Azure Policy Regulatory Compliance controls for Azure Virtual Machines
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Regulatory Compliance in Azure Policy provides Azure-created and Azure-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Azure Security Benchmark
The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.
CIS Microsoft Azure Foundations Benchmark
For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
---|---|---|---|---|
Security Center | 2.3 | Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | System updates should be installed on your machines | 1.0.0 |
Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Disk encryption should be applied on virtual machines | 1.0.0 |
Security Center | 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Internet-facing virtual machines should be protected with network security groups | 1.1.0 |
Security Center | 2.10 | Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
Security Center | 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Management ports of virtual machines should be protected with just-in-time network access control | 1.0.1 |
Security Center | 2.13 | Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Disk encryption should be applied on virtual machines | 1.0.0 |
Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Disk encryption should be applied on virtual machines | 1.0.0 |
Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Unattached disks should be encrypted | 1.0.0 |
Virtual Machines | 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | System updates should be installed on your machines | 1.0.0 |
Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
NIST SP 800-171 R2
For more information about this compliance standard, see NIST SP 800-171 R2.
Domain | Control ID | Control Title | Policy (Azure portal) | Policy Version (GitHub) |
---|---|---|---|---|
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Show audit results from Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | 1.2.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | 1.2.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | 1.0.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | 1.0.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Show audit results from Linux VMs that allow remote connections from accounts without passwords | 3.0.0 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | 1.0.0-preview |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | 1.0.1 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Audit Log Analytics workspace for VM - Report Mismatch | 1.0.1 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on Virtual Machine Scale Sets | 1.0.0 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics agent should be installed on virtual machines | 1.0.0 |
Configuration Management | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
Configuration Management | 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
Configuration Management | 3.4.9 | Control and monitor user-installed software. | Adaptive application controls for defining safe applications should be enabled on your machines | 1.0.2 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Deploy prerequisites to audit Linux VMs that have accounts without passwords | 3.0.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Show audit results from Linux VMs that have accounts without passwords | 3.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Linux VMs that have accounts without passwords | 3.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | 1.2.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | 1.2.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Linux VMs that have accounts without passwords | 3.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Windows VMs that do not have the password complexity setting enabled | 1.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | 1.0.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | 1.2.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Show audit results from Windows VMs that allow re-use of the previous 24 passwords | 1.0.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | 1.2.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | 3.0.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Show audit results from Windows VMs that do not store passwords using reversible encryption | 1.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in container security configurations should be remediated | 1.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Access through Internet facing endpoint should be restricted | 1.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | 1.2.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Show audit results from Windows web servers that are not using secure communication protocols | 1.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Access through Internet facing endpoint should be restricted | 1.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | 1.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Internet-facing virtual machines should be protected with network security groups | 1.1.0 |
System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | 1.2.0 |
System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Show audit results from Windows web servers that are not using secure communication protocols | 1.0.0 |
System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Disk encryption should be applied on virtual machines | 1.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates on virtual machine scale sets should be installed | 1.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | System updates should be installed on your machines | 1.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 1.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 1.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities should be remediated by a Vulnerability Assessment solution | 1.0.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Endpoint protection solution should be installed on virtual machine scale sets | 1.0.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.0.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Monitor missing Endpoint Protection in Azure Security Center | 1.0.0 |
NIST SP 800-53 R4
For more information about this compliance standard, see NIST SP 800-53 R4.
Next steps
- See the built-ins on the Azure Policy GitHub repo.