Azure CIS 1.3.1 Benchmark Report
Legacy Report
This is now a legacy report and will be deprecated on 31st March 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.
Lacework advises that you start using the latest available reports/assessments.
The Azure CIS 1.3.1 benchmark report was added as of the v4.32 platform release. This report will continue to co-exist with the CIS 1.0 benchmark report for Azure. The CIS 1.0 benchmark will eventually be deprecated once all Lacework customers have had time to migrate to the latest report.
Prerequisites
The following articles describe how to integrate your Azure environment with the Lacework Compliance platform. Completing these will prepare your environment for the Azure CIS 1.3.1 benchmark.
Choose one of the following options:
- Azure Compliance Integration - Manually using the Azure Portal
- This guide includes links to existing articles for creating the Azure App and gathering the required information. Previous methods are now deprecated.
- Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell
- This guide has been updated for the new 1.0 Terraform module.
- Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host
- This guide has been updated for the new 1.0 Terraform module.
note
For Terraform, the new Azure CIS 1.3.1 benchmark will run under your existing integration, but will require an upgrade by 2022.
Enable the Azure CIS 1.3.1 Benchmark
The Azure CIS 1.3.1 benchmark is released with all policies disabled.
On the Policies page, search for AZURE_CIS_131 to filter for Azure CIS 1.3.1 policies only.
You can enable or disable individual policies using its status toggle: 
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.
Automated vs Manual Rules
Lacework uses the CIS Workbench Benchmarks to automate your Compliance rules where it is possible to do so.
Automated rules that were deemed "manual"
In some cases, Lacework is able to automate some of the Azure CIS 1.3.1 benchmark rules that were deemed as "manual" by CIS. The following table outlines these rules:
| Automated Rules | Action | Rationale |
|---|---|---|
Azure_CIS131_3_3Azure_CIS131_3_7Azure_CIS131_3_10Azure_CIS131_3_11 | Lacework have automated these rules, described as Manual in the Azure CIS 1.3.1 benchmark. | Lacework have submitted corrections to CIS on these rules and the auditing procedure in place for upcoming 1.4.0 benchmark. More details can be found at the CIS Workbench. |
Manual rules that were deemed "automated"
For some of the benchmark rules, it is not possible to automate the checks in an Azure environment. As such, manual auditing of these rules in your Azure environment is required.
The table below outlines the Azure CIS 1.3.1 benchmark rules that require manual checks:
| Manual Rules | Action | Rationale |
|---|---|---|
Azure_CIS131_1_3Azure_CIS131_1_22Azure_CIS131_3_9Azure_CIS131_5_1_1Azure_CIS131_5_3Azure_CIS131_8_1Azure_CIS131_8_3 | Lacework have marked these rules as manual processing only. They cannot be automated in full due to one of the following reasons : - Scope is defined by the user. - It requires configuring other products or API permissions that are out of scope. - Known issues for audit procedure described by CIS control rule. | Lacework have submitted corrections to CIS on these rules, in place for upcoming benchmark 1.4.0. More details can be found at the CIS Workbench. |
Lacework Custom Rules
The following custom rules are used to automate certain "manual" CIS 1.3.1 benchmark rules as close to the original intention:
| Lacework Custom Rule | CIS Rule |
|---|---|
LW_Azure_IAM_1 | Azure_CIS131_1_1 |
LW_Azure_IAM_2 | Azure_CIS131_1_2 |
LW_Azure_IAM_3 | Azure_CIS131_1_3 |
These CIS rules were originally considered at the Tenant-level, but the custom versions are implemented at the Subscription-level.
important
These rules can only be enabled/automated if you have enabled Azure Security Center (free). See Azure FAQ for further info.