CIS Azure 1.3.1 to 1.5.0

The following sections list the differences between the CIS Azure 1.3.1 and CIS Azure 1.5.0 benchmark policies.

CIS Azure 1.3.1 to 1.5.0 Mapping

The table below lists the mapping of policies between CIS Azure 1.3.1 and 1.5.0, including assessment type and severity differences:

| CIS 1.3.1 Policy ID | CIS 1.3.1 Assessment Type | Lacework 1.3.1 Assessment Type | 1.3.1 Severity | CIS 1.5.0 Policy ID | CIS 1.5.0 Control ID | CIS 1.5.0 Assessment Type | Lacework 1.5.0 Assessment Type | 1.5.0 Severity | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Azure_CIS_131_1_1 | Manual | Manual | High | lacework-global-514 | 1.1.2 | Manual | Manual | High | |
| Azure_CIS_131_1_2 | Manual | Manual | Medium | lacework-global-597 | 1.1.3 | Manual | Manual | Medium | |
| Azure_CIS_131_1_3 | Automated | Manual | Medium | lacework-global-499 | 1.4 | Manual | Manual | Medium | |
| Azure_CIS_131_1_4 | Manual | Manual | Medium | lacework-global-500 | 1.5 | Manual | Manual | High | |
| Azure_CIS_131_1_5 | Manual | Manual | High | lacework-global-501 | 1.6 | Manual | Manual | High | |
| Azure_CIS_131_1_6 | Manual | Manual | High | lacework-global-503 | 1.8 | Manual | Manual | High | |
| Azure_CIS_131_1_7 | Manual | Manual | High | lacework-global-504 | 1.9 | Manual | Manual | High | |
| Azure_CIS_131_1_8 | Manual | Manual | High | lacework-global-505 | 1.10 | Manual | Manual | High | |
| Azure_CIS_131_1_9 | Manual | Manual | Medium | lacework-global-506 | 1.12 | Manual | Manual | Medium | |
| Azure_CIS_131_1_10 | Manual | Manual | High | lacework-global-507 | 1.13 | Manual | Manual | High | |
| Azure_CIS_131_1_11 | Manual | Manual | High | lacework-global-508 | 1.14 | Manual | Manual | High | |
| Azure_CIS_131_1_12 | Manual | Manual | High | lacework-global-509 | 1.15 | Manual | Manual | High | |
| Azure_CIS_131_1_13 | Manual | Manual | Critical | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_1_14 | Manual | Manual | Critical | lacework-global-590 | 1.16 | Manual | Manual | Critical | |
| Azure_CIS_131_1_15 | Manual | Manual | Critical | lacework-global-510 | 1.17 | Manual | Manual | Critical | |
| Azure_CIS_131_1_16 | Manual | Manual | High | lacework-global-591 | 1.18 | Manual | Manual | High | |
| Azure_CIS_131_1_17 | Manual | Manual | High | lacework-global-592 | 1.19 | Manual | Manual | High | |
| Azure_CIS_131_1_18 | Manual | Manual | High | lacework-global-593 | 1.20 | Manual | Manual | High | |
| Azure_CIS_131_1_19 | Manual | Manual | High | lacework-global-594 | 1.21 | Manual | Manual | High | |
| Azure_CIS_131_1_20 | Manual | Manual | Medium | lacework-global-511 | 1.22 | Manual | Manual | Medium | |
| Azure_CIS_131_1_21 | Automated | Automated | High | lacework-global-512 | 1.23 | Automated | Automated | Medium | |
| Azure_CIS_131_1_22 | Automated | Manual | High | lacework-global-513 | 1.1.1 | Manual | Manual | High | |
| Azure_CIS_131_1_23 | Manual | Manual | Medium | lacework-global-595 | 1.24 | Manual | Manual | Medium | |
| Azure_CIS_131_2_1 | Manual | Manual | Medium | lacework-global-598 | 2.1.1 | Manual | Manual | Medium | |
| Azure_CIS_131_2_2 | Manual | Manual | Medium | lacework-global-599 | 2.1.2 | Manual | Manual | Medium | |
| Azure_CIS_131_2_3 | Manual | Manual | Medium | lacework-global-601 | 2.1.4 | Manual | Manual | Medium | |
| Azure_CIS_131_2_4 | Manual | Manual | Medium | lacework-global-602 | 2.1.5 | Manual | Manual | Medium | |
| Azure_CIS_131_2_5 | Manual | Manual | Medium | lacework-global-604 | 2.1.7 | Manual | Manual | Medium | |
| Azure_CIS_131_2_6 | Manual | Manual | Medium | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_2_7 | Manual | Manual | Medium | lacework-global-605 | 2.1.8 | Manual | Manual | Medium | |
| Azure_CIS_131_2_8 | Manual | Manual | Medium | lacework-global-607 | 2.1.10 | Manual | Manual | Medium | |
| Azure_CIS_131_2_9 | Manual | Manual | Medium | lacework-global-614 | 2.4.2 | Manual | Manual | Medium | |
| Azure_CIS_131_2_10 | Manual | Manual | Medium | lacework-global-613 | 2.4.1 | Manual | Manual | Medium | |
| Azure_CIS_131_2_11 | Automated | Automated | High | lacework-global-524 | 2.2.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_12 | Manual | Manual | High | lacework-global-523 | 2.6 | Manual | Manual | Medium | |
| Azure_CIS_131_2_13 | Automated | Automated | High | lacework-global-526 | 2.3.2 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_14 | Automated | Automated | High | lacework-global-527 | 2.3.3 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_15 | Automated | Automated | High | lacework-global-525 | 2.3.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_1 | Automated | Automated | High | lacework-global-528 | 3.1 | Automated | Automated | High | |
| Azure_CIS_131_3_2 | Manual | Manual | High | lacework-global-530 | 3.4 | Manual | Manual | High | |
| Azure_CIS_131_3_3 | Manual | Automated | High | lacework-global-616 | 3.5 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_4 | Manual | Manual | High | lacework-global-531 | 3.6 | Manual | Manual | High | |
| Azure_CIS_131_3_5 | Automated | Automated | Critical | lacework-global-532 | 3.7 | Automated | Automated | Critical | |
| Azure_CIS_131_3_6 | Automated | Automated | High | lacework-global-533 | 3.8 | Automated | Automated | High | |
| Azure_CIS_131_3_7 | Manual | Automated | High | lacework-global-617 | 3.9 | Automated | Automated | High | |
| Azure_CIS_131_3_8 | Automated | Automated | High | lacework-global-535 | 3.11 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_9 | Automated | Manual | High | lacework-global-618 | 3.12 | Manual | Manual | High | |
| Azure_CIS_131_3_10 | Manual | Automated | High | lacework-global-619 | 3.13 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_11 | Manual | Automated | High | lacework-global-620 | 3.14 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_1_1 | Automated | Automated | High | lacework-global-537 | 4.1.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_1_2 | Automated | Automated | High | lacework-global-540 | 4.1.5 | Automated | Automated | High | |
| Azure_CIS_131_4_1_3 | Automated | Automated | High | lacework-global-541 | 4.1.6 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_2_1 | Automated | Automated | High | lacework-global-622 | 4.2.1 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_2_2 | Automated | Automated | Medium | lacework-global-623 | 4.2.2 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_3 | Automated | Automated | Medium | lacework-global-624 | 4.2.3 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_4 | Automated | Automated | Medium | lacework-global-625 | 4.2.4 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_5 | Automated | Automated | Medium | lacework-global-542 | 4.2.5 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_3_1 | Automated | Automated | High | lacework-global-543 | 4.3.1 | Automated | Automated | High | |
| Azure_CIS_131_4_3_2 | Automated | Automated | High | lacework-global-551 | 4.4.1 | Automated | Automated | High | |
| Azure_CIS_131_4_3_3 | Automated | Automated | High | lacework-global-544 | 4.3.2 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_4 | Automated | Automated | High | lacework-global-545 | 4.3.3 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_5 | Automated | Automated | High | lacework-global-546 | 4.3.4 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_6 | Automated | Automated | High | lacework-global-547 | 4.3.5 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_7 | Automated | Automated | High | lacework-global-548 | 4.3.6 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_8 | Manual | Manual | High | lacework-global-549 | 4.3.7 | Manual | Automated | High | Automated on 1st March 2023. |
| Azure_CIS_131_4_4 | Automated | Automated | High | lacework-global-539 | 4.1.4 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_5 | Automated | Automated | High | lacework-global-621 | 4.1.3 | Automated | Automated | High | |
| Azure_CIS_131_5_1_1 | Automated | Manual | Low | lacework-global-554 | 5.1.1 | Manual | Manual | Low | |
| Azure_CIS_131_5_1_2 | Automated | Automated | Low | lacework-global-555 | 5.1.2 | Automated | Automated | Low | |
| Azure_CIS_131_5_1_3 | Automated | Automated | High | lacework-global-556 | 5.1.3 | Automated | Manual | High | Released manual |
| Azure_CIS_131_5_1_4 | Automated | Automated | Medium | lacework-global-630 | 5.1.4 | Automated | Manual | Medium | Released manual |
| Azure_CIS_131_5_1_5 | Automated | Automated | High | lacework-global-557 | 5.1.5 | Automated | Automated | High | |
| Azure_CIS_131_5_2_1 | Automated | Automated | Medium | lacework-global-558 | 5.2.1 | Automated | Automated | Medium | |
| Azure_CIS_131_5_2_2 | Automated | Automated | Medium | lacework-global-559 | 5.2.2 | Automated | Automated | Medium | |
| Azure_CIS_131_5_2_3 | Automated | Automated | High | lacework-global-560 | 5.2.3 | Automated | Automated | High | |
| Azure_CIS_131_5_2_4 | Automated | Automated | High | lacework-global-561 | 5.2.4 | Automated | Automated | High | |
| Azure_CIS_131_5_2_5 | Automated | Automated | High | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_5_2_6 | Automated | Automated | High | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_5_2_7 | Automated | Automated | High | lacework-global-562 | 5.2.5 | Automated | Automated | High | |
| Azure_CIS_131_5_2_8 | Automated | Automated | High | lacework-global-563 | 5.2.6 | Automated | Automated | High | |
| Azure_CIS_131_5_2_9 | Automated | Automated | High | lacework-global-564, lacework-global-565 | 5.2.7, 5.2.8 | Automated | Automated | High | |
| Azure_CIS_131_5_3 | Automated | Manual | High | lacework-global-553 | 5.3 | Manual | Manual | High | |
| Azure_CIS_131_6_1 | Automated | Automated | High | lacework-global-568 | 6.1 | Automated | Automated | High | |
| Azure_CIS_131_6_2 | Automated | Automated | High | lacework-global-569 | 6.2 | Automated | Automated | High | |
| Azure_CIS_131_6_3 | Automated | Automated | High | lacework-global-538 | 4.1.2 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_6_4 | Automated | Automated | Medium | lacework-global-633 | 6.5 | Automated | Automated | Medium | |
| Azure_CIS_131_6_5 | Manual | Manual | High | lacework-global-634 | 6.6 | Manual | Automated | High | |
| Azure_CIS_131_6_6 | Automated | Automated | Medium | lacework-global-570 | 6.3 | Automated | Automated | Medium | |
| Azure_CIS_131_7_1 | Manual | Manual | Info | lacework-global-573 | 7.1 | Manual | Automated | Info | |
| Azure_CIS_131_7_2 | Automated | Automated | High | lacework-global-635 | 7.2 | Automated | Automated | High | |
| Azure_CIS_131_7_3 | Automated | Automated | High | lacework-global-636 | 7.3 | Automated | Automated | High | |
| Azure_CIS_131_7_4 | Manual | Manual | High | lacework-global-574 | 7.4 | Manual | Manual | High | |
| Azure_CIS_131_7_5 | Manual | Manual | High | lacework-global-522 | 2.5 | Manual | Manual | High | |
| Azure_CIS_131_7_6 | Manual | Manual | Medium | lacework-global-637 | 7.5 | Manual | Manual | Medium | |
| Azure_CIS_131_7_7 | Manual | Manual | High | lacework-global-638 | 7.6 | Manual | Manual | Medium | |
| Azure_CIS_131_8_1 | Automated | Manual | High | lacework-global-575, lacework-global-576 | 8.1, 8.2 | Automated | Automated | High | Unreleased |
| Azure_CIS_131_8_2 | Automated | Manual | High | lacework-global-577, lacework-global-578 | 8.3, 8.4 | Automated | Automated | High | Unreleased |
| Azure_CIS_131_8_3 | Manual | Manual | Critical | lacework-global-645 | 10.1 | Manual | Manual | Critical | |
| Azure_CIS_131_8_4 | Automated | Automated | High | lacework-global-579 | 8.5 | Automated | Automated | High | |
| Azure_CIS_131_8_5 | Automated | Automated | Medium | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_9_1 | Automated | Automated | Medium | lacework-global-642 | 9.1 | Automated | Automated | Medium | |
| Azure_CIS_131_9_2 | Automated | Automated | High | lacework-global-580 | 9.2 | Automated | Automated | High | |
| Azure_CIS_131_9_3 | Automated | Automated | Medium | lacework-global-581 | 9.3 | Automated | Automated | Medium | |
| Azure_CIS_131_9_4 | Automated | Automated | High | lacework-global-643 | 9.4 | Automated | Automated | High | |
| Azure_CIS_131_9_5 | Automated | Automated | Medium | lacework-global-582 | 9.5 | Automated | Automated | Medium | |
| Azure_CIS_131_9_6 | Manual | Manual | Medium | lacework-global-583 | 9.6 | Manual | Manual | Medium | |
| Azure_CIS_131_9_7 | Manual | Manual | Medium | lacework-global-584 | 9.7 | Manual | Manual | Medium | |
| Azure_CIS_131_9_8 | Manual | Manual | Medium | lacework-global-585 | 9.8 | Manual | Manual | Medium | |
| Azure_CIS_131_9_9 | Manual | Manual | Medium | lacework-global-586 | 9.9 | Automated | Automated | Medium | |
| Azure_CIS_131_9_10 | Automated | Automated | Medium | lacework-global-587 | 9.10 | Automated | Automated | Medium | |
| Azure_CIS_131_9_11 | Manual | Manual | Medium | lacework-global-644 | 9.11 | Manual | Manual | Medium | |

Additional Notes

  • Azure_CIS_131_1_13 - Azure merged the 'Guest can Invite' and 'Members Can Invite' options into one setting called 'Guest invite restrictions', so 1.13 and 1.14 (in v1.3.1) were merged for future versions.
  • Azure_CIS_131_2_6 - Updates to Azure Defender plans resulted in 2.6 and 2.7 (in v1.3.1) being merged for future versions.
  • Azure_CIS_131_5_2_5 - Removed following Azure updates.
  • Azure_CIS_131_5_2_6 - Removed following Azure updates.
  • Azure_CIS_131_8_5 - Moved to CIS Azure Kubernetes Service (AKS) Benchmark (Control ID 5.5.2 in v1.2.0).

New Policies in CIS Azure 1.5.0

All the new v1.5.0 policies (that were not in v1.3.1) are listed in the table below:

| CIS Control ID and Title | Lacework Policy ID | CIS Assessment Type | Lacework Assessment Type | Severity | Notes |
|---|---|---|---|---|---|
| 1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | lacework-global-515 | Manual | Manual | Medium | |
| 1.2.1 Ensure Trusted Locations Are Defined | lacework-global-516 | Manual | Manual | Medium | |
| 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered | lacework-global-517 | Manual | Manual | Low | |
| 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | lacework-global-518 | Manual | Manual | High | |
| 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users | lacework-global-519 | Manual | Manual | High | |
| 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins | lacework-global-520 | Manual | Manual | High | |
| 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management | lacework-global-521 | Manual | Manual | High | |
| 1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | lacework-global-588 | Manual | Manual | Low | |
| 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | lacework-global-502 | Manual | Manual | High | |
| 1.11 Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’ | lacework-global-589 | Manual | Manual | Medium | |
| 1.25 Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’ | lacework-global-596 | Manual | Manual | High | |
| 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' | lacework-global-600 | Manual | Manual | Medium | |
| 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | lacework-global-603 | Manual | Manual | Medium | |
| 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | lacework-global-606 | Manual | Manual | Medium | |
| 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' | lacework-global-608 | Manual | Manual | Medium | |
| 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On' | lacework-global-609 | Manual | Manual | Medium | |
| 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | lacework-global-610 | Manual | Manual | Medium | |
| 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | lacework-global-611 | Automated | Manual | Medium | Released manual |
| 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | lacework-global-612 | Automated | Manual | Medium | Released manual |
| 3.2 Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ | lacework-global-615 | Manual | Automated | Low | |
| 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | lacework-global-529 | Manual | Manual | Medium | |
| 3.10 Ensure Private Endpoints are used to access Storage Accounts | lacework-global-534 | Manual | Automated | Medium | |
| 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | lacework-global-536 | Automated | Automated | Medium | |
| 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | lacework-global-550 | Automated | Automated | Medium | Released on 1st March 2023. |
| 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | lacework-global-552 | Automated | Automated | Medium | Released on 1st March 2023. |
| 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | lacework-global-626 | Manual | Manual | Medium | |
| 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | lacework-global-627 | Manual | Manual | Medium | |
| 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | lacework-global-628 | Manual | Automated | Medium | |
| 4.5.2 Ensure That Private Endpoints Are Used Where Possible | lacework-global-629 | Manual | Automated | Medium | |
| 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | lacework-global-631 | Manual | Manual | Low | |
| 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled | lacework-global-632 | Manual | Manual | Medium | |
| 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | lacework-global-566 | Automated | Automated | High | |
| 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | lacework-global-567 | Automated | Automated | High | |
| 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted | lacework-global-571 | Automated | Automated | High | |
| 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis | lacework-global-572 | Manual | Manual | Medium | |
| 8.6 Enable Role Based Access Control for Azure Key Vault | lacework-global-639 | Manual | Automated | High | Automated on 1st March 2023. |
| 8.7 Ensure that Private Endpoints are Used for Azure Key Vault | lacework-global-640 | Manual | Automated | Medium | Automated on 1st March 2023. |
| 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | lacework-global-641 | Manual | Manual | High | |