
Azure CIS Benchmark v2.0.0 Now Available as CloudQuery Transformation

Kevin Rheinheimer

In March 2023, the Center for Internet Security (CIS) unveiled a major release (v2.0.0) of their Microsoft Azure Foundations Benchmark. Let's walk through it together to see what's new and what effect this may have on your cloud configurations.

Here's what's new in v2.0.0 #

  • 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email - This Level 1 recommendation ensures that Microsoft Defender for Cloud alerts about a potential compromise go not only to the subscription owner but also to any additional security contacts you configure, so the notification does not depend on a single mailbox.
  • 5.3.1 Ensure Application Insights are Configured - This Level 2 recommendation provides actionable application metrics and telemetry, which makes it easier both to spot and ward off potential security threats proactively and to perform retroactive analysis after an incident. Note: Application Insights relies on a Log Analytics workspace, which incurs additional fees.
  • 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored - Basic, Free and Consumption SKUs in Azure carry no service-level agreement (SLA), so there is no availability guarantee for workloads running on them; resources that must be monitored in production should use a SKU that has one. This is a Level 2 recommendation because implementing it incurs additional cost.
  • 7.1 Ensure an Azure Bastion Host Exists - In support of a zero-trust architecture, Azure Bastion provides RDP and SSH access to virtual machines over TLS through the Azure portal, so the VMs themselves need no public IP address or exposed management port. If you already have an equivalent zero-trust access solution, you may not want to implement this Level 2 recommendation.

Here's what dropped off in v2.0.0 #

  • 2.6 Ensure that Azure Defender is set to On for Kubernetes - This manual control was removed in favor of 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On', which takes a service-agnostic approach to container security rather than focusing on AKS alone.

What to keep an eye out for #

  • 2.3 Microsoft Defender for External Attack Surface Monitoring - This section was added to the v2.0.0 benchmark with no recommendations yet. CIS gives the following context:
"As more services are exposed to the public internet it is important to be able to monitor the externally exposed surface of your Azure Tenant, to this end it is recommended that tools that monitor this surface are implemented. Microsoft have a new tool to do this in their Defender Suite of products, Defender EASM. This tool is configured very simply to scan specified domains and report on them; specific domains and addresses can be excluded from the scan. Typically these tools will report on any vulnerability that is identified (CVE) and will also identify ports and protocols that are open on devices. Results are classified Critical/High/Medium & Low with proposed mitigations."

How to use CloudQuery to gain insights about your Azure configuration #

CloudQuery approaches the same goal from the configuration side: rather than scanning your public surface from the outside as Defender EASM does, it syncs your Azure resource configuration through the Azure APIs into a database you control, and the Azure Compliance transformation runs the CIS checks as SQL over that data. That lets you identify misconfigurations such as missing security contacts, unmonitored Basic-SKU resources or subscriptions without a Bastion host, and confirm that your configurations stay compliant over time. CloudQuery also offers benefits that set it apart from other tools:
  • Broader Integration: CloudQuery integrates with multiple cloud providers, not just Azure, allowing you to monitor and secure multi-cloud environments from a single platform.
  • Customizable Compliance: CloudQuery offers customizable compliance checks and transformations, enabling tailored security configurations specific to your organization’s needs.
  • Open-Source Flexibility: As an open-source core tool, CloudQuery provides transparency and flexibility, allowing you to extend and customize its functionality to fit unique use cases.
  • Comprehensive Reporting: CloudQuery delivers detailed, actionable reports on compliance and security, helping you proactively address potential vulnerabilities across your cloud infrastructure.
  • Ease of Use: CloudQuery’s intuitive CLI based interface and extensive documentation make it easy for teams to implement and maintain robust security practices without extensive training.
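As an added illustration of how a compliance transformation works (this is example code written for this post, not the CloudQuery Azure Compliance plugin's own queries), the following Python script loads constructed sample rows into SQLite and evaluates three of the new v2.0.0 checks as SQL. The table and column names (azure_subscriptions, azure_security_contacts, azure_network_bastion_hosts, azure_monitored_resources) are assumptions made for illustration and not the real CloudQuery Azure plugin schema; in a deployment the same style of query would run against the tables CloudQuery syncs into your destination database.

```python
"""Three CIS Azure v2.0.0 checks expressed as SQL over synced configuration.

Example code added for this post, not CloudQuery's transformation. Table and
column names are assumptions for illustration; all rows are constructed.
"""
import sqlite3

# Constructed sample of "synced" configuration (not real Azure data).
SUBSCRIPTIONS = [("sub-a",), ("sub-b",), ("sub-c",)]
SECURITY_CONTACTS = [
    # subscription_id, owner email, additional_emails (comma-separated, may be empty)
    ("sub-a", "owner@example.com", "secops@example.com"),
    ("sub-b", "owner@example.com", ""),        # no additional contact -> fails 2.1.19
    # sub-c has no security contact row at all -> also fails 2.1.19
]
BASTION_HOSTS = [("sub-a", "bastion-prod")]  # sub-b and sub-c have none -> fail 7.1
MONITORED_RESOURCES = [
    # subscription_id, resource id, sku_tier
    ("sub-a", "/subscriptions/sub-a/resourceGroups/rg/providers/Microsoft.Web/serverfarms/plan1", "Standard"),
    ("sub-b", "/subscriptions/sub-b/resourceGroups/rg/providers/Microsoft.Web/serverfarms/plan2", "Basic"),
    ("sub-c", "/subscriptions/sub-c/resourceGroups/rg/providers/Microsoft.Web/sites/fn1", "Consumption"),
]

# Each check is a query that returns the FAILING rows, keyed by CIS recommendation id.
# ORDER BY keeps results deterministic for reporting and testing.
CHECKS = {
    # 2.1.19: a subscription fails if it has no contact row or no additional emails.
    "2.1.19": """
        SELECT s.subscription_id
        FROM azure_subscriptions s
        LEFT JOIN azure_security_contacts c ON c.subscription_id = s.subscription_id
        WHERE c.additional_emails IS NULL OR TRIM(c.additional_emails) = ''
        ORDER BY s.subscription_id
    """,
    # 5.5: monitored resources on a SKU without an SLA.
    "5.5": """
        SELECT subscription_id, id
        FROM azure_monitored_resources
        WHERE LOWER(sku_tier) IN ('basic', 'free', 'consumption')
        ORDER BY subscription_id, id
    """,
    # 7.1: subscriptions with no Bastion host at all.
    "7.1": """
        SELECT s.subscription_id
        FROM azure_subscriptions s
        WHERE NOT EXISTS (
            SELECT 1 FROM azure_network_bastion_hosts b
            WHERE b.subscription_id = s.subscription_id)
        ORDER BY s.subscription_id
    """,
}


def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory database shaped like a synced inventory (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE azure_subscriptions (subscription_id TEXT PRIMARY KEY);
        CREATE TABLE azure_security_contacts (
            subscription_id TEXT, email TEXT, additional_emails TEXT);
        CREATE TABLE azure_network_bastion_hosts (subscription_id TEXT, name TEXT);
        CREATE TABLE azure_monitored_resources (
            subscription_id TEXT, id TEXT, sku_tier TEXT);
    """)
    con.executemany("INSERT INTO azure_subscriptions VALUES (?)", SUBSCRIPTIONS)
    con.executemany("INSERT INTO azure_security_contacts VALUES (?, ?, ?)", SECURITY_CONTACTS)
    con.executemany("INSERT INTO azure_network_bastion_hosts VALUES (?, ?)", BASTION_HOSTS)
    con.executemany("INSERT INTO azure_monitored_resources VALUES (?, ?, ?)", MONITORED_RESOURCES)
    con.commit()
    return con


def run_checks(con: sqlite3.Connection) -> dict[str, list[tuple]]:
    """Return the failing rows for every check; an empty list means the check passes."""
    return {check_id: con.execute(sql).fetchall() for check_id, sql in CHECKS.items()}


def failing_subscriptions(con: sqlite3.Connection, check_id: str) -> set[str]:
    """Set of subscription ids that fail one check (first column of every failing row)."""
    return {row[0] for row in con.execute(CHECKS[check_id])}


if __name__ == "__main__":
    db = load_sample_db()
    for check_id, rows in run_checks(db).items():
        status = "PASS" if not rows else f"FAIL ({len(rows)} finding(s))"
        print(f"CIS {check_id}: {status}")
        for row in rows:
            print("   ", row)
```

The useful property of this shape is that a check is just a query that returns findings, so adding an exception (for example a subscription that uses a different zero-trust access path instead of Bastion, as the 7.1 note above allows) is a matter of joining against an allow-list table rather than changing any scanning logic.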
If you want a step-by-step guide on how to use CloudQuery to monitor your Azure environment, check out our tutorial on setting up a Cloud Asset Inventory for Azure.
If you're ready to start monitoring your Azure assets and their exposure, download CloudQuery and run your first sync today.
Have questions or want to learn more about how CloudQuery can help you? Reach out to us for personalized assistance and insights. We're here to help you secure and optimize your cloud environment.
CloudQuery has both a free and a premium version of the Azure Compliance transformation plugin. If you are interested in more compliance insights and a clearer picture of your security posture, see the plugin pages and documentation for both versions.
© 2024 CloudQuery, Inc. All rights reserved.