Cloud Custodian Policies for CIS Microsoft Azure Foundations Benchmark (Part 1)

CIS Azure Foundations Benchmark Cloud Custodian Policies

1 — Identity and Access Management

policies:
  - name: cis-identity-mfa-not-enabled-privileged-users
    resource: azure.roleassignment
    description: |
      Find all privileged users for whom MFA is NOT enabled. Enable
      multi-factor authentication for all user credentials that have
      write access to Azure resources. These include roles like
      Service Co-Administrators, Subscription Owners, and
      Contributors. This policy runs every Sunday at 8:55AM UTC.
    filters:
      # "in" is required when matching against a list; "eq" compares the
      # scalar role name to the whole list and never matches.
      - type: value
        key: properties.roleName
        op: in
        value: ['Owner', 'Contributor', 'admin']
      - type: value
        key: Microsoft.Online.Administration.StrongAuthenticationRequirement
        op: ne
        value: Enabled
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-identity-mfa-not-enabled-non-privileged-users
    resource: azure.roleassignment
    description: |
      Find all non-privileged users for whom MFA is NOT enabled.
      Enable multi-factor authentication for all user credentials that
      have write access to Azure resources. These include all roles
      except Administrators, Subscription Owners, and Contributors.
      This policy runs every Sunday at 8:55AM UTC.
    filters:
      - not:
          # "in" is required when matching against a list of role names
          - type: value
            key: properties.roleName
            op: in
            value: ['Owner', 'Contributor', 'admin']
      - type: value
        key: Microsoft.Online.Administration.StrongAuthenticationRequirement
        op: ne
        value: Enabled
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  # Renamed: the original name (cis-identity-no-custom-subscription-owner)
  # did not match the description and filter, which look for guest users.
  - name: cis-identity-guest-users-present
    resource: azure.roledefinition
    description: |
      Find all Guest Users in the Azure Active Directory.
      This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: UserType
        op: eq
        value: Guest
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-https-not-enabled
    resource: azure.storage
    description: |
      Find all Storage Accounts where the traffic is not using HTTPS.
      This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: properties.supportsHttpsTrafficOnly
        op: ne
        value: true
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  # Renamed: the original reused cis-storage-https-not-enabled, which would
  # collide with the HTTPS policy above when the policies share a file.
  - name: cis-storage-keys-not-rotated
    resource: azure.storage
    description: |
      Find all keys that do not have auto-regeneration enabled or are
      not rotated every 30 days. This policy runs every Sunday at
      8:55AM UTC.
    filters:
      - or:
          - type: auto-regenerate-key
            value: false
          - type: regeneration-period
            op: ne
            value: P30D
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-logging-not-enabled-for-queue-properties
    resource: azure.storage
    description: |
      Find all storage accounts where diagnostic logging for queue
      operations (read, write, delete) is not enabled. This
      policy runs every Sunday at 8:55AM UTC.
    filters:
      - or:
          - type: storage-diagnostic-settings
            storage-type: queue
            key: logging.read
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: queue
            key: logging.write
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: queue
            key: logging.delete
            op: eq
            value: false
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-container-publicly-accessible
    resource: azure.storage-container
    description: |
      Find all storage containers with public access enabled. This
      policy runs every Sunday at 8:55AM UTC.
    filters:
      # the property path belongs under "key"; the original had two "value" entries
      - type: value
        key: properties.publicAccess
        op: ne
        value: None
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-restrict-default-network-access
    resource: azure.storage
    description: |
      Find all storage accounts where default network access is not
      restricted. This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: properties.networkRuleSet.defaultAction
        op: eq
        value: Allow
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-tms-not-enabled
    resource: azure.storage
    description: |
      Find all storage accounts where Trusted Microsoft Services are
      not allowed to bypass network rules. If the value is None, TMS
      is not enabled. This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: properties.networkRuleSet.bypass
        op: eq
        value: None
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  # Renamed: the original reused cis-storage-tms-not-enabled, which would
  # collide with the Trusted Microsoft Services policy above.
  - name: cis-storage-blob-soft-delete-not-enabled
    resource: azure.storage
    description: |
      Find all storage accounts where soft delete for blobs is
      not enabled. This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: properties.deleteRetentionPolicy.enabled
        op: eq
        value: false
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-logging-not-enabled-for-blob-properties
    resource: azure.storage
    description: |
      Find all storage accounts where diagnostic logging for blob
      operations (read, write, delete) is not enabled. This
      policy runs every Sunday at 8:55AM UTC.
    filters:
      - or:
          - type: storage-diagnostic-settings
            storage-type: blob
            key: logging.read
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: blob
            key: logging.write
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: blob
            key: logging.delete
            op: eq
            value: false
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-logging-not-enabled-for-table-properties
    resource: azure.storage
    description: |
      Find all storage accounts where diagnostic logging for table
      operations (read, write, delete) is not enabled. This
      policy runs every Sunday at 8:55AM UTC.
    filters:
      - or:
          - type: storage-diagnostic-settings
            storage-type: table
            key: logging.read
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: table
            key: logging.write
            op: eq
            value: false
          - type: storage-diagnostic-settings
            storage-type: table
            key: logging.delete
            op: eq
            value: false
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-storage-tls-not-latest-version
    resource: azure.storage
    description: |
      Find all storage accounts that are not using the latest TLS
      version (1.2). This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: properties.minimumTlsVersion
        op: ne
        # the ARM property holds the enum value TLS1_2, not the string '1.2'
        value: TLS1_2
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-sqldatabase-auditing-set-off
    resource: azure.sqldatabase
    description: |
      Find all SQL Databases where auditing is not enabled.
      This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: AuditState
        op: ne
        value: Enabled
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-sqldatabase-tde-not-enabled
    resource: azure.sqldatabase
    description: |
      Find all SQL Databases where TDE is not enabled.
      This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: transparentDataEncryption
        op: ne
        value: Enabled
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  # Renamed: the original reused cis-sqldatabase-tde-not-enabled, which would
  # collide with the TDE policy above.
  - name: cis-sqldatabase-backup-retention-over-90-days
    resource: azure.sqldatabase
    description: |
      Find all SQL Databases with a weekly backup retention longer than
      90 days. This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: long-term-backup-retention-policy
        backup-type: weekly
        op: gt
        retention-period: 90
        retention-period-units: days
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
policies:
  - name: cis-sqlserver-atp-set-on
    resource: azure.sqlserver
    description: |
      Find all SQL Servers where advanced data security is not
      enabled. This policy runs every Sunday at 8:55AM UTC.
    filters:
      - type: value
        key: ThreatDetectionState
        op: ne
        value: Enabled
    mode:
      type: azure-periodic
      schedule: '0 55 8 * * 0'
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
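Almost every policy above is a `value` filter (a dotted property path, an operator and an expected value), sometimes wrapped in `or` or `not`. The following is an added example, not Cloud Custodian's own code and not part of the original article: a minimal evaluator that reimplements that subset of the filter language and runs four of the storage policies over constructed sample storage accounts. It generalizes what the page shows in two ways worth checking before deploying such policies: how an absent property behaves under `ne` versus `eq` (an account with no `networkRuleSet` at all is flagged by the TLS `ne` check but not by the `defaultAction` `eq` check), and why `op: eq` against a YAML list of role names never matches while `op: in` does. The operator semantics are an assumption modelled on Cloud Custodian's value filter; the resource documents and policy dicts are constructed.

```python
"""Added example: a small evaluator for Cloud Custodian-style filter blocks.

Not Cloud Custodian code. It reimplements just enough of the ``value``
filter plus ``or``/``and``/``not`` composition to show how the policies
above decide which resources to flag. All data below is constructed.
"""
from __future__ import annotations

from typing import Any, Callable

# Subset of the value-filter operators. Assumption: same semantics as c7n
# for the cases shown, including "missing key resolves to None".
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda r, v: r == v,
    "ne": lambda r, v: r != v,
    "in": lambda r, v: r in v,
    "not-in": lambda r, v: r not in v,
    "gt": lambda r, v: r is not None and r > v,
    "lt": lambda r, v: r is not None and r < v,
}


def get_value(resource: dict, key: str) -> Any:
    """Resolve a dotted key such as properties.networkRuleSet.defaultAction."""
    cur: Any = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # absent property, as c7n would see it
        cur = cur[part]
    return cur


def matches(resource: dict, flt: dict) -> bool:
    """Evaluate one filter entry: a value filter or an or/and/not block."""
    if "or" in flt:
        return any(matches(resource, f) for f in flt["or"])
    if "and" in flt:
        return all(matches(resource, f) for f in flt["and"])
    if "not" in flt:
        # children of "not" are ANDed, then the result is negated
        return not all(matches(resource, f) for f in flt["not"])
    if flt.get("type", "value") != "value":
        raise ValueError(f"unsupported filter type {flt.get('type')!r}")
    if "key" not in flt:
        # Writing "value:" twice instead of "key:"/"value:" leaves the parsed
        # filter with no key at all; fail loudly instead of matching nothing.
        raise ValueError(f"value filter without key: {flt}")
    op = flt.get("op", "eq")
    return OPERATORS[op](get_value(resource, flt["key"]), flt["value"])


def run_policies(policies: list[dict], resources: list[dict]) -> dict[str, list[str]]:
    """Map each policy name to the names of resources it flags.
    Top-level filters are ANDed, as in c7n."""
    return {
        p["name"]: [r["name"] for r in resources
                    if all(matches(r, f) for f in p.get("filters", []))]
        for p in policies
    }


# Constructed sample storage accounts (shape loosely follows the ARM API).
STORAGE_ACCOUNTS = [
    {"name": "stgprod01", "properties": {
        "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
        "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"}}},
    {"name": "stglegacy", "properties": {
        "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"}}},
    # No networkRuleSet and no TLS setting: shows how absent keys behave.
    {"name": "stgbare", "properties": {"supportsHttpsTrafficOnly": True}},
]

# The same filters as the storage policies above, as parsed dicts.
STORAGE_POLICIES = [
    {"name": "cis-storage-https-not-enabled", "filters": [
        {"type": "value", "key": "properties.supportsHttpsTrafficOnly", "op": "ne", "value": True}]},
    {"name": "cis-storage-restrict-default-network-access", "filters": [
        {"type": "value", "key": "properties.networkRuleSet.defaultAction", "op": "eq", "value": "Allow"}]},
    {"name": "cis-storage-tms-not-enabled", "filters": [
        {"type": "value", "key": "properties.networkRuleSet.bypass", "op": "eq", "value": "None"}]},
    {"name": "cis-storage-tls-not-latest-version", "filters": [
        {"type": "value", "key": "properties.minimumTlsVersion", "op": "ne", "value": "TLS1_2"}]},
]


def list_operator_gotcha() -> tuple[bool, bool]:
    """op: eq against a list never matches a scalar role name; op: in does."""
    assignment = {"name": "ra-1", "properties": {"roleName": "Owner"}}
    roles = ["Owner", "Contributor"]
    eq_hit = matches(assignment, {"type": "value", "key": "properties.roleName", "op": "eq", "value": roles})
    in_hit = matches(assignment, {"type": "value", "key": "properties.roleName", "op": "in", "value": roles})
    return eq_hit, in_hit


if __name__ == "__main__":
    for name, hits in run_policies(STORAGE_POLICIES, STORAGE_ACCOUNTS).items():
        print(f"{name}: {hits}")
    print("eq-with-list / in-with-list:", list_operator_gotcha())
```

Running it flags `stglegacy` under all four policies and, in addition, `stgbare` under the TLS policy only: the missing `minimumTlsVersion` resolves to `None`, which is `ne` to `TLS1_2`, whereas the missing `defaultAction` is not `eq` to `Allow`. Decide deliberately whether "setting absent" should count as a finding for each control, and write the operator accordingly.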

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT
