Policy Templates for Azure
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
For a list of Policy Templates that have been deprecated, see Policy Templates for Azure - DEPRECATED.
To find the Policy Templates for Azure CIS version v1.0.0 to v1.5.0, see Policy Templates for Azure- CIS Version v1.0.0 to v1.5.0.
Azure CIS version v2.0.0 onwards
This table lists the Policy Templates provided for use with Azure CIS version v2.0.0 onwards.
| Policy Name | Resource/Entity Type | CISv2.0.0 Level 1 | CISv2.0.0 Level 2 | Policy Description |
|---|---|---|---|---|
| Soft delete and purge protection should be enabled on Key vaults | Key Vaults | 8.5 |
It is recommended that the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is to prevent the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) and more. This may happen due to accidental deletion by a user or disruptive activity by a malicious user. |
|
| PostgreSQL Database Server should enable Log checkpoints |
PostgreSQL Database Server |
4.3.1 |
Enabling log_checkpoints helps the PostgreSQL database log each checkpoint, which generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
|
| Web app should use latest version of TLS encryption | AppService | 9.3 |
The TLS (Transport Layer Security) protocol secures data transmission over the internet using standard encryption technology. Encryption should be set to the latest TLS version. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. |
|
| Web app should enable client certificates | AppService | 9.4 |
Client certificates (Incoming client certificates) allow the app to request a certificate for incoming requests. Only clients with valid certificates can access the app. |
|
| Web app should use latest HTTP version | AppService | 9.9 |
Periodically, newer versions are released for HTTP either due to security flaws or additional functionality. Use the latest HTTP version for web apps to benefit from security fixes, if any, and/or new functionalities in the newer version. |
|
| PostgreSQL Database Flexible Server should enable Log checkpoints | PostgreSQL Database Flexible Server | 4.3.1 |
Enabling log_checkpoints helps the PostgreSQL database log each checkpoint, which generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
|
| PostgreSQL Database Server should enable log connections | PostgreSQL Database Server | 4.3.3 |
Enabling log_connections helps PostgreSQL Database log attempted connections to the server, as well as the successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance. |
|
| PostgreSQL Database Server should enable log disconnections | PostgreSQL Database Server | 4.3.4 |
Enabling log_disconnections helps PostgreSQL Database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
|
| PostgreSQL Database Server should enable throttling connection | PostgreSQL Database Server | 4.3.5 |
Enabling connection_throttling helps the PostgreSQL Database to set the verbosity of logged messages. This generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
|
| PostgreSQL Database Server should have greater than 3 log retention days | PostgreSQL Database Server | 4.3.6 |
Configuring log_retention_days determines the duration in days Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
|
| PostgreSQL Database Server should enable Enforce SSL connection | PostgreSQL Database Server | 4.3.1 |
SSL connectivity provides a new layer of security by connecting database servers to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications protects against "man in the middle" attacks by encrypting the data stream between the server and the application. |
|
| Function app should use latest version of TLS encryption | AppService | 9.3 |
The TLS (Transport Layer Security) protocol secures data transmission over the internet using standard encryption technology. Encryption should be set to the latest TLS version. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. |
|
| Function app should enable client certificates | AppService | 9.4 |
Client certificates (Incoming client certificates) allow the app to request a certificate for incoming requests. Only clients with valid certificates can access the app. |
|
| Function app should use latest HTTP version | AppService | 9.9 |
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to benefit from security fixes, if any, and/or new functionalities in the newer version. |
|
| Soft delete should be enabled for Storage | Storage Accounts | 3.11 | It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted. | |
| App Services FTP deployments should be restricted | Azure Application | 9.1 | Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App. | |
| Unattached disks should be encrypted with Customer Managed Key | Disk | 7.4 | Managed disks are encrypted by default with Platform-managed keys. Using Customer- managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering. | |
| Web app should restrict all non-secure HTTP requests and redirect all HTTP traffic to HTTPS in Azure App Service | Azure Application | 9.2 | Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection that is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits. | |
| Microsoft Defender should enable Endpoint to access my data | Azure Security Settings | 2.1.22 | Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions". | |
| TLS version should be set to default for MySQL flexible database Server | Azure MySQL database flexible Server | 4.4.2 | Ensure TLS version on MySQL flexible servers is set to the default value.TLS connectivity helps to provide a new layer of security by connecting database servers to client applications using Transport Layer Security. Enforcing TLS connections between database servers and client applications helps protect against man-in-the-middle attacks by encrypting the data stream between the server and the application. |