Note: The most up-to-date Azure Security Benchmark is available here.
Inventory and Asset Management recommendations focus on addressing issues related to actively managing (inventory, track, and correct) all Azure resources so that only authorized resources are given access, and unauthorized and unmanaged resources are identified and removed.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.1 | 1.1, 1.2, 1.3, 1.4, 9.1, 12.1 | Customer |
Use Azure Resource Graph to query and discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure you have appropriate (read) permissions in your tenant, and enumerate all Azure subscriptions as well as the resources within them.
Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.2 | 1.5 | Customer |
Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.3 | 1.6 | Customer |
Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.4 | 2.1 | Customer |
Create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.5 | 2.3, 2.4 | Customer |
Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).
Use Azure Resource Graph to query and discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.
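As an added example that is not part of the benchmark, the following Python script reconciles a Resource Graph inventory against an approved-resource-type list (6.5) and a set of required tags (6.2, 6.3). The query string, the approved types, the required tags and the sample rows are all constructed placeholders to replace with your organization's own values.

```python
import json

# KQL for Azure Resource Graph; run it with, for example, `az graph query -q "<query>" -o json`
# and feed the returned rows to reconcile(). Extra projected fields are ignored by the checks.
INVENTORY_QUERY = "Resources | project id, name, type, subscriptionId, resourceGroup, tags"

# Assumed organisational allow-list and mandatory tags: placeholders for this example,
# not values taken from the benchmark. Types are compared case-insensitively.
APPROVED_TYPES = {
    "microsoft.compute/virtualmachines",
    "microsoft.storage/storageaccounts",
    "microsoft.network/networksecuritygroups",
}
REQUIRED_TAGS = {"owner", "environment"}

def reconcile(rows, approved_types=APPROVED_TYPES, required_tags=REQUIRED_TAGS):
    """Flag resources whose type is not approved (6.5) or that lack required tags (6.2/6.3)."""
    findings = []
    for r in rows:
        rtype = r.get("type", "").lower()
        present = {k.lower() for k in (r.get("tags") or {})}  # tags can be null in Resource Graph output
        missing = sorted(t for t in required_tags if t not in present)
        if rtype not in approved_types:
            findings.append({"id": r["id"], "issue": "unapproved-type", "type": rtype})
        if missing:
            findings.append({"id": r["id"], "issue": "missing-tags", "tags": missing})
    return findings

# Constructed sample of Resource Graph rows (subscription id and names are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/"
SAMPLE_ROWS = [
    {"id": SUB + "rg-app/providers/Microsoft.Compute/virtualMachines/vm-web1",
     "name": "vm-web1", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"owner": "app-team", "environment": "prod"}},
    {"id": SUB + "rg-app/providers/Microsoft.ClassicCompute/virtualMachines/vm-legacy",
     "name": "vm-legacy", "type": "Microsoft.ClassicCompute/virtualMachines",
     "tags": None},  # classic resource: still discoverable, but not on the approved list
    {"id": SUB + "rg-data/providers/Microsoft.Storage/storageAccounts/stdata01",
     "name": "stdata01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"Owner": "data-team"}},  # tag key case differs; "environment" is absent
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_ROWS):
        print(json.dumps(finding))
```

Each finding names the resource id, so the output can be fed into a ticketing or remediation workflow for the timely removal the benchmark asks for.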
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.6 | 2.3, 2.4 | Customer |
Use Azure virtual machine Inventory to automate the collection of information about all software on Virtual Machines. Software Name, Version, Publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.7 | 2.5 | Customer |
Use Azure Security Center's File Integrity Monitoring (Change Tracking) and virtual machine inventory to identify all software installed on Virtual Machines. You can implement your own process for removing unauthorized software. You can also use a third-party solution to identify unapproved software.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.8 | 2.6 | Customer |
Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.9 | 2.6 | Customer |
Use Azure Policy to restrict which services you can provision in your environment.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.10 | 2.7 | Customer |
Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to.
Implement a third-party solution if this does not meet the requirement.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.11 | 2.9 | Customer |
Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.12 | 2.9 | Customer |
Depending on the type of scripts, you may use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. You can also leverage Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
- How to control PowerShell script execution in Windows Environments
- How to use Azure Security Center Adaptive Application Controls
Azure ID | CIS IDs | Responsibility |
---|---|---|
6.13 | 2.9 | Customer |
Software that is required for business operations, but may incur higher risk for the organization, should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or Network Security Group.
- See the next Security Control: Secure Configuration