CIS Microsoft Azure Foundations Benchmark
- Version: 2.1.0
- URL: https://www.cisecurity.org/benchmark/azure
- Source of truth: pipeline_check/core/standards/data/cis_azure_foundations.py
CIS Microsoft Azure Foundations Benchmark, CI/CD-relevant subset. Covers identity (Entra ID), storage accounts, Key Vault, container registry, monitoring, networking (NSGs, Network Watcher), App Service, Azure SQL, and virtual machine controls.
At a glance
- Controls in this standard: 35
- Controls evidenced by at least one check: 35 / 35
- Distinct checks evidencing this standard: 50
- Of those, autofixable with --fix: 0
Severity levels (CRITICAL / HIGH / MEDIUM / LOW / INFO) follow the same scale across every provider and standard. See How to read severity on the standards overview for the definitions.
Coverage by control
Click a control ID to jump to the per-control section with the full check list. The severity mix column shows the spread of evidencing checks by severity (Critical / High / Medium / Low / Info).
| Control | Title | Checks | Severity mix |
|---|---|---|---|
| 1.21 | Ensure that no custom subscription administrator roles are created | 1 | 1C |
| 1.24 | Ensure that custom role permissions are managed and reviewed | 2 | 1C · 1M |
| 1.1.1 | Ensure Security Defaults are enabled on Azure Active Directory | 2 | 2H |
| 1.1.2 | Ensure that multi-factor authentication is enabled for all privileged users | 2 | 2H |
| 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | 2 | 2H |
| 3.7 | Ensure default network access rule for storage accounts is set to deny | 1 | 1H |
| 3.10 | Ensure storage account access keys are periodically regenerated | 2 | 1H · 1L |
| 3.12 | Ensure storage for critical data is encrypted with Customer-Managed Key | 1 | 1M |
| 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | 3 | 1H · 2M |
| 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | 2 | 2M |
| 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | 2 | 1M · 1L |
| 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | 1 | 1M |
| 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | 1 | 1M |
| 8.1 | Ensure that the expiration date is set on all keys | 2 | 2M |
| 8.4 | Ensure the Key Vault is recoverable | 2 | 2H |
| 8.5 | Enable role-based access control for Azure Key Vault | 2 | 2M |
| 9.1 | Ensure Container Registry has admin user disabled | 3 | 3H |
| 9.2 | Ensure Container Registry has content trust enabled | 2 | 1M · 1I |
| 6.1 | Ensure that RDP access from the Internet is evaluated and restricted | 1 | 1C |
| 6.2 | Ensure that SSH access from the Internet is evaluated and restricted | 1 | 1C |
| 6.3 | Ensure no Network Security Group allows unrestricted ingress to port 3389 | 3 | 1C · 1H · 1M |
| 6.5 | Ensure that Network Security Group flow log retention period is 'greater than 90 days' | 2 | 2M |
| 6.6 | Ensure that Network Watcher is 'Enabled' | 5 | 3H · 2M |
| 9.3 | Ensure that 'Web App Redirects All HTTP traffic to HTTPS' is set | 1 | 1H |
| 9.4 | Ensure Web App is using the latest version of TLS encryption | 1 | 1H |
| 9.5 | Ensure that Register with Azure AD is enabled on App Service | 1 | 1M |
| 9.10 | Ensure FTP deployments are Disabled | 1 | 1M |
| 9.11 | Ensure Azure Key Vaults are used to store secrets | 1 | 1H |
| 4.1.1 | Ensure that 'Auditing' is set to 'On' | 1 | 1H |
| 4.1.3 | Ensure that 'Data encryption' is set to 'On' for SQL databases | 1 | 1M |
| 4.1.4 | Ensure that 'Azure Active Directory Admin' is configured for SQL Servers | 1 | 1M |
| 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is set to 'On' | 1 | 1M |
| 7.1 | Ensure Virtual Machines use Managed Disks | 1 | 1M |
| 7.2 | Ensure that OS and Data disks are encrypted with CMK | 1 | 1H |
| 7.4 | Ensure that only approved extensions are installed | 1 | 1M |
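The "At a glance" figures and the severity-mix column are derived from the mapping data, and the derivation is worth seeing because the per-control counts in the table sum to 57 evidence rows while the header reports only 50 distinct checks: ENTRA-001, AZMON-002, AZMON-003, AZNW-001 and AZNW-002 each evidence more than one control, so a single failing check can break several controls at once. The Python below is an added example, not code from pipeline_check or its generator script. It recomputes those figures over a constructed subset of this page's mapping (MAPPING and CHECK_SEVERITY are transcribed from the tables here; they are not the project's own data structures) and adds the inverse index a practitioner needs at report time: given the check IDs a scan failed, which CIS controls are affected and at what severity.

```python
from collections import Counter, defaultdict

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")

# Constructed subset of this page's mapping: CIS control -> evidencing check IDs.
# Shared checks (ENTRA-001, AZMON-003) are kept so the row/distinct difference shows up.
MAPPING = {
    "1.21": ["ENTRA-001"],
    "1.24": ["ENTRA-001", "ENTRA-005"],
    "5.2.1": ["AZMON-003", "AZMON-007"],
    "5.2.2": ["AZMON-003"],
    "5.2.4": ["AZMON-003"],
    "8.4": ["AKV-001", "AKV-002"],
    "9.2": ["ACR-003", "ACR-005"],
}
# Severities as listed in the per-control tables on this page.
CHECK_SEVERITY = {
    "ENTRA-001": "CRITICAL", "ENTRA-005": "MEDIUM",
    "AZMON-003": "MEDIUM", "AZMON-007": "LOW",
    "AKV-001": "HIGH", "AKV-002": "HIGH",
    "ACR-003": "MEDIUM", "ACR-005": "INFO",
}


def control_sort_key(control_id):
    """Sort CIS control IDs numerically, so 1.1.1 < 1.21 < 3.7 < 9.10 (string sort gets this wrong)."""
    return tuple(int(part) for part in control_id.split("."))


def severity_mix(check_ids, severities=CHECK_SEVERITY):
    """Render the 'Severity mix' cell: ['ENTRA-001', 'ENTRA-005'] -> '1C · 1M'."""
    counts = Counter(severities[check] for check in check_ids)
    return " · ".join(f"{counts[s]}{s[0]}" for s in SEVERITY_ORDER if counts[s])


def at_a_glance(mapping=MAPPING):
    """Header numbers. evidence_rows double-counts shared checks; distinct_checks does not."""
    return {
        "controls": len(mapping),
        "evidenced": sum(1 for checks in mapping.values() if checks),
        "evidence_rows": sum(len(checks) for checks in mapping.values()),
        "distinct_checks": len({check for checks in mapping.values() for check in checks}),
    }


def controls_by_check(mapping=MAPPING):
    """Inverse index: check ID -> controls it evidences, in control order."""
    index = defaultdict(list)
    for control, checks in mapping.items():
        for check in checks:
            index[check].append(control)
    return {check: sorted(ctrls, key=control_sort_key) for check, ctrls in index.items()}


def affected_controls(failed_checks, mapping=MAPPING, severities=CHECK_SEVERITY):
    """Turn a scan's failing check IDs into (control, worst severity) pairs for a compliance report.
    A control hit by several failing checks is reported once at the most severe of them."""
    index = controls_by_check(mapping)
    worst = {}
    for check in failed_checks:
        for control in index.get(check, []):
            current = worst.get(control)
            if current is None or SEVERITY_ORDER.index(severities[check]) < SEVERITY_ORDER.index(current):
                worst[control] = severities[check]
    return sorted(worst.items(), key=lambda item: control_sort_key(item[0]))


if __name__ == "__main__":
    print(at_a_glance())
    for control in sorted(MAPPING, key=control_sort_key):
        print(f"| {control} | {len(MAPPING[control])} | {severity_mix(MAPPING[control])} |")
    # Two failing checks fan out to five controls because both are shared.
    print(affected_controls(["AZMON-003", "ENTRA-001"]))
```

Run against the full mapping in cis_azure_foundations.py instead of the subset, at_a_glance would return 35 controls, 57 evidence rows and 50 distinct checks, matching the header of this page.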
Filter at runtime
Restrict a scan to checks that evidence this standard with --standard cis_azure_foundations:
```bash
# All providers, only checks tied to this standard
pipeline_check --standard cis_azure_foundations
# Compose with --pipeline to scope by provider
pipeline_check --pipeline github --standard cis_azure_foundations
# Compose with another standard to widen the lens
pipeline_check --pipeline aws --standard cis_azure_foundations --standard owasp_cicd_top_10
```
Controls in scope
1.21: Ensure that no custom subscription administrator roles are created
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ENTRA-001 | Service principal assigned Global Administrator | CRITICAL | Azure Cloud | |
1.24: Ensure that custom role permissions are managed and reviewed
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ENTRA-001 | Service principal assigned Global Administrator | CRITICAL | Azure Cloud | |
| ENTRA-005 | No Conditional Access policy restricting external users | MEDIUM | Azure Cloud | |
1.1.1: Ensure Security Defaults are enabled on Azure Active Directory
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ENTRA-003 | Service principal uses password credential | HIGH | Azure Cloud | |
| ENTRA-006 | No Conditional Access sign-in risk policy | HIGH | Azure Cloud | |
1.1.2: Ensure that multi-factor authentication is enabled for all privileged users
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ENTRA-002 | App registration credential valid beyond 180 days | HIGH | Azure Cloud | |
| ENTRA-004 | No Conditional Access policy requiring MFA for admins | HIGH | Azure Cloud | |
3.1: Ensure that 'Secure transfer required' is set to 'Enabled'
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZST-002 | Storage account allows non-HTTPS traffic | HIGH | Azure Cloud | |
| AZST-004 | Storage account minimum TLS version below 1.2 | HIGH | Azure Cloud | |
3.7: Ensure default network access rule for storage accounts is set to deny
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZST-001 | Storage account allows public blob access | HIGH | Azure Cloud | |
3.10: Ensure storage account access keys are periodically regenerated
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZST-005 | Storage account blob lifecycle policy should be reviewed | LOW | Azure Cloud | |
| AZST-006 | Storage account access keys not rotated within 90 days | HIGH | Azure Cloud | |
3.12: Ensure storage for critical data is encrypted with Customer-Managed Key
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZST-003 | Storage account not encrypted with customer-managed key | MEDIUM | Azure Cloud | |
5.1.2: Ensure Diagnostic Setting captures appropriate categories
Evidenced by 3 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-001 | No diagnostic setting for subscription Activity Log | HIGH | Azure Cloud | |
| AZMON-002 | Activity Log retention less than 365 days | MEDIUM | Azure Cloud | |
| AZMON-006 | Log Analytics workspace retention less than 365 days | MEDIUM | Azure Cloud | |
5.1.5: Ensure that logging for Azure Key Vault is 'Enabled'
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-002 | Activity Log retention less than 365 days | MEDIUM | Azure Cloud | |
| AZMON-004 | Key Vault has no diagnostic settings configured | MEDIUM | Azure Cloud | |
5.2.1: Ensure that Activity Log Alert exists for Create Policy Assignment
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-003 | No alert rule for critical administrative operations | MEDIUM | Azure Cloud | |
| AZMON-007 | No service health alert rule configured | LOW | Azure Cloud | |
5.2.2: Ensure that Activity Log Alert exists for Delete Policy Assignment
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-003 | No alert rule for critical administrative operations | MEDIUM | Azure Cloud | |
5.2.4: Ensure that Activity Log Alert exists for Create or Update Network Security Group
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-003 | No alert rule for critical administrative operations | MEDIUM | Azure Cloud | |
8.1: Ensure that the expiration date is set on all keys
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AKV-004 | Key Vault key has no expiration date | MEDIUM | Azure Cloud | |
| AKV-005 | Key Vault secret has no expiration date | MEDIUM | Azure Cloud | |
8.4: Ensure the Key Vault is recoverable
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AKV-001 | Key Vault soft delete not enabled | HIGH | Azure Cloud | |
| AKV-002 | Key Vault purge protection not enabled | HIGH | Azure Cloud | |
8.5: Enable role-based access control for Azure Key Vault
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AKV-003 | Key Vault allows access from all networks | MEDIUM | Azure Cloud | |
| AKV-006 | Key Vault uses vault access policies instead of RBAC | MEDIUM | Azure Cloud | |
9.1: Ensure Container Registry has admin user disabled
Evidenced by 3 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ACR-001 | Container registry admin user enabled | HIGH | Azure Cloud | |
| ACR-002 | Container registry allows public network access | HIGH | Azure Cloud | |
| ACR-004 | Container registry Defender scanning not enabled | HIGH | Azure Cloud | |
9.2: Ensure Container Registry has content trust enabled
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ACR-003 | Container registry content trust not enabled | MEDIUM | Azure Cloud | |
| ACR-005 | Container registry tag immutability (verify per-repository locking) | INFO | Azure Cloud | |
6.1: Ensure that RDP access from the Internet is evaluated and restricted
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZNW-001 | NSG allows inbound SSH or RDP from the internet | CRITICAL | Azure Cloud | |
6.2: Ensure that SSH access from the Internet is evaluated and restricted
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZNW-001 | NSG allows inbound SSH or RDP from the internet | CRITICAL | Azure Cloud | |
6.3: Ensure no Network Security Group allows unrestricted ingress to port 3389
Evidenced by 3 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZNW-001 | NSG allows inbound SSH or RDP from the internet | CRITICAL | Azure Cloud | |
| AZNW-004 | NSG has no explicit deny-all inbound rule | MEDIUM | Azure Cloud | |
| AZSQL-003 | SQL Server allows public network access | HIGH | Azure Cloud | |
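Controls 6.1, 6.2 and 6.3 are all evidenced by AZNW-001, and the interesting part of such a check is deciding whether an NSG really exposes 22 or 3389 to the internet rather than merely containing a rule that mentions those ports. NSG rules are evaluated lowest priority number first and the first match wins, so an Allow from '*' on port 22 at priority 200 is harmless when a Deny from 'Internet' on 22 sits at priority 100, while a rule scoped to 10.0.0.0/8 is restricted access, not unrestricted. The Python below is an added illustration of that evaluation; it is not pipeline_check's AZNW-001 implementation. The two NSG dictionaries and the helper names are constructed for the example; the rule field names follow the ARM networkSecurityGroups schema (securityRules, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges), and DEFAULT_INBOUND_RULES reproduces Azure's documented built-in inbound rules.

```python
import ipaddress

WATCHED_PORTS = {22: "SSH", 3389: "RDP"}
# Source tokens that mean "every address on the internet". Scoped CIDRs and
# service tags such as VirtualNetwork or AzureLoadBalancer are deliberately absent.
UNRESTRICTED_SOURCES = {"*", "internet"}

# Azure's built-in inbound rules; they run after custom rules (priority 65000+).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def source_is_unrestricted(rule):
    """True if the rule's source covers the whole internet: a wildcard token or a /0 network."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    for prefix in prefixes:
        token = prefix.strip()
        if token.lower() in UNRESTRICTED_SOURCES:
            return True
        try:
            if ipaddress.ip_network(token, strict=False).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                return True
        except ValueError:
            pass  # a service tag; never equivalent to "the internet"
    return False


def port_matches(rule, port):
    """Handle '*', single ports ('22'), ranges ('3000-4000') and the plural destinationPortRanges form."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for item in ranges:
        item = item.strip()
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def effective_inbound_decision(rules, port):
    """Return (access, rule name) of the first inbound rule, in priority order, that matches
    a TCP packet to `port` from an arbitrary internet address. Rules scoped to a specific
    source neither allow nor deny such a packet, so they are skipped."""
    inbound = [r for r in rules if r.get("direction", "Inbound").lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        if port_matches(rule, port) and source_is_unrestricted(rule):
            return rule["access"], rule["name"]
    return "Deny", "<implicit>"  # only reached if the default rules were stripped


def find_internet_exposed_admin_ports(nsg):
    """Findings for one NSG resource dict: one line per admin port reachable from the internet."""
    rules = list(nsg.get("securityRules", [])) + list(nsg.get("defaultSecurityRules", DEFAULT_INBOUND_RULES))
    findings = []
    for port, service in WATCHED_PORTS.items():
        access, name = effective_inbound_decision(rules, port)
        if access.lower() == "allow":
            findings.append(f"{service} ({port}) allowed from the internet by rule {name}")
    return findings


# Constructed NSGs for the example (custom rules only; defaults are appended above).
NSG_EXPOSED = {"securityRules": [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-4000"},
]}
NSG_RESTRICTED = {"securityRules": [
    {"name": "deny-ssh-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    # Shadowed by the deny at priority 100, so not a finding.
    {"name": "allow-ssh-all", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-corp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "3389"},
]}

if __name__ == "__main__":
    for label, nsg in (("exposed", NSG_EXPOSED), ("restricted", NSG_RESTRICTED)):
        print(label, find_internet_exposed_admin_ports(nsg) or ["no internet-exposed admin ports"])
```

The range 3000-4000 in NSG_EXPOSED is the case a naive "does a rule list port 3389" grep misses. Note also that this evaluation answers only the AZNW-001 question; an NSG can pass it and still be flagged by AZNW-004 when it relies solely on the built-in DenyAllInBound rather than an explicit deny-all rule of its own.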
6.5: Ensure that Network Security Group flow log retention period is 'greater than 90 days'
Evidenced by 2 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZMON-005 | NSG flow log retention less than 90 days | MEDIUM | Azure Cloud | |
| AZNW-002 | NSG does not have flow logging enabled | MEDIUM | Azure Cloud | |
6.6: Ensure that Network Watcher is 'Enabled'
Evidenced by 5 checks across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZNW-002 | NSG does not have flow logging enabled | MEDIUM | Azure Cloud | |
| AZNW-003 | Application Gateway does not have WAF enabled | HIGH | Azure Cloud | |
| AZNW-005 | Public IP address associated with a VM NIC | HIGH | Azure Cloud | |
| AZVM-002 | Virtual machine has a public IP address | HIGH | Azure Cloud | |
| AZVM-003 | Virtual machine does not have JIT network access | MEDIUM | Azure Cloud | |
9.3: Ensure that 'Web App Redirects All HTTP traffic to HTTPS' is set
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZAPP-001 | App Service does not enforce HTTPS | HIGH | Azure Cloud | |
9.4: Ensure Web App is using the latest version of TLS encryption
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZAPP-002 | App Service minimum TLS version below 1.2 | HIGH | Azure Cloud | |
9.5: Ensure that Register with Azure AD is enabled on App Service
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZAPP-003 | App Service does not use a managed identity | MEDIUM | Azure Cloud | |
9.10: Ensure FTP deployments are Disabled
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZAPP-005 | App Service FTP access not disabled | MEDIUM | Azure Cloud | |
9.11: Ensure Azure Key Vaults are used to store secrets
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZAPP-004 | App Service has remote debugging enabled | HIGH | Azure Cloud | |
4.1.1: Ensure that 'Auditing' is set to 'On'
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZSQL-002 | SQL Server auditing not enabled | HIGH | Azure Cloud | |
4.1.3: Ensure that 'Data encryption' is set to 'On' for SQL databases
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZSQL-001 | SQL Server TDE does not use a customer-managed key | MEDIUM | Azure Cloud | |
4.1.4: Ensure that 'Azure Active Directory Admin' is configured for SQL Servers
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZSQL-004 | SQL Server has no Azure AD administrator configured | MEDIUM | Azure Cloud | |
4.2.1: Ensure that Advanced Threat Protection (ATP) on a SQL Server is set to 'On'
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZSQL-005 | SQL Server advanced threat protection not enabled | MEDIUM | Azure Cloud | |
7.1: Ensure Virtual Machines use Managed Disks
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZVM-005 | Virtual machine does not use a managed identity | MEDIUM | Azure Cloud | |
7.2: Ensure that OS and Data disks are encrypted with CMK
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZVM-001 | Virtual machine disks are not encrypted | HIGH | Azure Cloud | |
7.4: Ensure that only approved extensions are installed
Evidenced by 1 check across Azure Cloud.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| AZVM-004 | Virtual machine automatic OS patching not enabled | MEDIUM | Azure Cloud | |
This page is generated. Edit pipeline_check/core/standards/data/cis_azure_foundations.py (mappings) or scripts/gen_standards_docs.py (intro / per-control prose) and run python scripts/gen_standards_docs.py cis_azure_foundations.