Azure CIS Benchmark v2.0.0 Now Available as CloudQuery Transformation
What's new in the CIS benchmark v2.0.0 for Azure?
Kevin Rheinheimer • Feb 01, 2024
In March 2023, the Center for Internet Security (CIS) unveiled a major release (v2.0.0) of their Microsoft Azure Foundations Benchmark. Let's walk through it together to see what's new and what effect this may have on your cloud configurations.
- 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email - In addition to having the owner's email, this level 1 recommendation will ensure that not only the account owner will be notified but also any additional security contacts will be notified in the event of a potential compromise
- 5.3.1 Ensure Application Insights are Configured - This level 2 recommendation provides actionable application metrics and telemetry data, making it that much easier to not only be proactive and ward off potential security threats, but also allows for retroactive analysis to be done. Note: Application insights relies on a Log Analytics Workspace, which will incur additional fees.
- 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored - Basic/Free SKUs in Azure do not have a service SLA meaning Microsoft will not offer support for your production workloads. This is a level 2 recommendation due to additional cost incurred by implementing.
- 7.1 Ensure an Azure Bastion Host Exists - In an effort to support zero-trust architecture, Microsoft has provided an internal tool as a way to avoid public exposure of those resources. However, if you already have a zero-trust solution, you may not want to implement this level 2 recommendation.
- 2.6 Ensure that Azure Defender is set to On for Kubernetes - This manual control was removed in favor of 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On', taking a more agnostic approach to container security rather than focusing on one specific service.
- 2.3 Microsoft Defender for External Attack Surface Monitoring - this section was added to the v2.0.0 benchmark with no recommendations, here is some further context from CIS:
As more services are exposed to the public internet it is important to be able to monitor the externally exposed surface of your Azure Tenant, to this end it is recommended that tools that monitor this surface are implemented. Microsoft have a new tool to do this in their Defender Suite of products. Defender EASM, this tool is configured very simply to scan specified domains and report on them, specific domains and addresses can be excluded from the scan. Typically these tools will report on any vulnerability that is identified (CVE) and will also identify ports and protocols that are open on devices. Results are classified Critical/High/Medium & Low with proposed mitigations.
CloudQuery has both a free and premium version of the Azure Compliance transformation plugin. If you are interested in gaining more compliance insights and a better sense of security, please find the plugins and documentation below: