CIS Azure Benchmark Checks in tfsec - crederauk/tfsec-custom-action GitHub Wiki
A list of the best practices listed in the benchmark, and their status in tfsec core checks and custom checks implemented by us.
Summary
🛑 Not Terraform-related (rules cannot be checked by looking at Terraform code): 53
🛑 Not doable with tfsec custom checks (details): 18
☑️ Done by tfsec (already checked in the list of checks tfsec has): 42
✅ Done: 2
Just to visualize the above ratio:
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑☑️☑️☑️☑️☑️☑️☑️☑️☑️☑️☑️✅
1 Identity and Access Management

| CIS # | Policy | Status |
|---|---|---|
| 1.1 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all privileged users | 🛑 Not Terraform-related |
| 1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all non-privileged users | 🛑 Not Terraform-related |
| 1.3 | Ensure guest users are reviewed on a monthly basis | 🛑 Not Terraform-related |
| 1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled | 🛑 Not Terraform-related |
| 1.5 | Ensure that 'Number of methods required to reset' is set to '2' | 🛑 Not Terraform-related |
| 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | 🛑 Not Terraform-related |
| 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | 🛑 Not Terraform-related |
| 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | 🛑 Not Terraform-related |
| 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | 🛑 Not Terraform-related |
| 1.10 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | 🛑 Not Terraform-related |
| 1.11 | Ensure that 'Users can register applications' is set to 'No' | 🛑 Not Terraform-related |
| 1.12 | Ensure that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | 🛑 Not Terraform-related |
| 1.13 | Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | 🛑 Not Terraform-related |
| 1.14 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | 🛑 Not Terraform-related |
| 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'Yes' | 🛑 Not Terraform-related |
| 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | 🛑 Not Terraform-related |
| 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | 🛑 Not Terraform-related |
| 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | 🛑 Not Terraform-related |
| 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | 🛑 Not Terraform-related |
| 1.20 | Ensure that no custom subscription owner roles are created | ☑️ Done by tfsec |
| 1.21 | Ensure security defaults is enabled on Azure Active Directory | 🛑 Not Terraform-related |
| 1.22 | Ensure a custom role is assigned permissions for administering resource locks | 🛑 Not Terraform-related |

2 Microsoft Defender for Cloud

| CIS # | Policy | Status |
|---|---|---|
| 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | ☑️ Done by tfsec |
| 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | ☑️ Done by tfsec |
| 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | ☑️ Done by tfsec |
| 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | ☑️ Done by tfsec |
| 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | ☑️ Done by tfsec |
| 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | ☑️ Done by tfsec |
| 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | ☑️ Done by tfsec |
| 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | ☑️ Done by tfsec |
| 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | 🛑 Not Terraform-related |
| 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud is selected | 🛑 Not Terraform-related |
| 2.11 | Ensure that auto provisioning of 'Log Analytics agent for Azure VMs' is set to 'On' | 🛑 Not Terraform-related |
| 2.12 | Ensure any of the ASC default policy setting is not set to 'Disabled' | 🛑 Not Terraform-related |
| 2.13 | Ensure 'Additional email addresses' is configured with a security contact email | 🛑 Not Terraform-related |
| 2.14 | Ensure that 'Notify about alerts with the following severity' is set to 'High' | ☑️ Done by tfsec |
| 2.15 | Ensure that 'All users with the following roles' is set to 'Owner' | 🛑 Not Terraform-related |

3 Storage Accounts

| CIS # | Policy | Status |
|---|---|---|
| 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | 🛑 Not Terraform-related |
| 3.2 | Ensure that storage account access keys are periodically regenerated | 🛑 Not Terraform-related |
| 3.3 | Ensure storage logging is enabled for queue service for 'Read', 'Write', and 'Delete' requests | ☑️ Done by tfsec |
| 3.4 | Ensure that shared access signature tokens expire within an hour | 🛑 Not Terraform-related |
| 3.5 | Ensure that 'Public access level' is set to 'Private' for blob containers | 🛑 Not Terraform-related |
| 3.6 | Ensure default network access rule for storage accounts is set to deny | ☑️ Done by tfsec |
| 3.7 | Ensure 'Trusted Microsoft Services' are enabled for storage account access | ☑️ Done by tfsec |
| 3.8 | Ensure soft delete is enabled for Azure Storage | 🛑 Not Terraform-related |
| 3.9 | Ensure storage for critical data are encrypted with customer managed keys | 🛑 Not Terraform-related |
| 3.10 | Ensure storage logging is enabled for blob service for 'Read', 'Write', and 'Delete' requests | 🛑 Not Terraform-related |
| 3.11 | Ensure storage logging is enabled for table service for 'Read', 'Write', and 'Delete' requests | 🛑 Not Terraform-related |
| 3.12 | Ensure the 'Minimum TLS version' is set to 'Version 1.2' | ☑️ Done by tfsec |

4 Database Services
4.1 SQL Server - Auditing

| CIS # | Policy | Status |
|---|---|---|
| 4.1.1 | Ensure that 'Auditing' is set to 'On' | ☑️ Done by tfsec |
| 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | 🛑 Not Terraform-related |
| 4.1.3 | Ensure that 'Auditing' retention is 'Greater than 90 days' | ☑️ Done by tfsec |

4.2 SQL Server - Azure Defender for SQL

| CIS # | Policy | Status |
|---|---|---|
| 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is set to 'Enabled' | 🛑 Not doable with tfsec custom checks |
| 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL Server by setting a storage account | 🛑 Not doable with tfsec custom checks |
| 4.2.3 | Ensure that VA setting 'Periodic recurring scans' is set to 'On' for each SQL Server | 🛑 Not doable with tfsec custom checks |
| 4.2.4 | Ensure that VA setting 'Send scan reports to' is configured for a SQL server | 🛑 Not doable with tfsec custom checks |
| 4.2.5 | Ensure that Vulnerability Assessment setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | 🛑 Not doable with tfsec custom checks |

4.3 PostgreSQL Database Server

| CIS # | Policy | Status |
|---|---|---|
| 4.3.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for PostgreSQL Database Server | ☑️ Done by tfsec |
| 4.3.2 | Ensure server parameter log_checkpoints is set to 'On' for PostgreSQL Database Server | ☑️ Done by tfsec |
| 4.3.3 | Ensure server parameter log_connections is set to 'On' for PostgreSQL Database Server | ☑️ Done by tfsec |
| 4.3.4 | Ensure server parameter log_disconnections is set to 'On' for PostgreSQL Database Server | 🛑 Not doable with tfsec custom checks |
| 4.3.5 | Ensure server parameter connection_throttling is set to 'On' for PostgreSQL Database Server | ☑️ Done by tfsec |
| 4.3.6 | Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server | 🛑 Not doable with tfsec custom checks |
| 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | 🛑 Not Terraform-related |
| 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | 🛑 Not Terraform-related |

4.4 MySQL Database

| CIS # | Policy | Status |
|---|---|---|
| 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | ☑️ Done by tfsec |
| 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL Flexible Database Server | ☑️ Done by tfsec |
| 4.4.3 | Ensure that Azure Active Directory Admin is configured | 🛑 Not Terraform-related |
| 4.4.4 | Ensure SQL Server's TDE protector is encrypted with customer-managed key | 🛑 Not Terraform-related |

5 Logging and Monitoring
5.1 Configuring Diagnostic Settings

| CIS # | Policy | Status |
|---|---|---|
| 5.1.1 | Ensure that a 'Diagnostics Setting' exists | 🛑 Not doable with tfsec custom checks |
| 5.1.2 | Ensure Diagnostics Setting captures appropriate categories | 🛑 Not doable with tfsec custom checks |
| 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | ☑️ Done by tfsec |
| 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | 🛑 Not Terraform-related |
| 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | 🛑 Not Terraform-related |

5.2 Monitoring using Activity Log Alerts

| CIS # | Policy | Status |
|---|---|---|
| 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | 🛑 Not doable with tfsec custom checks |
| 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | 🛑 Not doable with tfsec custom checks |
| 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | 🛑 Not doable with tfsec custom checks |
| 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | 🛑 Not doable with tfsec custom checks |
| 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | 🛑 Not doable with tfsec custom checks |
| 5.2.6 | Ensure that Activity Log Alert exists for Delete Network Security Group Rule | 🛑 Not doable with tfsec custom checks |
| 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | 🛑 Not doable with tfsec custom checks |
| 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | 🛑 Not doable with tfsec custom checks |
| 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | 🛑 Not doable with tfsec custom checks |
| 5.2.10 | Ensure that Diagnostic Logs are enabled for all services that support it | 🛑 Not Terraform-related |

6 Networking

| CIS # | Policy | Status |
|---|---|---|
| 6.1 | Ensure that RDP access is restricted from the Internet | ☑️ Done by tfsec |
| 6.2 | Ensure that SSH access is restricted from the Internet | ☑️ Done by tfsec |
| 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (any IP) | ☑️ Done by tfsec |
| 6.4 | Ensure that Network Security Group Flow Log retention period is 'Greater than 90 days' | ☑️ Done by tfsec |
| 6.5 | Ensure that Network Watcher is 'Enabled' | 🛑 Not Terraform-related |
| 6.6 | Ensure that UDP Services are restricted from the Internet | 🛑 Not Terraform-related |

7 Virtual Machines

| CIS # | Policy | Status |
|---|---|---|
| 7.1 | Ensure Virtual Machines are utilizing Managed Disks | ✅ Done |
| 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | 🛑 Not Terraform-related |
| 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | 🛑 Not Terraform-related |
| 7.4 | Ensure that only approved extensions are installed | 🛑 Not Terraform-related |
| 7.5 | Ensure that the latest OS patches for all Virtual Machines are applied | 🛑 Not Terraform-related |
| 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | 🛑 Not Terraform-related |
| 7.7 | Ensure that VHDs are encrypted | 🛑 Not Terraform-related |

8 Other Security Considerations

| CIS # | Policy | Status |
|---|---|---|
| 8.1 | Ensure that the expiration date is set for all Keys in RBAC Key Vaults | ☑️ Done by tfsec |
| 8.2 | Ensure that the expiration date is set for all Keys in Non-RBAC Key Vaults | ☑️ Done by tfsec |
| 8.3 | Ensure that the expiration date is set for all Secrets in RBAC Key Vaults | ☑️ Done by tfsec |
| 8.4 | Ensure that the expiration date is set for all Secrets in Non-RBAC Key Vaults | ☑️ Done by tfsec |
| 8.5 | Ensure that Resource Locks are set for mission critical Azure resources | 🛑 Not Terraform-related |
| 8.6 | Ensure the Key Vault is recoverable | ☑️ Done by tfsec |
| 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | ☑️ Done by tfsec |

9 AppService

| CIS # | Policy | Status |
|---|---|---|
| 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | ☑️ Done by tfsec |
| 9.2 | Ensure Web App redirects all HTTP traffic to HTTPS in Azure App Service | ☑️ Done by tfsec |
| 9.3 | Ensure Web App is using the latest version of TLS encryption | ☑️ Done by tfsec |
| 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | ☑️ Done by tfsec |
| 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | ☑️ Done by tfsec |
| 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | ☑️ Done by tfsec |
| 9.7 | Ensure that 'Python version' is the latest stable version, if used to run the web app | ☑️ Done by tfsec |
| 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | ✅ Done (this check will need manually updating for newer versions of Java; it currently checks for Java 17) |
| 9.9 | Ensure that 'HTTP version' is the latest, if used to run the web app | ☑️ Done by tfsec |
| 9.10 | Ensure FTP deployments are disabled | ☑️ Done by tfsec |
| 9.11 | Ensure Azure Key Vaults are used to store Secrets | 🛑 Not Terraform-related |