CIS Microsoft Azure Foundations Benchmark 2.1.0 Checklist Details (Checklist Revisions)
NOTE
This is not the current revision of this Checklist; see the current revision.
Supporting Resources:
- Download Prose - CIS Microsoft Azure Foundations Benchmark v2.1.0
- Center for Internet Security (CIS)
Target:
Target | CPE Name
---|---
Microsoft Azure | cpe:/o:microsoft:azure:-
Checklist Highlights
- Checklist Name: CIS Microsoft Azure Foundations Benchmark
- Checklist ID: 1138
- Version: 2.1.0
- Type: Compliance
- Review Status: Candidate
- Authority: Third Party: Center for Internet Security (CIS)
- Original Publication Date: 02/13/2024
Checklist Summary:
This document, CIS Microsoft Azure Foundations Benchmark, provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. The benchmark is, however, not an exhaustive list of all possible security configurations and architecture; it should be understood as a starting point, and site-specific tailoring will almost certainly be required.

The CIS Azure Foundations Benchmark provides recommendations for the following Azure services:
- App Service
- Application Gateway
- Microsoft Entra ID
- Azure Advisor
- Azure Cosmos DB
- Azure Disk Storage
- Azure Files
- Azure Monitor
- Azure Policy
- Azure Private Link
- Azure Resource Manager
- Azure Service Health
- Azure SQL
- Azure SQL Database
- Key Vault
- Microsoft Azure portal
- Microsoft Defender for Cloud
- Static Web Apps
- Storage Accounts
- Virtual Machines
- Virtual Network

Multiple Methods of Audit and Remediation
Throughout the Benchmark, Audit and Remediation procedures are prescribed using up to five different methods. These multiple methods are presented for the convenience of readers who will be coming from different technical and experiential backgrounds. To perform any given Audit or Remediation, only one method needs to be performed. Not every method is available for every recommendation, and many that are available are not yet written for every recommendation. The methods presented in the Benchmark are formatted and titled as follows:
- "From Azure Portal" - The administrative GUI accessed at https://portal.azure.com.
- "From Azure CLI" - See additional detail in the next section.
- "From PowerShell" - See additional detail in the next section.
- "From REST API" - An Application Programming Interface (API) for HTTP operations on service endpoints.
- "From Azure Policy" - Azure Policy is administered from the Microsoft Defender for Cloud blade, where Policy Initiatives can be created from "Regulatory Compliance" or by using pre-built Industry & Regulatory Standards.

Setting Up PowerShell and Azure CLI
In order to use the Azure Command Line Interface (CLI) and the Azure PowerShell methods for audit and remediation procedures, the account running the procedures requires the following permissions:
- Global Reader
- Security Reader
- Subscription Contributor
- Key Vault Get/List privileges on Keys, Secrets, Certificates, and Certificate Authorities
- Network allow listing for any source IP address performing the audit activities
- Permissions to use PowerShell and Azure CLI
These permissions can be directly assigned or assigned via Privileged Identity Management.

The Azure CLI tool can be installed from the following location: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli

For PowerShell, the following modules are required:
- Azure PowerShell: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps-msi?view=azps-8.2.0
- Microsoft Graph PowerShell: https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0
- Microsoft Entra ID PowerShell for Graph (the AzureAD module): https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview?view=azureadps-2.0
- MS Online PowerShell (the MSOnline module): https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0
Note that Microsoft has since deprecated the AzureAD and MSOnline modules in favour of the Microsoft Graph PowerShell SDK, so expect their cmdlets to stop working and prefer the Microsoft Graph equivalents.

Authenticating with Azure CLI
Run the following command from either PowerShell or a command prompt, supplying your tenant and subscription identifiers in place of the placeholders:
az login --tenant <tenant-id> --subscription <subscription-id>

Authenticating with PowerShell
Log in to the Azure tenant and subscription using the following commands:
Connect-AzAccount -Subscription <subscription-id> -Tenant <tenant-id>
Connect-MgGraph
Connect-MsolService
Connect-AzureAD

NOTE: This will store session information within the PowerShell environment, and it may persist after closing PowerShell. Please take all necessary precautions to shorten the lifespan of this session and protect it from unauthorized access.

Latest Version
To obtain the latest version of this guide, please visit https://www.cisecurity.org/cis-benchmarks/.

Feedback
If you have questions, comments, or have identified ways to improve this guide, please write us at benchmarkinfo@cisecurity.org.
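The following script is an added example, not part of the CIS benchmark or the NIST record, showing how a practitioner can act on the note above: it performs the PowerShell sign-in as a short-lived session with a narrow Graph scope, verifies that the signed-in account actually holds the roles the benchmark lists as prerequisites, and guarantees the cached tokens are torn down even when a step fails. It assumes the Az.Accounts, Az.Resources and Microsoft.Graph (version 2 or later, for -NoWelcome) modules are installed, that the operator signs in interactively as a user, and that the Directory.Read.All scope is sufficient for reading the user's directory-role memberships; $TenantId and $SubscriptionId are placeholders supplied by the caller.

```powershell
# Added example (not from the CIS benchmark or the NIST record): perform the
# PowerShell sign-in the benchmark describes as a short-lived session with
# least-privilege Graph scopes, confirm the signed-in account holds the roles
# the benchmark requires, and destroy the cached tokens when done.
# Assumptions: Az.Accounts, Az.Resources and Microsoft.Graph (v2 or later, for
# -NoWelcome) are installed, and the caller signs in interactively as a user.
# $TenantId and $SubscriptionId are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId
)

# Azure RBAC roles and Entra directory roles named in the benchmark's prerequisites.
$RequiredRbacRoles      = @('Contributor', 'Security Reader')
$RequiredDirectoryRoles = @('Global Reader')

# Stop Az.Accounts writing its token cache to the user profile; this is the
# persistence the benchmark's NOTE warns about.
Disable-AzContextAutosave -Scope CurrentUser | Out-Null

try {
    Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId -ErrorAction Stop | Out-Null

    # Ask Graph only for the scope this check needs (reading directory
    # memberships). Directory.Read.All is an assumption; widen it only where a
    # specific recommendation's audit step needs more.
    Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All' -NoWelcome -ErrorAction Stop

    $signInName = (Get-AzContext).Account.Id

    # RBAC assignments visible at subscription scope (direct and inherited).
    $rbacRoles = Get-AzRoleAssignment -SignInName $signInName -Scope "/subscriptions/$SubscriptionId" |
        Select-Object -ExpandProperty RoleDefinitionName -Unique

    # Active Entra directory roles for the same user, read through Microsoft Graph.
    $directoryRoles = Get-MgUserMemberOf -UserId $signInName -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    $missing = @(
        $RequiredRbacRoles      | Where-Object { $_ -notin $rbacRoles }
        $RequiredDirectoryRoles | Where-Object { $_ -notin $directoryRoles }
    )

    if ($missing.Count -gt 0) {
        # Fail closed: an audit run with insufficient rights produces partial,
        # misleading "pass" results instead of an obvious error.
        throw "Account $signInName is missing required roles: $($missing -join ', ')"
    }

    Write-Host "Prerequisites satisfied for $signInName; run the benchmark audit steps here."
}
finally {
    # Runs even when a step above throws: tear down both sessions and clear the
    # in-process Az context so no reusable credential material is left behind.
    Disconnect-MgGraph  -ErrorAction SilentlyContinue | Out-Null
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
    Clear-AzContext -Scope Process -Force -ErrorAction SilentlyContinue
}
```

If a recommendation requires the AzureAD module as well, add Disconnect-AzureAD to the finally block; the MSOnline module has no disconnect cmdlet, so its session ends only when the PowerShell process exits, which is one more reason to run audits in a dedicated, short-lived shell. The Azure CLI equivalents of the teardown are az logout followed by az account clear, which removes the cached subscriptions and tokens that az login leaves on disk.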
Checklist Role:
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Microsoft Azure.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
benchmarkinfo@cisecurity.org
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
new checklist - 2/28/24
Dependency/Requirements:
Not provided.
References:
Not provided.
NIST checklist record last modified on 02/28/2024
* This checklist is still undergoing review for inclusion into the NCP.