
Azure CIS 1.3.1 Benchmark Report

Legacy Report

This is now a legacy report and will be deprecated on 31st March 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.

Lacework advises that you start using the latest available reports/assessments.

The Azure CIS 1.3.1 benchmark report was added as of the v4.32 platform release. This report will continue to co-exist with the CIS 1.0 benchmark report for Azure. The CIS 1.0 benchmark will eventually be deprecated once all Lacework customers have had time to migrate to the latest report.

Prerequisites

The following articles describe how to integrate your Azure environment with the Lacework Compliance platform. Completing these will prepare your environment for the Azure CIS 1.3.1 benchmark.

Choose one of the following options:

  1. Azure Compliance Integration - Manually using the Azure Portal
    • This guide includes links to existing articles for creating the Azure App and gathering the required information. Previous methods are now deprecated.
  2. Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell
    • This guide has been updated for the new 1.0 Terraform module.
  3. Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host
    • This guide has been updated for the new 1.0 Terraform module.
note

For Terraform, the new Azure CIS 1.3.1 benchmark will run under your existing integration, but will require an upgrade by 2022.

Enable the Azure CIS 1.3.1 Benchmark

The Azure CIS 1.3.1 benchmark is released with all policies disabled.

On the Policies page, search for AZURE_CIS_131 to filter for Azure CIS 1.3.1 policies only.

You can enable or disable an individual policy using its status toggle (image: policy status toggle).

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.

Automated vs Manual Rules

Lacework uses the CIS Workbench Benchmarks to automate your Compliance rules where it is possible to do so.

Automated rules that were deemed "manual"

In some cases, Lacework is able to automate some of the Azure CIS 1.3.1 benchmark rules that were deemed as "manual" by CIS. The following table outlines these rules:

Automated Rules | Action | Rationale
Azure_CIS131_3_3, Azure_CIS131_3_7, Azure_CIS131_3_10, Azure_CIS131_3_11 | Lacework have automated these rules, which are described as Manual in the Azure CIS 1.3.1 benchmark. | Lacework have submitted corrections to CIS on these rules and their auditing procedure, in place for the upcoming 1.4.0 benchmark. More details can be found at the CIS Workbench.

Manual rules that were deemed "automated"

For some of the benchmark rules, it is not possible to automate the checks in an Azure environment. As such, manual auditing of these rules in your Azure environment is required.

The table below outlines the Azure CIS 1.3.1 benchmark rules that require manual checks:

Manual Rules | Action | Rationale
Azure_CIS131_1_3, Azure_CIS131_1_22, Azure_CIS131_3_9, Azure_CIS131_5_1_1, Azure_CIS131_5_3, Azure_CIS131_8_1, Azure_CIS131_8_3 | Lacework have marked these rules as manual processing only. They cannot be automated in full for one of the following reasons: the scope is defined by the user; the check requires configuring other products or API permissions that are out of scope; or there are known issues in the audit procedure described by the CIS control rule. | Lacework have submitted corrections to CIS on these rules, in place for the upcoming 1.4.0 benchmark. More details can be found at the CIS Workbench.

Lacework Custom Rules

The following custom rules are used to automate certain "manual" CIS 1.3.1 benchmark rules as closely as possible to their original intention:

Lacework Custom Rule | CIS Rule
LW_Azure_IAM_1 | Azure_CIS131_1_1
LW_Azure_IAM_2 | Azure_CIS131_1_2
LW_Azure_IAM_3 | Azure_CIS131_1_3

These CIS rules were originally considered at the Tenant-level, but the custom versions are implemented at the Subscription-level.

important

These rules can only be enabled/automated if you have enabled Azure Security Center (free). See Azure FAQ for further info.