The Center for Internet Security (CIS) is a nonprofit that publishes a benchmark — a set of security configuration best practices for Microsoft Azure.
To read more about CIS Microsoft Azure Foundations Benchmark, please visit CIS Microsoft Azure home page .
CIS Azure v1.5.0 non-compliance issues (44)
| Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action | |
|---|---|---|---|---|---|---|---|---|
| Compute | Medium | CIS 2.5 | eastus | test-vm | Virtual Machine does not have Automatic Update configured. | To fulfill PCI DSS requirements on having the latest updates and patches installed, ensure that your VMs have Automatic Update enabled. | More info | |
| Compute | Medium | CIS 7.1 | westus2 | test-vm2 | Virtual Machine is not configured to use Azure managed Disk Volume. | For reliable, efficient and simplified disk management, ensure that your VMs are configured to use managed Disk Volumes. | More info | |
| Compute | Medium | CIS 7.2 PCI DSS 3.5 HIPAA (Encryption) | westus2 | data-disk | Disk Volume is not encrypted. | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that all VM disks are encrypted. | More info | |
| Compute | Medium | CIS 7.2 | westus2 | test-vm2_disk1_bcf51a4e96ba4accb5b16c34beb0fd23 | Disk Volume does not use customer-managed keys. | To have a more granular control over your VM data encryption/decryption process, ensure that VM disks are created using customer-managed keys (also known as Bring Your Own Keys - BYOKs). | More info | |
| Networking | Medium | CIS 6.5 PCI DSS 10.2 HIPAA (Audit) | eastus | basicNsgtest-scale-set_group-vnet-nic01 | Network Security Group (NSG) has flow log retention set to 31 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that NSGs have a sufficient flow log retention period, i.e. 90 days or more. | More info | |
| Networking | Medium | CIS 6.6 | eastus | Network | Network Watcher is not enabled in the region "East US". | To locate, diagnose, and gain insights into Azure networks, enable the Network Watcher service in the region "East US". | More info | |
| Storage | Medium | CIS 3.8 PCI DSS (Networking) HIPAA (Networking) | centralus | prevasioteststorageacc | Storage Account is configured to allow access to traffic from all networks (including Internet traffic). | To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default. | More info | |
| Storage | Medium | CIS 3.11 | centralus | prevasioteststorageacc | Storage Account Blob has Soft Delete data retention period configured to 7 days, while the recommended minimum is 31 days or more. | To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days. | More info | |
| Storage | Medium | CIS 3.12 | eastus | prevasiostorageaccount | Storage Account uses Microsoft managed key instead of BYOK (Bring Your Own Key). | For greater control, transparency and increasing security by having full control of the encryption keys, ensure your Storage Account data at rest is protected with a key from your own Azure Key Vault. | More info | |
| Storage | Medium | CIS 3.9 | eastus | prevasiostorageaccount | Storage Account is configured not to allow trusted Azure services to access itself. | To allow trusted cloud services to access your Storage Account with the enabled firewall rules, add an exception so that the trusted Azure services can bypass your network rules and still access your Storage Account. | More info | |
| Storage | Medium | CIS 3.15 PCI DSS (Old Protocols) | eastus | prevasiostorageaccount | Storage Account has TLS version 1.0, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure your Storage Account uses TLS 1.2 or higher for all TLS connections. | More info | |
| Storage | Medium | CIS 3.1 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasiostorageaccount | Storage Account allows insecure HTTP origin. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, ensures HTTPS-only traffic is allowed to Storage Account endpoints. | More info | |
| Storage | Medium | CIS 3.11 | eastus | prevasiostorageaccount | Storage Account Blob has Soft Delete data retention period configured to 3 days, while the recommended minimum is 31 days or more. | To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days. | More info | |
| Storage | Medium | CIS 3.12 | eastus | sqlvan5orkhoarubfu | Storage Account uses Microsoft managed key instead of BYOK (Bring Your Own Key). | For greater control, transparency and increasing security by having full control of the encryption keys, ensure your Storage Account data at rest is protected with a key from your own Azure Key Vault. | More info | |
| Storage | Medium | CIS 3.8 PCI DSS (Networking) HIPAA (Networking) | eastus | sqlvan5orkhoarubfu | Storage Account is configured to allow access to traffic from all networks (including Internet traffic). | To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default. | More info | |
| Storage | Medium | CIS 3.11 | eastus | sqlvan5orkhoarubfu | Storage Account Blob has no Soft Delete data retention period configured. | To handle your data restoration process in the event of a failure more efficiently, ensure that your Storage Blob objects have a sufficient Soft Delete data retention period, i.e. greater than 30 days. | More info | |
| Storage | Medium | CIS 3.7 PCI DSS (Networking) HIPAA (Networking) | global | test-storage-container | Storage Blob Container allows public access. | To fulfill HIPAA and PCI DSS requirements on strict access controls to all data, ensure that all Blob Containers have anonymous public access disabled. | More info | |
| Web | Medium | CIS 9.1 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-web-app | App Service has Authentication feature disabled. | To add an extra layer of security to the authentication process, ensure that your App Services have Authentication feature enabled. | More info | |
| Web | Low | CIS 9.9 | eastus | prevasio-web-app | App Service is not using the latest version of the HTTP protocol (HTTP 2.0). | To make your web applications load faster, enable HTTP 2.0 for your App Services. | More info | |
| Web | Medium | CIS 9.3 PCI DSS (Old Protocols) | eastus | prevasio-web-app | App Service has TLS version 1.1, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to App Services. | More info | |
| Web | Medium | CIS 9.4 | eastus | prevasio-web-app | App Service is not configured to use an SSL certificate to authenticate incoming client requests. | To configure the App Services to use an SSL certificate for incoming requests, enable "Incoming client certificates" configuration setting. | More info | |
| Web | Medium | CIS 9.2 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasio-web-app | App Service is not enforcing HTTPS-only traffic. | To redirect all non-secure HTTP requests to HTTPS so that the traffic between the web application servers and the application clients cannot be decrypted, enforce HTTPS-only traffic for your App Services. | More info | |
| Cosmos DB | Medium | CIS 4.5.1 | westus | prevasio-cosmos-db-account | Cosmos DB Account allows public access. | To add an additional layer of security to the account resources, update the firewall and the virtual network configuration for your Cosmos DB Accounts. | More info | |
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | eastus | my-sql-db | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| SQL | Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | eastus | prevasio-sql-server | SQL Server has TLS version 1.1, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| SQL | Medium | CIS 4.1.6 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-sql-server | SQL Server Auditing retention is 10 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Servers have a sufficient log data retention period, i.e. 90 days or more. | More info | |
| SQL | High | CIS 4.1.2 | eastus | prevasio-sql-server | SQL Server is open to outside traffic. | In order to eliminate the exposure from the public Internet, ensure that your SQL Database Servers are accessible through private endpoints instead of public IP addresses or service endpoints. | More info | |
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | master | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| SQL | Low | CIS 4.1.2 | westus | prevasio-sql-server2 | SQL Server has no private endpoints configured. | To connect your virtual network to services in Azure without a public IP address at the source or destination, ensure the SQL Servers are accessible only through private endpoints. | More info | |
| SQL | Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | westus | prevasio-sql-server2 | SQL Server has TLS version set to EnforcementDisabled, while the desired TLS version is 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| SQL | Medium | westus | prevasio-sql-server2 | SQL Server has no Email Account Admins enabled. | To send monitored data for unusual activity, vulnerabilities, and threats to the account admins and subscription owners, ensure that advanced data security for SQL Servers has Email Account Admins enabled. | More info | ||
| SQL | High | westus | prevasio-sql-server2 | SQL Server has no list of emails configured to which alerts could be sent upon detection of anomalous activities. | To send alerts on unusual activity, vulnerabilities, and threats, specify email address(es) under "Send alerts to" in Advanced Threat Protection settings of Microsoft Defender for SQL. | More info | ||
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | prevasio-sql-server2 | SQL Server has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Server Auditing is enabled. | More info | |
| SQL | Medium | CIS 4.1.4 | westus | prevasio-sql-server2 | SQL Server uses no Active Directory administrator. | To centrally manage identity and access to your SQL Database Servers, ensure that SQL Servers use an Active Directory administrator. | More info | |
| SQL | Medium | CIS 4.1.3 | westus | prevasio-sql-server2 | SQL Server has TDE (Transparent data encryption) that uses Microsoft managed key instead of BYOK (Bring Your Own Key). | For greater control, transparency and increasing security by having full control of the encryption keys, ensure your SQL Server data at rest is protected with a key from your own Azure key vault. | More info | |
| MySQL | High | CIS 4.4.1 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasio-mysql-server | MySQL Server is not configured to have its data in-transit encrypted. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that MySQL Server is set to use SSL for data transmission. | More info | |
| PostgreSQL | High | CIS 4.3.1 PCI DSS 4.2 HIPAA (Encryption) | eastus2 | prevasio-postgresql-server | PostgreSQL Server is not configured to have its data in-transit encrypted. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that PostgreSQL Server is set to use SSL for data transmission. | More info | |
| Security | High | CIS 8.5 | eastus | prevasio-key-vault-2 | Key Vault has no Purge Protection and therefore, is not recoverable. | To prevent permanent deletion/purging of encryption keys, secrets and certificates stored within the Key Vaults, ensure that all Key Vaults have Purge Protection enabled. | More info | |
| Security | Low | CIS 5.1.5 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-key-vault | Key Vault has no AuditEvent logging enabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that AuditEvent logging is enabled for each Key Vault. | More info | |
| Security | Medium | CIS 2.3.1 | westeurope | test-domain.com | Security Contact is not configured to send security alerts to administrators. | To notify subscription owners/administrators about detected vulnerabilities and other security issues, ensure that security alerts are configured to be sent to subscription owners/administrators. | More info | |
| Security | Medium | CIS 2.3.3 | westeurope | test-domain.com | Security Contact is not configured to receive high severity alert notifications. | To notify the Security Contact about potential security issues, ensure that high severity alert notificationss are properly configured. | More info | |
| Security | Medium | CIS 2.2 CIS 2.2.1 | global | Security | Automatic Provisioning of the Monitoring Agent is not enabled. | To collect security data and events from your cloud compute resources in order to help you prevent, detect, and respond effectively to security issues, ensure that automatic provisioning of the monitoring agent is enabled in your Microsoft Azure account. | More info | |
| Security | Medium | CIS 2.2 CIS 2.2.1 | global | Security | Automatic Provisioning of the Monitoring Agent is not enabled. | To collect security data and events from your cloud compute resources in order to help you prevent, detect, and respond effectively to security issues, ensure that automatic provisioning of the monitoring agent is enabled in your Microsoft Azure account. | More info | |
| Management & Governance | High | CIS 2.6 | global | SecurityCenterBuiltIn | The default set of policies monitored by Defender for Cloud contains 1 disabled policy. | To meet security and compliance requirements, ensure that all security policies (specified as parameters) provided by Defender for Cloud default policy (ASC Default) are enabled. | More info |