CIS Microsoft Azure Benchmark v2.0
Center for Internet Security benchmark for Microsoft Azure. 120+ controls covering identity, networking, storage, databases, and logging. A selection of the controls is listed below, each with the setting it requires.
Ensure MFA is enabled for all privileged users
Multi-factor authentication must be enforced for every account holding an administrative directory role in Azure AD (now Microsoft Entra ID), including Global Administrator and the other privileged roles. A Conditional Access policy scoped to directory roles is the enforceable form; per-user MFA settings are easy to leave off for individual accounts. Audit the policy's exclusion list as well, since emergency-access accounts excluded from MFA are a common gap.
Ensure guest users are reviewed regularly
External guest users in Azure AD (userType = Guest) should be reviewed at least quarterly and removed when no longer needed. Guests keep whatever group memberships and application assignments they were given, so a stale guest account in a partner tenant remains a valid path into the subscription. `az ad user list --filter "userType eq 'Guest'"` enumerates them; Entra ID Access Reviews can automate the recurring review.
Ensure NSGs restrict SSH access from the internet
Network Security Groups should not contain an inbound Allow rule that reaches SSH (TCP port 22) from the whole Internet. The benchmark treats any of the source values `*`, `0.0.0.0/0`, `/0`, a prefix with a /0 mask, `Internet`, or `Any` as "everything", not just the literal 0.0.0.0/0. Port 22 can also be exposed through a range such as 20-25 or a destination port of `*`, so the check has to parse port ranges rather than match the string "22".
Ensure NSGs restrict RDP access from the internet
Network Security Groups should not allow RDP (TCP port 3389) from any of the same Internet-wide source values. For both controls, remember that NSG rules are evaluated in ascending priority order and the first match wins: a Deny at a lower priority number shields a broader Allow behind it, and a Deny scoped to one source range protects nothing else. Administrative access should go through Azure Bastion or Defender for Cloud Just-in-Time VM access instead of a standing Internet-facing rule.
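The following check implements the SSH and RDP controls above for one NSG. It is an added example for this page, not code from CIS or Microsoft. It reads the field names that `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` returns (direction, access, protocol, priority, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges); SAMPLE_RULES is constructed to stand in for that output and includes a Deny that shields a broader Allow, so the priority logic is exercised.

```python
"""Offline check of an Azure NSG's inbound rules for SSH/RDP exposed to the Internet.

Added example, not CIS or Microsoft code. Field names follow the JSON that
`az network nsg rule list` prints; SAMPLE_RULES below is constructed.
"""
from __future__ import annotations
from typing import Iterable

# Source values that admit traffic from the whole Internet. CIS flags all of these,
# not only the literal 0.0.0.0/0; any prefix carrying a /0 mask is also "everything".
ANY_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}
CHECKED_PORTS = {"SSH": 22, "RDP": 3389}


def _listify(rule: dict, single: str, plural: str) -> list[str]:
    """Azure emits either the singular field or the plural list; merge both."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return [v.strip() for v in values]


def source_is_internet(rule: dict) -> bool:
    for src in _listify(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        s = src.lower()
        if s in ANY_SOURCES or s.endswith("/0"):
            return True
    return False


def port_in_spec(port: int, spec: str) -> bool:
    """Match a port against an NSG port spec: '*', '22', or a range like '3380-3390'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_covers_port(rule: dict, port: int) -> bool:
    return any(port_in_spec(port, spec) for spec in
               _listify(rule, "destinationPortRange", "destinationPortRanges"))


def effective_access(rules: Iterable[dict], port: int) -> str:
    """Access for a TCP packet from an arbitrary Internet address to `port`.

    NSG evaluation stops at the first matching rule in ascending priority order, so a
    Deny at priority 150 shields a wider Allow at 200. Rules scoped to a specific source
    are skipped: they neither expose nor protect the general Internet case.
    """
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        if source_is_internet(rule) and rule_covers_port(rule, port):
            return rule["access"]
    return "Deny"  # Azure's built-in DenyAllInBound (priority 65500) catches the rest


def internet_exposed_services(rules: Iterable[dict]) -> list[str]:
    """Names from CHECKED_PORTS whose port is reachable from the Internet."""
    rules = list(rules)
    return [name for name, port in CHECKED_PORTS.items()
            if effective_access(rules, port).lower() == "allow"]


# Constructed sample, modelled on `az network nsg rule list` output.
SAMPLE_RULES = [
    {"name": "deny-ssh-from-scanner", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "deny-rdp-internet", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3380-3390"]},
    {"name": "allow-https", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
]

if __name__ == "__main__":
    for name in internet_exposed_services(SAMPLE_RULES):
        print(f"FAIL: {name} ({CHECKED_PORTS[name]}/tcp) reachable from the Internet")
```

On the sample, SSH fails (allow-mgmt admits it from the Internet, and the only SSH Deny is scoped to one /24) while RDP passes, because deny-rdp-internet at priority 150 wins over the 3380-3390 range in allow-mgmt. A scanner that only greps rules for "3389" and "Allow" would report both.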
Ensure Storage Accounts disallow public blob access
Azure Storage accounts should have anonymous public blob access disabled at the account level (allowBlobPublicAccess = false). The account-level setting overrides any container set to "Blob" or "Container" public access, so it closes the common failure of a single container being made public later. Note that this governs anonymous reads only; authenticated access over the public endpoint is a separate network-rules question.
Ensure Storage Accounts use HTTPS-only transport
All storage account traffic must use encrypted transport: the "Secure transfer required" setting (supportsHttpsTrafficOnly = true) makes the account reject plain HTTP REST calls and unencrypted SMB connections. This is a transport control and is independent of encryption at rest, which Azure Storage applies to all data regardless of this setting.
Ensure Azure SQL databases are not publicly accessible
Azure SQL databases should not be reachable from arbitrary Internet addresses. Network exposure is set on the logical server, not the database: either public network access is disabled on the server and clients connect through a private endpoint, or, where the public endpoint must stay on, the server firewall contains no rule spanning 0.0.0.0 to 255.255.255.255 or another needlessly wide public range. The "Allow Azure services and resources to access this server" option appears in the firewall list as a rule from 0.0.0.0 to 0.0.0.0; it admits traffic from any Azure tenant, not just your own, and should be reviewed with the same scrutiny.
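The check below evaluates one logical server against the control above. It is an added example for this page, not code from CIS or Microsoft. It uses the publicNetworkAccess property from `az sql server show` and the startIpAddress/endIpAddress fields from `az sql server firewall-rule list`; SAMPLE_SERVER is constructed, and the MAX_RULE_HOSTS threshold that decides when a rule is "too broad" is an assumption made here, since the benchmark names the 0.0.0.0 case but sets no numeric limit.

```python
"""Offline assessment of an Azure SQL logical server's network exposure.

Added example, not CIS or Microsoft code. Field names follow `az sql server show`
and `az sql server firewall-rule list`; SAMPLE_SERVER below is constructed.
"""
from __future__ import annotations
import ipaddress

# Azure records "Allow Azure services and resources to access this server" as a
# firewall rule from 0.0.0.0 to 0.0.0.0 (shown as AllowAllWindowsAzureIps).
AZURE_SERVICES_SENTINEL = ("0.0.0.0", "0.0.0.0")
IPV4_ALL = ipaddress.ip_network("0.0.0.0/0").num_addresses

# Assumption for this example: a rule admitting more than a /24 worth of public
# addresses is reported as "broad". Tune to your own policy.
MAX_RULE_HOSTS = 256


def rule_span(rule: dict) -> int:
    """Number of addresses a start/end firewall rule admits (inclusive)."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        raise ValueError(f"{rule['name']}: endIpAddress precedes startIpAddress")
    return int(end) - int(start) + 1


def classify_rule(rule: dict) -> str:
    """'azure-services', 'any-ip', 'broad' or 'ok' for one firewall rule."""
    if (rule["startIpAddress"], rule["endIpAddress"]) == AZURE_SERVICES_SENTINEL:
        return "azure-services"
    span = rule_span(rule)
    if span == IPV4_ALL:
        return "any-ip"
    if span > MAX_RULE_HOSTS:
        return "broad"
    return "ok"


def assess_server(server: dict) -> list[str]:
    """Findings for a server document; an empty list means compliant.

    Firewall rules are reported even when public network access is disabled: they
    are dormant then, but come straight back into force if someone re-enables it.
    """
    findings = []
    if server.get("publicNetworkAccess", "Enabled").lower() != "disabled":
        findings.append("public-network-access-enabled")
    for rule in server.get("firewallRules", []):
        verdict = classify_rule(rule)
        if verdict != "ok":
            findings.append(f"{verdict}:{rule['name']}")
    return findings


# Constructed sample combining `az sql server show` and firewall-rule list output.
SAMPLE_SERVER = {
    "name": "sql-prod-01",
    "publicNetworkAccess": "Enabled",
    "firewallRules": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
        {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
        {"name": "partner", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
    ],
}

if __name__ == "__main__":
    for finding in assess_server(SAMPLE_SERVER):
        print(f"FAIL {SAMPLE_SERVER['name']}: {finding}")
```

The "temp-debug" rule is the textbook violation; "partner" is the quieter one, a four-/24 block that a grep for 0.0.0.0 never sees. Run the same function over every server returned by `az sql server list` to cover a subscription.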
Ensure Azure SQL Transparent Data Encryption is enabled
Transparent Data Encryption (TDE) must be enabled on every Azure SQL database. Azure turns TDE on by default for newly created databases, so this control is mainly about catching databases where it was switched off and about databases migrated or restored from older servers. TDE protects data files, logs, and backups at rest; it does not protect data in transit or from a principal with query access, and the key is service-managed unless a customer-managed key in Key Vault is configured.
Ensure Activity Log alerts are configured
Azure Activity Log alerts should fire on control-plane operations that change the security posture of a subscription, such as creating or deleting a Policy Assignment, creating, updating, or deleting a Network Security Group or NSG rule, changing a SQL Server firewall rule, and creating or deleting a Public IP address. Each alert needs an action group with a real recipient; an alert rule with no action group satisfies a scanner but notifies nobody.
Ensure AKS clusters have RBAC enabled
Azure Kubernetes Service clusters must have Kubernetes RBAC enabled so that API access is limited by roles and bindings instead of every authenticated identity holding cluster-admin. `az aks show --query enableRbac` reports the setting. RBAC is on by default for new clusters and cannot be enabled on an existing cluster after creation, so a non-compliant cluster has to be redeployed rather than reconfigured.