set `Sample rate` to `100`.\n9. 
Click Save.\n\n**Note**: It is not possible to configure a Log filter from the console.\n\n### From Command Line\n\nTo enable VPC Flow Logs for a network subnet, run the following command:\n\n```bash\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all\n```\n\n### Default Value\n\nBy default, Flow Logs is set to Off when a new VPC network subnet is created.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_9", + "description": "Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers.", + "title": "3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.9", + "cis_level": "1", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. 
To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (3) a CUSTOM profile that does not\nsupport any of the following features:\n```\nTLS_RSA_WITH_AES_128_GCM_SHA256\nTLS_RSA_WITH_AES_256_GCM_SHA384\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\n```\n\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network. GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites. To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites. In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.\n\n## Remediation\n\n### From Console\n\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the `SSL Policies` page by visiting: [https://console.cloud.google.com/net-security/sslpolicies](https://console.cloud.google.com/net-security/sslpolicies)\n2. Click on the name of the insecure policy to go to its `SSL policy details` page.\n3. Click `EDIT`.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. 
Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n\n```bash\nTLS_RSA_WITH_AES_128_GCM_SHA256\nTLS_RSA_WITH_AES_256_GCM_SHA384\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\n```\n\n### From Command Line\n\n1. For each insecure SSL policy, update it to use secure cyphers:\n\n```bash\ngcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features\nFEATURES]\n```\n\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n\n```bash\ngcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n\ngcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --sslpolicy SSL_POLICY_NAME\n```\n\n### Default Value\n\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 3 Networking", + "category_hierarchy": [ + "CIS v2.0.0", + "3 Networking" + ], + "control_id": "gcp_compliance.control.cis_v200_3_10", + "description": "IAP authenticates the user requests to your apps via a Google single sign in. You can then manage these users with permissions to control access. 
It is recommended to use both IAP permissions and firewalls to restrict this access to your apps with sensitive information.", + "title": "3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "3.10", + "cis_level": "2", + "cis_section_id": "3", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nIAP authenticates the user requests to your apps via a Google single sign in. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict this access to your apps with sensitive information.\n\nIAP ensure that access to VMs is controlled by authenticating incoming requests. Access to your apps and the VMs should be restricted by firewall rules that allow only the proxy IAP IP addresses contained in the 35.235.240.0/20 subnet. Otherwise, unauthenticated requests can be made to your apps. To ensure that load balancing works correctly health checks should also be allowed.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud Console [VPC network \u003e Firewall rules](https://console.cloud.google.com/networking/firewalls/list?_ga=2.72166934.480049361.1580860862-1336643914.1580248695).\n2. Select the checkbox next to the following rules:\n - default-allow-http\n - default-allow-https\n - default-allow-internal\n3. Click Delete.\n4. 
Click Create firewall rule and set the following values:\n - Name: allow-iap-traffic\n - Targets: All instances in the network\n - Source IP ranges (press Enter after you paste each value in the box, copy the value below the bold text including the dash):\n\n * `IAP Proxy Addresses` 35.235.240.0/20\n * `Google Health Check` 130.211.0.0/22\n * `Google Health Check` 35.191.0.0/16\n\n - Protocols and ports:\n\n * Specified protocols and ports required for access and management of your app. For example most health check connection protocols would be covered by;\n * tcp:80 (Default HTTP Health Check port)\n * tcp:443--(Default HTTPS Health Check port)\n \n **Note: if you have custom ports used by your load balancers, you will need to list them here**\n\n5. When you're finished updating values, click Create.\n\n### Default Value\n\nBy default all traffic is allowed.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_1", + "description": "It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.", + "title": "4.1 Ensure that instances are not configured to use the default service account", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.1", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nIt is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the 
project.\n\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account. Instead, you should create a new service account and assigning only the permissions\nneeded by your instance.\n\nThe default Compute Engine service account is named `[PROJECT_NUMBER]- compute@developer.gserviceaccount.com`.\n\n## Remediation\n\n### From Console\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other than the default Compute Engine service account. You may first need to create a new service account.\n5. Click `Save` and then click `START`.\n\n### From Command Line\n\n1. Stop the instance:\n\n```bash\ngcloud compute instances stop \u003cINSTANCE_NAME\u003e\n```\n\n2. Update the instance:\n\n```bash\ngcloud compute instances set-service-account \u003cINSTANCE_NAME\u003e --serviceaccount=\u003cSERVICE_ACCOUNT\u003e\n```\n\n3. 
Restart the instance:\n\n```bash\ngcloud compute instances start \u003cINSTANCE_NAME\u003e\n```\n\n### Default Value\n\nBy default, Compute instances are configured to use the default Compute Engine service account.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_2", + "description": "To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.", + "title": "4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.2", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nTo support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\nAlong with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account `Compute Engine default service account` for an instances to access necessary cloud services. 
`Project Editor role` is assigned to `Compute Engine default service account` hence, This service account has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` assigned to an instance it can operate in 3 scopes.\n\n```\n1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges)\n2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access)\n3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance\n```\n\nWhen an instance is configured with `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`, based on IAM roles assigned to the user(s) accessing Instance, it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.\n\n## Remediation\n\n### From Console\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to be stopped.\n4. Next, click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From Command Line\n\n1. Stop the instance:\n\n```bash\ngcloud compute instances stop \u003cINSTANCE_NAME\u003e\n```\n\n2. Update the instance:\n\n```bash\ngcloud compute instances set-service-account \u003cINSTANCE_NAME\u003e --service- account=\u003cSERVICE_ACCOUNT\u003e --scopes [SCOPE1, SCOPE2...]\n```\n\n3. 
Restart the instance:\n\n```bash\ngcloud compute instances start \u003cINSTANCE_NAME\u003e\n```\n\n### Default Value\n\nWhile creating an VM instance, default service account is used with scope `Allow default access`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_3", + "description": "It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.", + "title": "4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.3", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nIt is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.\n\nProject-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.\n\n## Remediation\n\n### From Console\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). It will list all the instances in your project.\n2. 
Click on the name of the Impacted instance\n3. Click `Edit` in the toolbar\n4. Under SSH Keys, go to the `Block project-wide SSH keys` checkbox\n5. To block users with project-wide SSH keys from connecting to this instance, select `Block project-wide SSH keys`\n6. Click `Save` at the bottom of the page\n7. Repeat steps for every impacted Instance\n\n### From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to `TRUE`:\n\n```bash\ngcloud compute instances add-metadata \u003cINSTANCE_NAME\u003e --metadata block- project-ssh-keys=TRUE\n```\n\n### Default Value\n\nBy Default `Block Project-wide SSH keys` is not enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_4", + "description": "Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.", + "title": "4.4 Ensure oslogin is enabled for a Project", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.4", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nEnabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.\n\nEnabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. 
It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.\n\n## Remediation\n\n### From Console\n\n1. Go to the VM compute metadata page by visiting: [https://console.cloud.google.com/compute/metadata](https://console.cloud.google.com/compute/metadata).\n2. Click `Edit`.\n3. Add a metadata entry where the key is `enable-oslogin` and the value is `TRUE`.\n4. Click `Save` to apply the changes.\n5. For every instance that overrides the project setting, go to the `VM Instances` page at [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n6. Click the name of the instance on which you want to remove the metadata value.\n7. At the top of the instance details page, click `Edit` to edit the instance settings.\n8. Under `Custom metadata`, remove any entry with key `enable-oslogin` and the value is `FALSE`\n9. At the bottom of the instance details page, click `Save` to apply your changes to the instance.\n\n### From Command Line\n\n1. Configure oslogin on the project\n\n```bash\ngcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n```\n\n2. Remove instance metadata that overrides the project setting.\n\n```bash\ngcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin\n```\n\nOptionally, you can enable two factor authentication for OS login. 
For more information, see: [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication).\n\n### Default Value\n\nBy default, parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_5", + "description": "Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.", + "title": "4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.5", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nInteracting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.\n\nA virtual machine instance has four virtual serial ports. 
Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.\n\nThe interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.Therefore interactive serial console support should be disabled.\n\n## Remediation\n\nInteractive serial console support should be disabled.\n\n### From Console\n\n1. Login to Google Cloud console\n2. Go to Computer Engine\n3. Go to VMinstances\n4. Click on the Specific VM\n5. Click `EDIT`\n6. Unselect `Enable connecting to serial ports` below `Remote access` block.\n7. Click `Save`\n\n### From Command Line\n\nUse the below command to disable\n\n```bash\ngcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false\n```\n\nor\n\n```bash\ngcloud compute instances add-metadata \u003cINSTANCE_NAME\u003e --zone=\u003cZONE\u003e --metadata=serial-port-enable=0\n```\n\n### Prevention\n\nYou can prevent VMs from having serial port access enable by `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess](https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess).\n\n### Default Value\n\nBy default, connecting to serial ports is not enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + 
"4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_6", + "description": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.", + "title": "4.6 Ensure that IP forwarding is not enabled on Instances", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.6", + "cis_level": "1", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nCompute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.\n\nForwarding of data packets should be disabled to prevent data loss or information disclosure.\n\nCompute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.\n\n## Remediation\n\nYou only edit the `canIpForward` setting at instance creation time. 
Therefore, you need to delete the instance and create a new one where `canIpForward` is set to `false`.\n\n### From Console\n\n1. Go to the `VM Instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the 'VM Instances' page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.\n\n### From Command Line\n\n1. Delete the instance:\n\n```bash\ngcloud compute instances delete INSTANCE_NAME\n```\n\n2. Create a new instance to replace it, with `IP forwarding` set to `Off`\n\n```bash\ngcloud compute instances create\n```\n\n### Default Value\n\nBy default, instances are not configured to allow IP forwarding.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_7", + "description": "Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. 
However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.", + "title": "4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.7", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.\n\nIf you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.\n\nGoogle does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\n\nAt least business critical VMs should have VM disks encrypted with CSEK.\n\n## Remediation\n\nCurrently there is no way to update the encryption of an existing disk. Therefore you should create a new disk with `Encryption` set to `Customer supplied`.\n\n### From Console\n\n1. Go to Compute Engine `Disks` by visiting: [https://console.cloud.google.com/compute/disks](https://console.cloud.google.com/compute/disks).\n2. Click `CREATE DISK`.\n3. 
Set `Encryption type` to `Customer supplied`\n4. Provide the `Key` in the box.\n5. Select `Wrapped key`.\n6. Click `Create`.\n\n### From Command Line\n\nIn the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:\n\n```bash\ngcloud compute instances create \u003cINSTANCE_NAME\u003e --csek-key-file \u003cexample-file.json\u003e\n```\n\nTo encrypt a standalone persistent disk:\n\n```bash\ngcloud compute disks create \u003cDISK_NAME\u003e --csek-key-file \u003cexample-file.json\u003e\n```\n\n### Default Value\n\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted with Customer-Supplied Encryption Keys.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_8", + "description": "To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.", + "title": "4.8 Ensure Compute instances are launched with Shielded VM enabled", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.8", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.\n\nShielded VMs are virtual 
machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.\n\n## Remediation\n\nTo be able turn on `Shielded VM` on an instance, your instance must use an image with Shielded VM support.\n\n### From Console\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on the instance name to see its `VM instance details` page.\n3. Click `STOP` to stop the instance.\n4. When the instancehas stopped, click `EDIT`.\n5. In the Shielded VM section,select `Turn on vTPM` and `Turn on Integrity Monitoring`.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select `Turn on Secure Boot`.\n7. Click the `Save` button to modify the instance and then click `START` to restart it.\n\n### From Command Line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```bash\ngcloud compute images list --project gce-uefi-images --no-standard-images \n```\n\n1. Stop the instance:\n\n```bash\ngcloud compute instances stop \u003cINSTANCE_NAME\u003e\n```\n\n2. 
Update the instance:\n\n```bash\ngcloud compute instances update \u003cINSTANCE_NAME\u003e --shielded-vtpm --shielded-vmintegrity-monitoring\n```\n\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.\n\n```bash\ngcloud compute instances update \u003cINSTANCE_NAME\u003e --shielded-vm-secure-boot\n```\n\n4. Restart the instance:\n\n```bash\ngcloud compute instances start \u003cINSTANCE_NAME\u003e\n```\n\n### Prevention\n\nYou can ensure that all new VMs will be created with Shielded VM enabled by setting up an Organization Policy to for Shielded VM at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm](https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm). Learn more at: [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint](https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint).\n\n### Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_9", + "description": "Compute instances should not be configured to have external IP addresses.", + "title": "4.9 Ensure that Compute instances do not have public IP addresses", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.9", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nCompute instances should not be 
configured to have external IP addresses.\n\nTo reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.\n\n## Remediation\n\nTo be able turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From Console\n\n1. Gotothe `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on the instance name to go the the `Instance detail page`.\n3. Click `Edit`.\n4. For each Network interface, ensure that `External IP` is set to `None`.\n5. Click Done and then click `Save`.\n\n### From Command Line\n\n1. Describe the instance properties:\n\n```bash\ngcloud compute instances describe \u003cINSTANCE_NAME\u003e --zone=\u003cZONE\u003e\n```\n\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n```\nnetworkInterfaces:\n- accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n```\n\n3. Delete the access config.\n\n```bash\ngcloud compute instances delete-access-config \u003cINSTANCE_NAME\u003e --zone=\u003cZONE\u003e --access-config-name \u003cACCESS_CONFIG_NAME\u003e\n```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different. The name of your access config might be different.\n\n### Prevention\n\nYou can configure the `Define allowed external IPs for VM instances` Organization Policy to prevent VMs from being configured with public IP addresses. 
Learn more at: [https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess](https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess)\n\n### Default Value\n\nBy default, Compute instances have a public IP address.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_10", + "description": "In order to maintain the highest level of security all connections to an application should be secure by default.", + "title": "4.10 Ensure that App Engine applications enforce HTTPS connections", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.10", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/AppEngine" + }, + "documentation": "## Description\n\nIn order to maintain the highest level of security all connections to an application should be secure by default.\n\nInsecure HTTP connections maybe subject to eavesdropping which can expose sensitive data.\n\n## Remediation\n\nAdd a line to the app.yaml file controlling the application which enforces secure connections. 
For example\n\n```\nhandlers:\n- url: /.*\n **secure: always**\n redirect_http_response_code: 301\n script: auto\n```\n\n[https://cloud.google.com/appengine/docs/standard/python3/config/appref](https://cloud.google.com/appengine/docs/standard/python3/config/appref)\n\n### Default Value\n\nBy default both HTTP and HTTP are supported\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_11", + "description": "Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).", + "title": "4.11 Ensure that Compute instances have Confidential Computing enabled", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.11", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nGoogle Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC™ CPUs. 
Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. \nThanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.\n\nConfidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete the current instance and create a new one.\n\n### From Console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click `CREATE INSTANCE`.\n3. Fill out the desired configuration for your instance.\n4. Under the `Confidential VM service` section, check the option `Enable the Confidential Computing service on this VM instance`.\n5. 
Click `Create`.\n\n### From Command Line\n\nCreate a new instance with Confidential Compute enabled.\n\n```bash\ngcloud beta compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE\n```\n\n### Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 4 Virtual Machines", + "category_hierarchy": [ + "CIS v2.0.0", + "4 Virtual Machines" + ], + "control_id": "gcp_compliance.control.cis_v200_4_12", + "description": "For the virtual machines where you manage the operating system in Infrastructure as a Service (IaaS), you are responsible for keeping these operating systems and programs up to date. There are multiple ways to manage updates yourself that would be difficult to fit into one recommendation. Check the CIS Benchmarks for each of your Operating Systems as well for potential solutions there. In this recommendation we will use a feature in Google Cloud via its VM manager API to manage updates called Operating System Patch Management (referred to OS Patch Management from here on out). This may requires installing the OS Config API if it is not already installed. Also if you install custom operating systems, they may not functionally support the local OS config agent required to gather operating system patch information and issue update commands. These update commands are the default Linux and Windows commands to install updates such as yum or apt. This feature allows for a central management to issue those commands. OS Patch management also does not host the updates itself, so your VMs will need to be public or be able to access the internet. 
This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this.", + "title": "4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "4.12", + "cis_level": "2", + "cis_section_id": "4", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Compute" + }, + "documentation": "## Description\n\nGoogle Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed.This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.\n\nKeeping virtual machine operating systems up to date is a security best practice. Using this service will simplify this process.\n\n## Remediation\n\n### From Console\n\n**Enabling OS Patch Management on a Project by Project Basis**\n\n**Install OS Config API for the Project**\n\n1. Navigate into a project. In the expanded hamburger menu located at the top left of the screen hover over \"APIs \u0026 Services\". Then in the menu right of that select \"API Libraries\"\n2. Search for \"VM Manager (OS Config API) or scroll down in the left hand column and select the filter labeled \"Compute\" where it is the last listed. Open this API.\n3. Click the blue 'Enable' button. \n\n**Add MetaData Tags for OSConfig Parsing**\n\n1. From the main Google Cloud console, open the hamburger menu in the top left. Mouse over Computer Engine to expand the menu next to it.\n2. Under the \"Settings\" heading, select \"Metadata\".\n3. In this view there will be a list of the project wide metadata tags for VMs. 
Click edit and 'add item' in the key column type 'enable-osconfig' and in the value column set it to 'true'.\n\n### From Command Line\n\n1. For project wide tagging, run the following command\n\n ```bash\n gcloud compute project-info add-metadata --project \u003cPROJECT_ID\u003e --metadata=enable-osconfig=TRUE\n ```\n\nPlease see the reference /compute/docs/troubleshooting/vm-manager/verify-setup#metadata-enabled at the bottom for more options like instance specific tagging.\n\n**Note**: Adding a new tag via commandline may overwrite existing tags. You will need to do this at a time of low usage for the least impact.\n\n**Install and Start the Local OSConfig for Data Parsing**\n\nThere is no way to centrally manage or start the Local OSConfig agent. Please view the reference of manage-os#agent-install to view specific operating system commands.\n\n**Setup a project wide Service Account**\n\nPlease view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.\n\n**Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting**\n\nFor the sake of brevity, please see the attached resources to enable NAT or Private Google Access. Rerun the audit procedure to test if it has taken effect.\n\nFrom Command Line:\n\n**Install OS Config API for the Project**\n\n1. In each project you wish to audit run gcloud services enable osconfig.googleapis.com\n\n**Install and Start the Local OSConfig for Data Parsing**\n\nPlease view the reference of manage-os#agent-install to view specific operating system commands.\n\n**Setup a project wide Service Account**\n\nPlease view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.\n\n**Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting**\n\nFor the sake of brevity, please see the attached resources to enable NAT or Private Google Access. 
Rerun the audit procedure to test if it has taken effect. Determine if Instances can connect to public update hosting\n\nLinux\n\nDebian Based Operating Systems\n\n```bash\nsudo apt update\n```\n\nThe output should have a numbered list of lines with Hit: URL of updates.\n\nRedhat Based Operating Systems\n\n```bash\nyum check-update\n```\n\nThe output should show a list of packages that have updates available.\n\nWindows\n\n```bash\nping http://windowsupdate.microsoft.com/\n```\n\nThe ping should successfully be delivered and received.\n\n### Default Value\n\nBy default most operating systems and programs do not update themselves. The Google Cloud VM Manager which is a dependency of the OS Patch management feature is installed on Google Built OS images with a build date of v20200114 or later. The VM manager is not enabled in a project by default and will need to be setup.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_4" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_4", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Storage", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Storage" + ], + "control_id": "gcp_compliance.control.cis_v200_5_1", + "description": "It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.", + "title": "5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "5.1", + "cis_level": "1", + "cis_section_id": "5", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Storage" + }, + "documentation": "## Description\n\nIt is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.\n\nAllowing anonymous or public access grants permissions to anyone to access bucket content. 
Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.\n\n## Remediation\n\n### From Console\n\n1. Go to `Storage browser` by visiting [https://console.cloud.google.com/storage/browser](https://console.cloud.google.com/storage/browser). \n2. Click on the bucket name to go to its `Bucket details` page. \n3. Click on the `Permissions` tab. \n4. Click `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From Command Line\n\nRemove `allUsers` and `allAuthenticatedUsers` access.\n\n```bash\ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n### Prevention\n\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains](https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains).\n\n### Default Value\n\nBy Default, Storage buckets are not publicly shared.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_5" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 5 Storage", + "category_hierarchy": [ + "CIS v2.0.0", + "5 Storage" + ], + "control_id": "gcp_compliance.control.cis_v200_5_2", + "description": "It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.", + "title": "5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "5.2", + "cis_level": "2", + "cis_section_id": "5", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + 
"service": "GCP/Storage" + }, + "documentation": "## Description\n\nIt is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.\n\nIt is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.\n\nCloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.\n\nIn order to support a uniform permissioning system, cloud storage has uniform bucket- level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.\n\n## Remediation\n\n### From Console\n\n1. Open the Cloud Storage browser in the Google Cloud Console by visiting: [https://console.cloud.google.com/storage/browser](https://console.cloud.google.com/storage/browser) \n2. In the list of buckets, click on the name of the desired bucket.\n3. Select the `Permissions` tab near the top of the page. \n4. In the text box that starts with `This bucket uses fine-grained access control...`, click `Edit`. \n5. In the pop-up menu that appears, select `Uniform`. \n6. Click `Save`. 
\n\n### From Command Line\n\nUse the on option in a uniformbucketlevelaccess set command:\n\n```bash\ngsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\n```\n\n## Prevention\n\nYou can set up an Organization Policy to enforce that any new bucket has uniform bucket level access enabled. Learn more at: [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket](https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket)\n\n### Default Value\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_5" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_5", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.1 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.1 MySQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_1_1", + "description": "It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances. This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.", + "title": "6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.1.1", + "cis_level": "1", + "cis_section_id": "6.1", + "cis_type": "manual", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nIt is recommended to set a password for the administrative user (`root` by default) to prevent unauthorized access to the SQL database instances.\n\nThis recommendation is applicable only for *MySQL Instances*. 
PostgreSQL does not offer any setting for No Password from the cloud console.\n\nAt the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using [`https://console.cloud.google.com/sql/`](https://console.cloud.google.com/sql/)\n2. Select the instance to open its Overview page. \n3. Select `Access Control \u003e Users`.\n4. Click the `More actions icon` for the user to be updated. \n5. Select `Change password`, specify a `New password`, and click `OK`.\n\n### From Command Line\n\n1. Set a password to a MySql instance:\n\n```bash\ngcloud sql users set-password root --host=\u003chost\u003e --instance=\u003cinstance_name\u003e --prompt-for-password\n```\n\n2. A prompt will appear, requiring the user to enter a password:\n\n```bash\nInstance Password:\n```\n\n3. 
With a successful password configured, the following message should be seen:\n\n```bash\nUpdating Cloud SQL user...done.\n```\n\n### Default Value\n\nFrom the Google Cloud Platform Console, the `Create Instance` workflow enforces the rule to enter the root password unless the option `No Password` is selected explicitly.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.1 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.1 MySQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_1_2", + "description": "It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.", + "title": "6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.1.2", + "cis_level": "1", + "cis_section_id": "6.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nIt is recommended to set `skip_show_database` database flag for Cloud SQL MySQL instance to `on`.\n\n'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege. This can improve security if you have concerns about users being able to see databases belonging to other users. Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names. 
If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege. This recommendation is applicable to Mysql database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the Mysql instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before click `Add item`, choose the flag `skip_show_database` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. List all Cloud SQL database Instances\n\n```bash\ngcloud sql instances list\n```\n\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the below command\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on\n```\n\n**Note** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.1 MySQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.1 MySQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_1_3", + "description": "It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.", + "title": "6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.1.3", + "cis_level": "1", + "cis_section_id": "6.1", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nIt is recommended to set the `local_infile` database flag for a Cloud SQL MySQL instance to `off`.\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.\n\n## Remediation\n\n### From Console\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before,click Add item,choose\nthe flag `local_infile` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. List all Cloud SQL database Instances\n\n```bash\ngcloud sql instances list\n```\n\n2. Configure the `local_infile` database flag for every Cloud SQL Mysql database instance using the below command\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off\n```\n\n**Note** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `local_infile` is `on`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_1" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_1", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_1", + "description": "The log_error_verbosity flag controls the verbosity/details of messages logged. 
Valid values are: 'TERSE', 'DEFAULT', and 'VERBOSE'.", + "title": "6.2.1 Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.1", + "cis_level": "2", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. Valid values are:\n\n* `TERSE`\n* `DEFAULT`\n* `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to 'DEFAULT' or stricter.\n\nAuditing helps in troubleshooting operational problems and also permits forensic analysis. If `log_error_verbosity` is not set to the correct value, too many details or too few details may be logged. This flag should be configured with a value of 'DEFAULT' or stricter. This recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_error_verbosity` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. 
Configure the log_error_verbosity database flag for every Cloud SQL PosgreSQL database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_error_verbosity=\u003cTERSE|DEFAULT|VERBOSE\u003e\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_error_verbosity` is `DEFAULT`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_2", + "description": "Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. 
This parameter cannot be changed after the session starts.", + "title": "6.2.2 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.2", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nEnabling the `log_connections` setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.\n\nPostgreSQL does not log attempted connections by default. Enabling the `log_connections` setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_connections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_connections=on\n```\n\n**Note**: This command will overwrite all previously set database flags. 
To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_connections` is `off`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_3", + "description": "Enabling the log_disconnections setting logs the end of each session, including the session duration.", + "title": "6.2.3 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.3", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the session duration.\n\nPostgreSQL does not log session details such as duration and session end by default. Enabling the `log_disconnections` setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period. The `log_disconnections` and `log_connections` work hand in hand and generally, the pair would be enabled/disabled together. 
This recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_disconnections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL database instance using the below command:\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_disconnections=on\n```\n\n**Note**: This command will overwrite all previously setdatabase flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_disconnections` is off.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_4", + "description": "The value of log_statement flag determined the SQL statements that are logged. Valid values are: 'none', 'ddl', 'mod', and 'all'.", + "title": "6.2.4 Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.4", + "cis_level": "2", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL" + }, + "documentation": "## Description\n\nThe value of `log_statement` flag determined the SQL statements that are logged. Valid values are:\n* none\n* ddl\n* mod\n* all\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all ddl statements, plus data-modifying statements. The statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors. When using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included.\n\nA value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.\n\nAuditing helps in forensic analysis. 
If log_statement is not set to the correct value, too many statements may be logged leading to issues in finding the relevant information from the logs, or too few statements may be logged with relevant information missing from the logs. Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities. This recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `log_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_statement=\u003cddl|mod|all|none\u003e\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_5", + "description": "The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above.", + "title": "6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.5", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nThe `log_min_messages` flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. 
Changes should only be made in accordance with the organization's logging policy.\n\nAuditing helps in troubleshooting operational problems and also permits forensic analysis. If `log_min_messages` is not set to the correct value, messages may not be classified as error messages appropriately. An organization will need to decide their own threshold for logging `log_min_messages` flag.\n\nThis recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click `Save` to save the changes.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line:\n\n1. Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_min_messages=\u003cDEBUG5|DEBUG4|DEBUG3|DEBUG2|DEBUG1|INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC\u003e\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_min_messages` is `ERROR`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_6", + "description": "The log_min_error_statement flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set.", + "title": "6.2.6 Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.6", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nThe `log_min_error_statement` flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level includes the subsequent levels mentioned above. 
Ensure a value of `ERROR` or stricter is set.\n\nAuditing helps in troubleshooting operational problems and also permits forensic analysis. If `log_min_error_statement` is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements. The `log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is applicable to PostgreSQL database instances.\n\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_error_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line:\n\n1. Configure the `log_min_error_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_min_error_statement=\u003cDEBUG5|DEBUG4|DEBUG3|DEBUG2|DEBUG1|INFO|NOTICE|WARNING|ERROR\u003e\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_min_error_statement` is `ERROR`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_7", + "description": "The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.", + "title": "6.2.7 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.7", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nThe `log_min_duration_statement` flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that `log_min_duration_statement` is disabled, i.e., a value of `-1` is set.\n\nLogging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Remediation\n\n### From Console\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line:\n\n1. List all Cloud SQL database instances using the following command:\n\n```bash\ngcloud sql instances list\n```\n\n2. Configure the `log_min_duration_statement` flag for every Cloud SQL PosgreSQL database instance using the below command:\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags log_min_duration_statement=-1\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `log_min_duration_statement` is `-1`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_8", + "description": "Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.", + "title": "6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.8", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nEnsure `cloudsql.enable_pgaudit` database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.\n\nAs numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of `cloudsql.enable_pgaudit`. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. 
This extension provides detailed session and object logging to comply with government, financial, \u0026 ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.\n\n## Remediation\n\nInitialize the pgAudit flag\n\n### From Console\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. To set a flag that has not been set on the instance before, click `Add item`.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to `on`.\n7. Click `Done`.\n8. Click `Save` to update the configuration.\n9. Confirm your changes under `Flags` on the `Overview` page.\n\n### From Command Line:\n\n1. Run the below command by providing \u003cINSTANCE_NAME\u003e to enable `cloudsql.enable_pgaudit` flag.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags=cloudsql.enable_pgaudit=on\n```\n**Note**: `RESTART` is required to get this configuration in effect.\n\n### Creating the extension\n\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. If SSHing to the server in the command line open the PostgreSQL shell by typing `psql`\n3. Run the following command as a superuser.\n\n```bash\nCREATE EXTENSION pgaudit;\n```\n\n### Updating the previously created pgaudit.log flag for your Logging Needs\n\n### From Console\n\n**Note**: there are multiple options here. This command will enable logging for all databases on a server. Please see the customizing database audit logging reference for more flag options.\n\n1. 
Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. To set a flag that has not been set on the instance before, click `Add item`.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to `on`.\n7. Click `Done`.\n8. Click `Save` to update the configuration.\n9. Confirm your changes under `Flags` on the `Overview` page.\n\n### From Command Line:\n\nRun the command\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags cloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Determine if logs are being sent to Logs Explorer\n\n1. From the Google Console home page, open the hamburger menu in the top left.\n2. In the menu that pops open, scroll down to Logs Explorer under Operations.\n3. In the query box, paste the following and search\n\nresource.type=\"cloudsql_database\" logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\" protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\"\n\n```\nIf it returns any log sources, they are correctly setup.\n```\n\n### Default Value\n\nBy default `cloudsql.enable_pgaudit` database flag is set to `off` and the extension is not enabled.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.2 PostgreSQL Database", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.2 PostgreSQL Database" + ], + "control_id": "gcp_compliance.control.cis_v200_6_2_9", + "description": "Instance addresses can be public IP or 
private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).", + "title": "6.2.9 Ensure Instance IP assignment is set to private", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.2.9", + "cis_level": "1", + "cis_section_id": "6.2", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nInstance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC). Limiting network access to your database will limit potential attacks. Setting databases access only to private will reduce attack surface.\n\n## Remediation\n\n### From Console\n\n1. In the Google Cloud console, go to the `Cloud SQL Instances` page.\n2. Open the `Overview page` of an instance by clicking the instance name.\n3. Select `Connections` from the SQL navigation menu.\n4. Check the `Private IP` checkbox. A drop-down list shows the available networks in your project.\n5. Select the VPC network you want to use:\nIf you see `Private service connection required`:\n 1. Click `Set up connection`.\n 2. In the `Allocate an IP range` section, choose one of the following options:\n 3. Select one or more existing IP ranges or create a new one from the dropdown. The dropdown includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.\n 4. Use an automatically allocated IP range in your network.\n Note: You can specify an address range only for a primary instance, not for a read replica or clone.\n 5. Click Continue.\n 6. Click Create connection.\n 7. 
Verify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status.\n6. [Optional step for Private Services Access - review reference links to VPC documents for additional detail] If you want to allow other Google Cloud services such as BigQuery to access data in Cloud SQL and make queries against this data over a private IP connection, then select the Private path for Google Cloud services check box.\n7. Click Save\n\n### From Command Line:\n\n1. List cloud SQL instances\n\n```bash\ngcloud sql instances list --format=\"json\" | jq '.[] |.connectionName,.ipAddresses'\n```\n**Note**: the `project name` of the instance you want to set to a private IP, this will be \u003cPROJECT_ID\u003e\n**Note**: the `instance name` of the instance you want to set to a private IP, this will be \u003cINSTANCE_ID\u003e\n\nExample public instance output:\n\n```bash\n\"my-project-123456:us-central1:my-instance\"\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"PRIMARY\"\n },\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"OUTGOING\"\n }\n```\n\n1. run the following command to list the available VPCs\n\n```bash\ngcloud compute networks list --format=\"json\" | jq '.[].name'\n```\n**Note** the name of the VPC to use for the instance private IP, this will be \u003cVPC_NETWORK_NAME\u003e\n\n3. 
run the following to set instance to a private IP\n\n```bash\ngcloud beta sql instances patch \u003cINSTANCE_ID\u003e \\--project=\u003cPROJECT_ID\u003e \\--network=projects/\u003cPROJECT_ID\u003e/global networks\u003cVPC_NETWORK_NAME\u003e \\--no-assign-ip\n```\n\n### Default Value\n\nPublic IP", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_2" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_2", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_1", + "description": "It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.", + "title": "6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.1", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to `set external scripts` enabled database flag for Cloud SQL SQL Server instance to `off`\n\n`external scripts enabled` enable the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. 
As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.This recommendation is applicable to SQL Server database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the Flags section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `external scripts enabled` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags \"external scripts enabled=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `external scripts enabled` is `off`", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_2", + "description": "It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.", + "title": "6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.2", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to set `cross db ownership chaining` database flag for Cloud SQL SQL Server instance to `off`.\n\nUse the `cross db ownership` for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. 
This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in crossdatabase ownership chaining and you are aware of the security implications of this setting.This recommendation is applicable to SQL Server database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**Note:** Any changes to the database flag values, may require your instance to be restarted\n\n### From Command Line\n\n1. Configure the the `cross db ownership chaining` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags \"cross db ownership chaining=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nAs you have to manually turn on this flag, the default value for this is 'On'. 
Though you would have had to design your database schema from the start to include this feature, it often is not enabled.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_3", + "description": "It is recommended to set user connections database flag for Cloud SQL SQL Server instance according organization-defined value.", + "title": "6.3.3 Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.3", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to set `user connections` database flag for Cloud SQL SQL Server instance according organization-defined value.\n\nThe `user connections` option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server. The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware. SQL Server allows a maximum of 32,767 user connections. Because user connections is by default a self- configuring value, with SQL Server adjusting the maximum number of user connections automatically as needed, up to the maximum value allowable. 
For example, if only 10 users are logged in, 10 user connection objects are allocated. In most cases, you do not have to change the value for this option. The default is 0, which means that the maximum (32,767) user connections are allowed. However if there is a number defined here that limits connections, SQL Server will not allow anymore above this limit. If the connections are at the limit, any new requests will be dropped potentially causing lost data or outages for those using the database.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `user connections` from the drop-down menu, and set its value to your organization recommended value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**Note:** Any changes to the database flag values, may require your instance to be restarted\n\n### From Command Line\n\n1. Configure the `user connections` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags \"user connections=[0-32,767]\"\n```\n\n**Note:** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default `user connections` is set to '0' which does not limit the number of connections, giving the server free reign to facilitate a max of 32,767 connections.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_4", + "description": "It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.", + "title": "6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.4", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended that, `user options` database flag for Cloud SQL SQL Server instance should not be configured.\n\nThe `user options` option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. 
After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. Click the X next `user options` flag shown\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. List all Cloud SQL database Instances\n\n```bash\ngcloud sql instances list\n```\n\n2. Clear the `user options` database flag for every Cloud SQL SQL Server database instance using either of the below commands.\n\n```\n1.Clearing all flags to their default value\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --clear-database-flags\nOR\n2. To clear only `user options` database flag, configure the database flag by overriding the `user options`. Exclude `user options` flag and its value, and keep all other flags you want to configure.\ngcloud sql instances patch \u003cINSTANCE_NAME\u003e --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n```\n\n**Note:** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default 'user options' is not configured.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_5", + "description": "It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.", + "title": "6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.5", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to set `remote access` database flag for Cloud SQL SQL Server instance to `off`.\n\nThe `remote access` option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. This default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. 
'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.\n\nThis recommendation is applicable to SQL Server database instances.\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `remote access` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags \"remote access=off\"\n```\n\n**Note:** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nBy default 'remote access' is 'on'.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_6", + "description": "It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.", + "title": "6.3.6 Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.6", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to set `3625 (trace flag)` database flag for Cloud SQL SQL Server instance to `on`.\n\nMicrosoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625(trace log)` Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. 
Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `3625` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `3625` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags \"3625=on\"\n```\n\n**Note:** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n### Default Value\n\nMySQL implementations by default have trace flags turned off, as they are used for logging purposes.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services \u003e 6.3 SQL Server", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services", + "6.3 SQL Server" + ], + "control_id": "gcp_compliance.control.cis_v200_6_3_7", + "description": "It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.", + "title": "6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.3.7", + "cis_level": "1", + "cis_section_id": "6.3", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to set `contained database authentication` database flag for Cloud SQL on the SQL Server instance is set to `off`.\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. 
Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.This recommendation is applicable to SQL Server database instances.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the\nflag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n### From Command Line\n\n1. Configure the `contained database authentication` database flag for every Cloud SQL SQL Server database instance using the below command.\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --database-flags \"contained database authentication=off\"\n```\n\n**Note:** This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_6_3" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6/gcp_compliance.benchmark.cis_v200_6_3", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services" + ], + "control_id": "gcp_compliance.control.cis_v200_6_4", + "description": "It is recommended to enforce all incoming connections to SQL database instance to use SSL.", + "title": "6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.4", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to enforce all incoming connections to SQL database instance to use `SSL`.\n\nSQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.\n\n## Remediation\n\n### From Console\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select `Connections`.\n4. In the `SSL connections` section,click `Allow only SSL connections`.\n5. Under `Configure SSL server certificates` click `Create new certificate`.\n6. 
Under `Configure SSL client certificates` click `Create a client certificate`.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From Command Line\n\n1. To enforce SSL encryption for an instance run the command:\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --require-ssl\n```\n\n**Note**:`RESTART` is required for type MySQL Generation 1 Instances `(backendType: FIRST_GEN)` to get this configuration in effect.\n\n### Default Value\n\nBy default parameter `settings: ipConfiguration: requireSsl` is not set which is equivalent to `requireSsl:false`.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services" + ], + "control_id": "gcp_compliance.control.cis_v200_6_5", + "description": "Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.", + "title": "6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.5", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nDatabase Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.\n\nTo minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.\n\nAn authorized network should not have IPs/networks configured to `0.0.0.0/0` which will allow access to the instance from anywhere in the world. 
Note that authorized networks apply only to instances with public IPs.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From Command Line\n\nUpdate the authorized network list by dropping off any addresses\n\n```bash\ngcloud sql instances patch INSTANCE_NAME --authorizednetworks=IP_ADDR1,IP_ADDR2,...\n```\n\n### Prevention\n\nTo prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks).\n\n### Default Value\n\nBy default, authorized networks are not configured. 
Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services" + ], + "control_id": "gcp_compliance.control.cis_v200_6_6", + "description": "It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.", + "title": "6.6 Ensure that Cloud SQL database instances do not have public IPs", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.6", + "cis_level": "2", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to configure Second Generation SQL instance to use private IPs instead of public IPs.\n\nTo lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.\n\n## Remediation\n\n### From Console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console: [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From Command Line\n\n1. For every instance remove its public IP and assign a private IP instead:\n\n```bash\ngcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --noassign-ip\n```\n\n2. 
Confirm the changes using the following command:\n\n```sql\ngcloud sql instances describe INSTANCE_NAME\n```\n\n### Prevention\n\nTo prevent new SQL instances from getting configured with public IP addresses, set up a `Restrict Public IP access on Cloud SQL instances` Organization policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp).\n\n### Default Value\n\nBy default, Cloud SQL instances have a public IP.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 6 Cloud SQL Database Services", + "category_hierarchy": [ + "CIS v2.0.0", + "6 Cloud SQL Database Services" + ], + "control_id": "gcp_compliance.control.cis_v200_6_7", + "description": "It is recommended to have all SQL database instances set to enable automated backups.", + "title": "6.7 Ensure that Cloud SQL database instances are configured with automated backups", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "6.7", + "cis_level": "1", + "cis_section_id": "6", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP" + }, + "documentation": "## Description\n\nIt is recommended to have all SQL database instances set to enable automated backups.\n\nBackups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage.This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.\n\n## Remediation\n\n### From Console\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check `Enable automated backups`, and choose a backup window.\n5. Click `Save`\n\n### From Command Line\n\n1. List all Cloud SQL database instances using the following command:\n\n```bash\ngcloud sql instances list\n```\n\n2. Enable `Automated backups` for every Cloud SQL database instance using the below command:\n\n```sql\ngcloud sql instances patch INSTANCE_NAME --backup-start-time [HH:MM]\n```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC±00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.\n\n### Default Value\n\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is not possible on any Cloud SQL instance unless Automated Backup is configured.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_6" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_6", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 BigQuery", + "category_hierarchy": [ + "CIS v2.0.0", + "7 BigQuery" + ], + "control_id": "gcp_compliance.control.cis_v200_7_1", + "description": "It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.", + "title": "7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "7.1", + "cis_level": "1", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/BigQuery" + }, + "documentation": "## Description\n\nIt is 
recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.\n\n## Remediation\n\n### From Console\n\n1. Go to `BigQuery` by visiting: [https://console.cloud.google.com/bigquery](https://console.cloud.google.com/bigquery).\n2. Select the dataset from 'Resources'.\n3. Click `SHARING` near the right side of the window and select `Permissions`.\n4. Review each attached role.\n5. Click the delete icon for each member `allUsers` or `allAuthenticatedUsers`. On the popup click `Remove`.\n\n### From Command Line\n\nList the name of all datasets.\n\n```bash\nbq ls\n```\n\nRetrieve the data set details:\n\n```bash\nbq show --format=prettyjson PROJECT_ID:DATASET_NAME \u003e PATH_TO_FILE\n```\n\nIn the access section of the JSON file, update the dataset information to remove all roles containing `allUsers` or `allAuthenticatedUsers`.\n\nUpdate the dataset:\n\n```bash\nbq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\n```\n\n### Prevention\n\nYou can prevent Bigquery dataset from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains](https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains).\n\n### Default Value\n\nBy default, BigQuery datasets are not publicly accessible.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 BigQuery", + "category_hierarchy": [ + "CIS 
v2.0.0", + "7 BigQuery" + ], + "control_id": "gcp_compliance.control.cis_v200_7_2", + "description": "BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.", + "title": "7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "7.2", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/BigQuery" + }, + "documentation": "## Description\n\nBigQuery by default encrypts the data as rest by employing `Envelope Encryption` using Google managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys. 
BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.\n\nApplying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.\n\n```\nNote: Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\n```\n\n## Remediation\n\n### From Command Line\n\nUse the following command to copy the data. The source and the destination needs to be same in case copying to the original table\n\n```bash\nbq cp --destination_kms_key \u003ccustomer_managed_key\u003e source_dataset.source_table destination_dataset.destination_table\n```\n\n### Default Value\n\nGoogle Managed keys are used as `key encryption keys`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_7", + "executable": true + }, + { + "category_breadcrumb": "CIS v2.0.0 \u003e 7 BigQuery", + "category_hierarchy": [ + "CIS v2.0.0", + "7 BigQuery" + ], + "control_id": "gcp_compliance.control.cis_v200_7_3", + "description": "BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. 
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.", + "title": "7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_item_id": "7.3", + "cis_level": "2", + "cis_section_id": "7", + "cis_type": "automated", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/BigQuery" + }, + "documentation": "## Description\n\nBigQuery by default encrypts the data as rest by employing `Envelope Encryption` using Google managed cryptographic keys. The data is encrypted using the data encryption keys and `data encryption keys` themselves are further encrypted using `key encryption keys`. This is seamless and do not require any additional input from the user.However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.\n\nBigQuery by default encrypts the data as rest by employing `Envelope Encryption` using Google managed cryptographic keys. This is seamless and does not require any additional input from the user.\n\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.\n\n```\nNote: Google does not store your keys on its servers and cannot access your protected data unless you provide the key. 
This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\n```\n\n## Remediation\n\n### From Command Line\n\nThe default CMEK for existing data sets can be updated by specifying the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n### Default Value\n\nGoogle Managed keys are used as `key encryption keys`.\n", + "parent_control_hierarchy": [ + "gcp_compliance.benchmark.cis_v200", + "gcp_compliance.benchmark.cis_v200_7" + ], + "parent_control_breadcrumb": "gcp_compliance.benchmark.cis_v200/gcp_compliance.benchmark.cis_v200_7", + "executable": true + } +] \ No newline at end of file diff --git a/deepfence_server/cloud_controls/gcp/cis_benchmarks.json b/deepfence_server/cloud_controls/gcp/cis_benchmarks.json new file mode 100644 index 0000000000..1a08234fb4 --- /dev/null +++ b/deepfence_server/cloud_controls/gcp/cis_benchmarks.json 
@@ -0,0 +1,282 @@ +[ + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200", + "description": "The CIS Google Cloud Platform Foundations Security Benchmark covers foundational elements of Google Cloud Platform.", + "title": "CIS v2.0.0", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP", + "type": "Benchmark" + }, + "documentation": "To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.\n\n## Overview\n\nThe CIS Google Cloud Platform Foundations Security Benchmark covers foundational elements of Google Cloud Platform.\n\n## Profiles\n\nThe following configuration profiles are defined by this Benchmark:\n\n### Level 1\n\nItems in this profile intend to:\n- be practical and prudent;\n- provide a clear security benefit; and\n- not inhibit the utility of the technology beyond acceptable means.\n\n### Level 2\n\nThis profile extends the \"Level 1\" profile. Items in this profile exhibit one or more of the following characteristics:\n\n- are intended for environments or use cases where security is more critical than manageability and usability\n- acts as defense in depth measure\n- may impact the utility or performance of the technology\n- may include additional licensing, cost, or addition of third party software", + "children": [ + "gcp_compliance.benchmark.cis_v200_1", + "gcp_compliance.benchmark.cis_v200_2", + "gcp_compliance.benchmark.cis_v200_3", + "gcp_compliance.benchmark.cis_v200_4", + "gcp_compliance.benchmark.cis_v200_5", + "gcp_compliance.benchmark.cis_v200_6", + "gcp_compliance.benchmark.cis_v200_7" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_1", + "description": "", + "title": "1 Identity and Access Management", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "1", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP", + "type": "Benchmark" + }, + "documentation": "## 
Overview\n\nThis section covers recommendations addressing Identity and Access Management on Google Cloud Platform.\n", + "children": [ + "gcp_compliance.control.cis_v200_1_1", + "gcp_compliance.control.cis_v200_1_2", + "gcp_compliance.control.cis_v200_1_3", + "gcp_compliance.control.cis_v200_1_4", + "gcp_compliance.control.cis_v200_1_5", + "gcp_compliance.control.cis_v200_1_6", + "gcp_compliance.control.cis_v200_1_7", + "gcp_compliance.control.cis_v200_1_8", + "gcp_compliance.control.cis_v200_1_9", + "gcp_compliance.control.cis_v200_1_10", + "gcp_compliance.control.cis_v200_1_11", + "gcp_compliance.control.cis_v200_1_12", + "gcp_compliance.control.cis_v200_1_13", + "gcp_compliance.control.cis_v200_1_14", + "gcp_compliance.control.cis_v200_1_15", + "gcp_compliance.control.cis_v200_1_16", + "gcp_compliance.control.cis_v200_1_17", + "gcp_compliance.control.cis_v200_1_18" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_2", + "description": "", + "title": "2 Logging and Monitoring", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "2", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing Logging and Monitoring on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_2_1", + "gcp_compliance.control.cis_v200_2_2", + "gcp_compliance.control.cis_v200_2_3", + "gcp_compliance.control.cis_v200_2_4", + "gcp_compliance.control.cis_v200_2_5", + "gcp_compliance.control.cis_v200_2_6", + "gcp_compliance.control.cis_v200_2_7", + "gcp_compliance.control.cis_v200_2_8", + "gcp_compliance.control.cis_v200_2_9", + "gcp_compliance.control.cis_v200_2_10", + "gcp_compliance.control.cis_v200_2_11", + "gcp_compliance.control.cis_v200_2_12", + "gcp_compliance.control.cis_v200_2_13", + "gcp_compliance.control.cis_v200_2_14", + "gcp_compliance.control.cis_v200_2_15", + 
"gcp_compliance.control.cis_v200_2_16" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_3", + "description": "", + "title": "3 Networking", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "3", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing networking on Google Cloud Platform.\n", + "children": [ + "gcp_compliance.control.cis_v200_3_1", + "gcp_compliance.control.cis_v200_3_2", + "gcp_compliance.control.cis_v200_3_3", + "gcp_compliance.control.cis_v200_3_4", + "gcp_compliance.control.cis_v200_3_5", + "gcp_compliance.control.cis_v200_3_6", + "gcp_compliance.control.cis_v200_3_7", + "gcp_compliance.control.cis_v200_3_8", + "gcp_compliance.control.cis_v200_3_9", + "gcp_compliance.control.cis_v200_3_10" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_4", + "description": "", + "title": "4 Virtual Machines", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "4", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing virtual machines on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_4_1", + "gcp_compliance.control.cis_v200_4_2", + "gcp_compliance.control.cis_v200_4_3", + "gcp_compliance.control.cis_v200_4_4", + "gcp_compliance.control.cis_v200_4_5", + "gcp_compliance.control.cis_v200_4_6", + "gcp_compliance.control.cis_v200_4_7", + "gcp_compliance.control.cis_v200_4_8", + "gcp_compliance.control.cis_v200_4_9", + "gcp_compliance.control.cis_v200_4_10", + "gcp_compliance.control.cis_v200_4_11", + "gcp_compliance.control.cis_v200_4_12" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_5", + "description": "", + "title": "5 Storage", + "tags": { + "benchmark": "cis", + "category": 
"Compliance", + "cis_section_id": "5", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/Storage", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing storage on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_5_1", + "gcp_compliance.control.cis_v200_5_2" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_6", + "description": "", + "title": "6 Cloud SQL Database Services", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "6", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers security recommendations to follow to secure Cloud SQL database services.\n\nThe recommendations in this section on setting up database flags are also present in the [CIS Oracle MySQL Community Server 5.7 Benchmarks](https://www.cisecurity.org/benchmark/oracle_mysql) and in the [CIS PostgreSQL 12 Benchmarks](https://www.cisecurity.org/benchmark/postgresql). We, nevertheless, include them here as well, the remediation instructions are different on Cloud SQL. 
Settings these flags require superuser privileges and can only be configured through GCP controls.\n\nLearn more at: [https://cloud.google.com/sql/docs/postgres/users](https://cloud.google.com/sql/docs/postgres/users) and [https://cloud.google.com/sql/docs/mysql/flags](https://cloud.google.com/sql/docs/mysql/flags).", + "children": [ + "gcp_compliance.benchmark.cis_v200_6_1", + "gcp_compliance.benchmark.cis_v200_6_2", + "gcp_compliance.benchmark.cis_v200_6_3", + "gcp_compliance.control.cis_v200_6_4", + "gcp_compliance.control.cis_v200_6_5", + "gcp_compliance.control.cis_v200_6_6", + "gcp_compliance.control.cis_v200_6_7" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_6_1", + "description": "", + "title": "6.1 MySQL Database", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "6.1", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing Cloud SQL for MySQL on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_6_1_1", + "gcp_compliance.control.cis_v200_6_1_2", + "gcp_compliance.control.cis_v200_6_1_3" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_6_2", + "description": "", + "title": "6.2 PostgreSQL Database", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "6.2", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing Cloud SQL for PostgreSQL on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_6_2_1", + "gcp_compliance.control.cis_v200_6_2_2", + "gcp_compliance.control.cis_v200_6_2_3", + "gcp_compliance.control.cis_v200_6_2_4", + "gcp_compliance.control.cis_v200_6_2_5", + "gcp_compliance.control.cis_v200_6_2_6", + "gcp_compliance.control.cis_v200_6_2_7", + 
"gcp_compliance.control.cis_v200_6_2_8", + "gcp_compliance.control.cis_v200_6_2_9" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_6_3", + "description": "", + "title": "6.3 SQL Server", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "6.3", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/SQL", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section covers recommendations addressing Cloud SQL for SQL Server on Google Cloud Platform.", + "children": [ + "gcp_compliance.control.cis_v200_6_3_1", + "gcp_compliance.control.cis_v200_6_3_2", + "gcp_compliance.control.cis_v200_6_3_3", + "gcp_compliance.control.cis_v200_6_3_4", + "gcp_compliance.control.cis_v200_6_3_5", + "gcp_compliance.control.cis_v200_6_3_6", + "gcp_compliance.control.cis_v200_6_3_7" + ] + }, + { + "benchmark_id": "gcp_compliance.benchmark.cis_v200_7", + "description": "", + "title": "7 BigQuery", + "tags": { + "benchmark": "cis", + "category": "Compliance", + "cis_section_id": "7", + "cis_version": "v2.0.0", + "plugin": "gcp", + "service": "GCP/BigQuery", + "type": "Benchmark" + }, + "documentation": "## Overview\n\nThis section addresses Google CloudPlatform BigQuery. BigQuery is a serverless, highly-scalable, and cost-effective cloud data warehouse with an in-memory BI Engine and machine learning built in.\n", + "children": [ + "gcp_compliance.control.cis_v200_7_1", + "gcp_compliance.control.cis_v200_7_2", + "gcp_compliance.control.cis_v200_7_3" + ] + } +] \ No newline at end of file diff --git a/deepfence_worker/cronjobs/cloud_compliance.go b/deepfence_worker/cronjobs/cloud_compliance.go index 1e94792a87..4bc1e1cc13 100644 --- a/deepfence_worker/cronjobs/cloud_compliance.go +++ b/deepfence_worker/cronjobs/cloud_compliance.go 
@@ -9,9 +9,13 @@ import ( "github.com/deepfence/golang_deepfence_sdk/utils/utils" "github.com/neo4j/neo4j-go-driver/v4/neo4j" "os" + "strings" ) -var BenchmarksAvailable = []string{"cis", "nist", "pci", "gdpr", "hipaa", "soc_2"} +var BenchmarksAvailableMap = map[string][]string{ + "aws": {"cis", "nist", "pci", "gdpr", "hipaa", "soc_2"}, + "gcp": {"cis"}, + "azure": {"cis", "nist", "pci", "hipaa"}} type Benchmark struct { BenchmarkId string `json:"benchmark_id"` 
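Review bot: The new exported `BenchmarksAvailableMap` has no doc comment, and its keys and values double as filesystem paths (`/cloud_controls/<key>/<value>.json` and `<value>_benchmarks.json` in the next hunk), so a reader cannot tell from the declaration that listing an entry without shipping both files makes `AddCloudControls` fail for every provider. Go also randomizes map iteration order, so the sequence in which providers are loaded, and which missing file is reported first, varies between runs; harmless for the MERGE queries but worth stating. Suggested comment above the declaration: `// BenchmarksAvailableMap maps each cloud provider (a directory under /cloud_controls) to the benchmarks it ships; every entry needs both <benchmark>.json and <benchmark>_benchmarks.json, since a missing file aborts the whole load. Iteration order is unspecified.`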
@@ -52,22 +56,23 @@ func AddCloudControls(msg *message.Message) error { } defer tx.Close() - cwd := "/cloud_controls/aws" - for _, benchmark := range BenchmarksAvailable { - controlFilePath := fmt.Sprintf("%s/%s.json", cwd, benchmark) - controlsJson, err := os.ReadFile(controlFilePath) - if err != nil { - return fmt.Errorf("Error reading controls file %s: %s", controlFilePath, err.Error()) - } - var controlList []Control - if err := json.Unmarshal(controlsJson, &controlList); err != nil { - return fmt.Errorf("Error unmarshalling controls for compliance type %s: %s", benchmark, err.Error()) - } - var controlMap []map[string]interface{} - for _, control := range controlList { - controlMap = append(controlMap, utils.ToMap(control)) - } - if _, err = tx.Run(` + for cloud, benchmarksAvailable := range BenchmarksAvailableMap { + cwd := "/cloud_controls/" + cloud + for _, benchmark := range benchmarksAvailable { + controlFilePath := fmt.Sprintf("%s/%s.json", cwd, benchmark) + controlsJson, err := os.ReadFile(controlFilePath) + if err != nil { + return fmt.Errorf("Error reading controls file %s: %s", controlFilePath, err.Error()) + } + var controlList []Control + if err := json.Unmarshal(controlsJson, &controlList); err != nil { + return fmt.Errorf("Error unmarshalling controls for compliance type %s: %s", benchmark, err.Error()) + } + var controlMap []map[string]interface{} + for _, control := range controlList { + controlMap = append(controlMap, utils.ToMap(control)) + } + if _, err = tx.Run(` UNWIND $batch as row MERGE (n:CloudComplianceExecutable:CloudComplianceControl{ node_id: row.parent_control_breadcrumb + row.control_id, 
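Review bot: Any unreadable or malformed file for one provider now returns before `tx.Commit()`, so a bad `/cloud_controls/azure/nist.json` leaves the AWS and GCP controls unloaded as well, whereas before this change only the AWS directory was in scope. If that all-or-nothing behaviour is intended (the files are shipped with the image rather than supplied at runtime), a comment at the top of the outer loop saying so would save the next reader from wondering, e.g. `// Any missing/invalid control file aborts the load for all providers; the deferred tx.Close() discards partial work.`; otherwise the loop could collect per-provider errors and still commit the providers that parsed. Whether `tx.Close()` actually rolls back an uncommitted transaction is driver behaviour not visible here. `AddCloudControls` begins before this hunk.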
@@ -76,8 +81,8 @@ func AddCloudControls(msg *message.Message) error { description: row.description, title: row.title, documentation: row.documentation, - service: 'AWS', - cloud_provider: 'aws', + service: $cloudCap, + cloud_provider: $cloud, category: 'Compliance', compliance_type: $benchmark, parent_control_hierarchy: row.parent_control_hierarchy, 
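Review bot: `service: $cloudCap` stores the upper-cased provider key ("GCP", "AZURE") although every control entry in the JSON files above carries a finer `tags.service` such as "GCP/BigQuery" or "Azure/ActiveDirectory", so that granularity is dropped at import; and because `service` and `cloud_provider` sit inside the MERGE pattern they are part of the match key, so changing either value later creates a second node with the same `node_id` rather than updating the existing one unless a uniqueness constraint exists, which is not visible here. Existing AWS nodes keep matching only because `strings.ToUpper("aws")` equals the old literal `'AWS'`. If the coarse value is intended, make that explicit with `// service/cloud_provider are part of the MERGE key: a different value creates a new node instead of updating`; if not, `service: row.tags.service` is available from the batch rows provided `tags` survives `utils.ToMap` as a nested map. The MERGE statement starts in the previous hunk.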
@@ -88,26 +93,28 @@ func AddCloudControls(msg *message.Message) error { }) ON CREATE SET n.active = true`, - map[string]interface{}{ - "batch": controlMap, - "benchmark": benchmark, - }); err != nil { - return err - } - benchmarkFilePath := fmt.Sprintf("%s/%s_benchmarks.json", cwd, benchmark) - benchmarksJson, err := os.ReadFile(benchmarkFilePath) - if err != nil { - return fmt.Errorf("Error reading benchmarks file %s: %s", benchmarkFilePath, err.Error()) - } - var benchmarkList []Benchmark - if err := json.Unmarshal(benchmarksJson, &benchmarkList); err != nil { - return fmt.Errorf("Error unmarshalling benchmarks for compliance type %s: %s", benchmark, err.Error()) - } - var benchmarkMap []map[string]interface{} - for _, benchMark := range benchmarkList { - benchmarkMap = append(benchmarkMap, utils.ToMap(benchMark)) - } - if _, err = tx.Run(` + map[string]interface{}{ + "batch": controlMap, + "benchmark": benchmark, + "cloud": cloud, + "cloudCap": strings.ToUpper(cloud), + }); err != nil { + return err + } + benchmarkFilePath := fmt.Sprintf("%s/%s_benchmarks.json", cwd, benchmark) + benchmarksJson, err := os.ReadFile(benchmarkFilePath) + if err != nil { + return fmt.Errorf("Error reading benchmarks file %s: %s", benchmarkFilePath, err.Error()) + } + var benchmarkList []Benchmark + if err := json.Unmarshal(benchmarksJson, &benchmarkList); err != nil { + return fmt.Errorf("Error unmarshalling benchmarks for compliance type %s: %s", benchmark, err.Error()) + } + var benchmarkMap []map[string]interface{} + for _, benchMark := range benchmarkList { + benchmarkMap = append(benchmarkMap, utils.ToMap(benchMark)) + } + if _, err = tx.Run(` UNWIND $batch as row MERGE (n:CloudComplianceExecutable:CloudComplianceBenchmark{ node_id: row.benchmark_id, 
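Review bot: The `return err` after the control-batch `tx.Run` discards which provider and benchmark the failing batch belonged to, while the neighbouring file-read errors name the path; wrapping it keeps the failure actionable now that three providers share one transaction: `return fmt.Errorf("merging %s/%s controls: %w", cloud, benchmark, err)` (`fmt` is already imported for the Sprintf calls). Separately, `strings.ToUpper(cloud)` is evaluated here and again for the benchmark query below; computing `cloudCap := strings.ToUpper(cloud)` once next to `cwd` (declared in the previous hunk) removes the duplication and keeps both queries trivially in step. The `tx.Run` call this parameter map belongs to begins in the previous hunk.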
@@ -116,8 +123,8 @@ func AddCloudControls(msg *message.Message) error { description: row.description, title: row.title, documentation: row.documentation, - service: 'AWS', - cloud_provider: 'aws', + service: $cloudCap, + cloud_provider: $cloud, category: 'Compliance', compliance_type: $benchmark, executable: false @@ -128,11 +135,14 @@ func AddCloudControls(msg *message.Message) error { WHERE benchmark_id = m.parent_control_hierarchy[-1] MERGE (n) -[:INCLUDES]-> (m) `, - map[string]interface{}{ - "batch": benchmarkMap, - "benchmark": benchmark, - }); err != nil { - return err + map[string]interface{}{ + "batch": benchmarkMap, + "benchmark": benchmark, + "cloud": cloud, + "cloudCap": strings.ToUpper(cloud), + }); err != nil { + return err + } } } return tx.Commit()
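Review bot: The bare `return err` after the benchmark `tx.Run` loses the provider/benchmark context that the file-read errors earlier in the loop include, and with three providers now loaded in one call the failing one is otherwise unidentifiable: `return fmt.Errorf("merging %s/%s benchmarks: %w", cloud, benchmark, err)`. With the extra nesting, the three closing braces before `return tx.Commit()` are easy to misread; a trailing `} // cloud loop` on the outer one is cheap. `fmt` is already imported.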