What's new in the CIS v2.0 benchmark for Azure
Our analysis of the Azure recommendations.
Last month, the Center for Internet Security (CIS) released version 2.0.0 of their Foundation Benchmark for Microsoft Azure. While this is a new major version, only a few changes have been made between it and version 1.5, which was released over the summer.
Of the 118 changes in the change log, only five new recommendations were added, while one was removed. In addition, five recommendations were changed from Manual to Automated assessment as the Azure APIs matured. Finally, two recommendations were moved from Automated to Manual as the community realized assessing these with the Azure APIs was impossible.
Our take on the new recommendations in v2.0
- 1.3 Ensure that 'Users can create Azure AD Tenants' is set to 'No' - this recommendation seems pretty obvious. You want to ensure that an Azure AD Tenant created for your organization is governed and managed accordingly.
- 2.3 Microsoft Defender for External Attack Surface Monitoring - overall Section 2 was completely restructured with minimal substantive changes. Section 2.3 was added, but oddly no recommendations are in it.
- 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible - is a new (manual) addition for CosmosDB that makes a ton of sense. Switching to provider-generated credentials is one less secret to mishandle or let an adversary access accidentally.
- 5.3.1 Ensure Application Insights are Configured - this level 2 recommendation focuses more on application performance; however, performance anomalies can often be indicators of compromise. This is a good recommendation if your organization has the budget and maturity to operationalize these insights.
- 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored - is intended to reflect that this tier of service doesn’t provide the level of monitoring required for production workloads, as this is an additional expense, CIS rates it a level 2.
- 7.1 Ensure an Azure Bastion Host Exists - is a level 2 recommendation to use an Azure-provided zero-trust tool rather than expose resources publicly. Many organizations will have already developed patterns for securely accessing resources, so you want to be careful blindly making this a requirement.
One recommendation was removed:
- 1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual) was considered a duplicate of 1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled (Manual) and 1.5 was removed.
Other notable changes
In the CIS v1.5 benchmark, the following were identified as Manual controls. However there were APIs supporting these configurations. In v2.0 these are now correctly identified as automated controls:
- 3.2 Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ (Level 2)
- 3.10 Ensure Private Endpoints are used to access Storage Accounts (Level 1)
- 4.5.1 Ensure That (Cosmos DB) 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Level 2)
- 6.6 Ensure that Network Watcher is 'Enabled' (Level 2)
- 7.2 Ensure Virtual Machines are utilizing Managed Disks (Level 1)
On the other hand, there were a few recommendations that shifted from Automated to Manual. CIS determined that the API calls from the previous version didn’t provide the correct API response. As a result, customers were getting a false sense of security, which has been corrected in version 2.0:
- 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' (Level 2)
- 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' (Level 2)
Evaluate your environment with Azure CIS v2.0
The Steampipe Azure Compliance mod, packed with hundreds of controls that check your Azure accounts for compliance with benchmarks like CIS, NIST, and PCI DSS, now includes new controls for Azure CIS v2.0.
steampipe plugin install azure azureadgit clone https://github.com/turbot/steampipe-mod-azure-compliance.gitcd steampipe-mod-azure-compliancesteampipe dashboard
http://localhost:9194 in your browser and view the dashboard.
We love open source!
Steampipe delivers a full suite of tools to build, execute and share cloud configuration, compliance, and security frameworks using HCL + SQL! We would love your help in expanding the open-source documentation and control coverage for the Steampipe Azure Compliance mod. The best way to get started is to join our Slack community; we would love to talk to you!