CIS Azure Foundations Benchmark
Overview
The Center for Internet Security (CIS) provides a set of best practices and security recommendations referred to as the Microsoft Azure Foundations Benchmark. These benchmarks are provided to enhance the security of the various resources in Azure.
Purpose
The CIS Microsoft Azure Foundations Benchmark is a comprehensive set of best practices and security recommendations designed to strengthen the security posture of different resources in Azure. It serves as a practical guide for organizations, helping them establish a secure and compliant Azure environment. The primary purposes of this benchmark are:
Security Enhancement: The benchmark equips organizations with a set of well-defined security guidelines and best practices to proactively identify and address security vulnerabilities, misconfigurations, and potential threats within Azure.
Compliance Alignment: In a landscape with evolving compliance requirements, the benchmark enables organizations to align with industry and regulatory standards by providing clear and actionable security recommendations.
Standardization: By offering universally recognized best practices, the benchmark encourages the adoption of standardized security procedures across Azure environments, ensuring consistency and uniformity in security configurations.
Importance
Securing Azure is of paramount importance for several reasons:
Data Protection: Azure hosts critical applications and workloads that handle sensitive data. Insufficient security measures can lead to data breaches and data loss.
Operational Continuity: Security incidents can disrupt operations and result in downtime, making a secure Azure environment crucial for maintaining business continuity.
Reputation and Trust: Security incidents can damage an organization's reputation and erode trust among customers and partners. The implementation of robust security measures is vital for preserving trust and integrity.
Legal and Regulatory Compliance: Many industries and jurisdictions have stringent data protection and security regulations. Non-compliance can lead to legal consequences and liabilities.
By adhering to the recommendations outlined in the CIS Microsoft Azure Foundations Benchmark, organizations can significantly enhance the security of their Azure environment, safeguard their assets, and mitigate potential security threats effectively.
How BOS targets CIS Azure Foundations Benchmarks v2.1.0
Benchmark Index | CIS Benchmark Recommendation | BOS Env Template Supports | BOS Pipeline Template Supports | BOS Default | Comments |
---|---|---|---|---|---|
1.1 | Security Defaults | ||||
1.1.1 | Ensure Security Defaults is enabled on Microsoft Entra ID (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2 | Conditional Access | ||||
1.2.1 | Ensure Trusted Locations Are Defined (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.2 | Ensure that an exclusionary Geographic Access Policy is considered (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.3 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.4 | Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.5 | Ensure Multi-factor Authentication is Required for Risky Sign-ins (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.6 | Ensure Multifactor Authentication is Required for Windows Azure Service Management API (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.2.7 | Ensure Multifactor Authentication is Required to access Microsoft Admin Portals (Manual) | ||||
1.3 | Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.4 | Ensure Guest Users Are Reviewed on a Regular Basis (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.5 | Ensure That 'Number of methods required to reset' is set to '2' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.6 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.7 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.8 | Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.9 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.10 | Ensure That 'User consent for applications' is set to 'Do not allow user consent' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.11 | Ensure That ‘User consent for applications’ Is Set To ‘Allow for Verified Publishers’ (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.12 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.13 | Ensure That ‘Users Can Register Applications’ Is Set to ‘No’ (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.14 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.15 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.16 | Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.17 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.18 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.19 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.20 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.21 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.22 | Ensure That No Custom Subscription Administrator Roles Exist (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.23 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.24 | Ensure That Subscription leaving Microsoft Entra ID directory and Subscription entering Microsoft Entra ID directory Is Set To ‘Permit No One’ (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
1.25 | Ensure fewer than 5 users have global administrator assignment (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1 | Microsoft Defender for Cloud | ||||
2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.3 | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.4 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.5 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.6 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.9 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.10 | [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.11 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.12 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' (Automated) | Yes | NA | Yes | BOS Environment Template supports enabling Defender plans. |
2.1.13 | Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.14 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.15 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' (Manual) | Yes | NA | No | BOS Environment Template supports auto provisioning of 'Log Analytics agent for Azure VMs'. Disabled as it is being replaced by the Azure Monitor Agent. |
2.1.16 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.17 | Ensure That 'All users with the following roles' is set to 'Owner' (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.18 | Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated) | Yes | NA | No | BOS Environment Template supports configuration of a Security Contact Email. Disabled by default to avoid conflict with existing emails. |
2.1.19 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Automated) | Yes | NA | No | BOS Environment Template supports configuration of a Security Contact Email. Disabled by default to avoid conflict with existing emails. |
2.1.20 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.21 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.1.22 | Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
2.2 | Microsoft Defender for IoT | ||||
2.2.1 | Ensure That Microsoft Defender for IoT Hub Is Set To 'On' (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
3.0 | Storage Accounts | ||||
3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of the TLS version for storage accounts. |
3.2 | Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of infrastructure encryption. |
3.3 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of Diagnostic Settings. |
3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
3.7 | Ensure that 'Public Network Access' is 'Disabled' for storage accounts (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of public access. |
3.8 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of network rules for storage accounts. |
3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of 'Allow Azure services on the trusted services list to access this storage account'. |
3.10 | Ensure Private Endpoints are used to access Storage Accounts (Automated) | Yes | NA | No | BOS Environment Template supports configuration of a private endpoint for storage accounts. Disabled by default because these storage accounts are used for storing Azure logs, and Azure needs access to the storage account without any network rules in order to write to it. |
3.11 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of soft delete retention days for storage accounts. |
3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual) | Yes | NA | Yes | BOS Environment Template supports configuration of encryption with Customer Managed Keys for storage accounts. |
3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of Diagnostic Settings. |
3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of Diagnostic Settings. |
3.15 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" (Automated) | Yes | NA | Yes | BOS Environment Template creates storage accounts that default to TLS 1.2. |
3.16 | Ensure 'Cross Tenant Replication' is not enabled (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
3.17 | Ensure that `Allow Blob Anonymous Access` is set to `Disabled` (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.1 | SQL Server - Auditing | ||||
4.1.1 | Ensure that 'Auditing' is set to 'On' (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration and retention of audit logs. |
4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of network rules for SQL. |
4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated) | Yes | NA | Yes | BOS Environment Template supports TDE with CMK. |
4.1.4 | Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated) | Yes | NA | No | BOS Environment Template supports enablement of Azure AD authentication. |
4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated) | Yes | NA | Yes | BOS Environment Template supports TDE with CMK. |
4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration and retention of audit logs. |
4.3 | PostgreSQL Database Server | ||||
4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.4 | MySQL Database | ||||
4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.4.3 | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.4.4 | Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.5 | Cosmos DB | ||||
4.5.1 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of firewall and network settings for Cosmos DB. |
4.5.2 | Ensure That Private Endpoints Are Used Where Possible (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of a private endpoint for Cosmos DB. |
4.5.3 | Use Entra ID Client Authentication and Azure RBAC where possible. (Manual) | Yes | NA | Yes | BOS Environment Template creates Cosmos DB with AAD client authentication. |
5.1 | Configuring Diagnostic Settings | ||||
5.1.1 | Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs (Manual) | Yes | No | Yes | Diagnostic Settings are enabled for the resources. |
5.1.2 | Ensure Diagnostic Setting captures appropriate categories (Automated) | Yes | No | Yes | The types of logs captured in the Diagnostic Setting are configurable in the template. |
5.1.3 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.1.4 | Ensure that logging for Azure Key Vault is 'Enabled' (Automated) | Yes | No | Yes | Logging is enabled for Key Vault. |
5.1.5 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | Yes | No | No | NSG Flow logs are disabled by default to limit cost. Once enabled, they are sent to Log Analytics. |
5.1.6 | Ensure that logging for Azure AppService 'HTTP logs' is enabled (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2 | Monitoring using Activity Log Alerts | ||||
5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.9 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.2.10 | Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.3 | Configuring Application Insights | ||||
5.3.1 | Ensure Application Insights are Configured (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of Application Insights. |
5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | Yes | NA | Yes | BOS Environment Template supports configuration of Diagnostic Settings. |
5.5 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of resource SKUs. |
6.0 | Networking | ||||
6.1 | Ensure that RDP access from the Internet is evaluated and restricted (Automated) | Yes | NA | Yes | BOS Environment Template creates subnets with NSGs. Rules in the NSG can be configured via the template parameters. |
6.2 | Ensure that SSH access from the Internet is evaluated and restricted (Automated) | Yes | NA | Yes | BOS Environment Template creates subnets with NSGs. Rules in the NSG can be configured via the template parameters. |
6.3 | Ensure that UDP access from the Internet is evaluated and restricted (Automated) | Yes | NA | Yes | BOS Environment Template creates subnets with NSGs. Rules in the NSG can be configured via the template parameters. |
6.4 | Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated) | Yes | NA | Yes | BOS Environment Template creates subnets with NSGs. Rules in the NSG can be configured via the template parameters. |
6.5 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) | Yes | NA | No | BOS Environment Template supports enablement and configuration of NSG Flow logs. Disabled by default to limit cost. |
6.6 | Ensure that Network Watcher is 'Enabled' (Automated) | Yes | NA | Yes | BOS Environment Template supports enablement of Network Watcher. |
6.7 | Ensure that Public IP addresses are Evaluated on a Periodic Basis (Manual) | Yes | NA | Yes | BOS Environment Template creates a set number of Public IPs that are necessary for networking, such as NAT. |
7.0 | Virtual Machines | ||||
7.1 | Ensure an Azure Bastion Host Exists (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
7.2 | Ensure Virtual Machines are utilizing Managed Disks (Automated) | Yes | NA | Yes | BOS Environment Template creates VMs with managed disks. |
7.3 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) (Automated) | Yes | NA | Yes | BOS Environment Template encrypts disks with Azure Disk Encryption. |
7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) (Automated) | Yes | NA | Yes | BOS Environment Template does not create any unattached disks. |
7.5 | Ensure that Only Approved Extensions Are Installed (Manual) | Yes | NA | Yes | BOS Environment Template installs only extensions that are owned by Azure. |
7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
7.7 | [Legacy] Ensure that VHDs are Encrypted (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
7.8 | Ensure only MFA enabled identities can access privileged Virtual Machine (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
7.9 | Ensure Trusted Launch is enabled on Virtual Machines (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
8.0 | Key Vault | ||||
8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of the expiry date. |
8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of the expiry date. |
8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of the expiry date. |
8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of the expiry date. |
8.5 | Ensure the Key Vault is Recoverable (Automated) | Yes | NA | Yes | BOS Environment Template supports configuration of purge protection. |
8.6 | Enable Role Based Access Control for Azure Key Vault (Manual) | Yes | NA | Yes | BOS Environment Template supports configuration of RBAC. |
8.7 | Ensure that Private Endpoints are Used for Azure Key Vault (Manual) | Yes | NA | Yes | BOS Environment Template supports configuration of a private endpoint. |
8.8 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services (Manual) | Yes | NA | Yes | BOS Environment Template supports Azure Key Vault automatic key rotation for the keys it creates. |
9.0 | AppService | ||||
9.1 | Ensure App Service Authentication is set up for apps in Azure App Service (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.3 | Ensure Web App is using the latest version of TLS encryption (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.4 | Ensure that Register with Entra ID is enabled on App Service (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.5 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.6 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.7 | Ensure that 'Java version' is the latest, if used to run the Web App (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.8 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.9 | Ensure FTP deployments are Disabled (Automated) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
9.10 | Ensure Azure Key Vaults are Used to Store Secrets (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
10.0 | Miscellaneous | ||||
10.1 | Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual) | Yes | NA | Yes | BOS Environment Template supports configuration of resource locks. |