CIS Azure 1.5.0 Benchmark Report
This report co-exists with the older CIS benchmark reports for Microsoft Azure. The older CIS benchmark reports are deprecated and will eventually be removed. You should migrate to the latest report soon.
info
For information about compliance assessment differences between CIS Azure 1.3.1 and 1.5.0, see CIS Azure 1.3.1 to 1.5.0.
Changes to Benchmark Reports in the Lacework Console
Due to changes in the Lacework Console, visibility of and interaction with the CIS Azure 1.5.0 benchmark is different from previous CIS reports.
The notable changes are outlined below:
- All CIS 1.5.0 benchmark policies are enabled or disabled through the Policies page (see Enable the CIS Azure 1.5.0 Benchmark).
- The Compliance > Azure > Reports page does not list this report, but will continue to list and display results for the older CIS Azure benchmark reports.
- The Cloud Compliance Dashboard provides details for each assessment, including the CIS Azure 1.5.0 report.
- The Reports page lists all reports that have been run in your environment, including a 90-day history for each report type on all your integrated accounts. The summary for each report can be viewed in the Console, and downloaded in PDF format. See Reports for information.
tip
See Reports and Use Cases for Cloud Compliance Dashboard for guidance on viewing similar sections and data.
Prerequisites
The following articles describe how to integrate your Azure environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS Azure 1.5.0 benchmark.
- Determine your Azure Integration Type
- The setup for the Configuration integration type must be completed in order to use the Lacework Compliance platform.
- Create an Azure App for Integration
- Ensure that you have also assigned the appropriate Azure Key Vault permissions to the Azure application created for Lacework.
- Gather Azure Client ID, Tenant ID, and Client Secret
Determine your Azure Integration Type
Choose one of the following options:
Previous Integrations using Terraform
If you have previously integrated Azure with Lacework using Terraform, re-run `terraform init -upgrade`, followed by `terraform apply`, to upgrade the modules.
Enable the CIS Azure 1.5.0 Benchmark
All policies in the CIS Azure 1.5.0 benchmark are enabled by default. You can disable or enable them as follows.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-azure-1-5-0 tag to filter for CIS Azure 1.5.0 policies only.
You can enable or disable an individual policy using its status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable.
Bulk Enable or Disable Policies through the Lacework CLI
Enable or disable all the CIS Azure 1.5.0 policies by using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-azure-1-5-0
lacework policy disable --tag framework:cis-azure-1-5-0
tip
If you have not set up the CLI before, see the Lacework CLI guide to get started.
Automated vs Manual Rules
Lacework uses the CIS Workbench Benchmarks to automate your Compliance rules wherever it is possible to do so. 'Manual' rule types cannot be assessed end-to-end by the Lacework platform, so you must follow the CIS auditing procedure for them yourself.
For some benchmark rules, it is not possible to automate the checks in an Azure environment. As such, manual auditing of these rules in your Azure environment is required.
Manual Rules (that were deemed automated)
The following table outlines a number of CIS Azure 1.5.0 rules that cannot yet be automated (they were deemed as "automated" by CIS). As such, manual auditing of these rules in your Azure environment is required.
info
Lacework intends to automate these rules in a future release.
CIS Azure 1.5.0 Control ID | Lacework Policy ID | Title |
---|---|---|
4.1.1 | lacework-global-537 | Ensure that 'Auditing' is set to 'On'. |
4.1.6 | lacework-global-541 | Ensure that 'Auditing' Retention is 'greater than 90 days'. |
Permanently Manual Rules (that were deemed automated)
The following table outlines rules that were deemed automated by CIS, but will remain manual:
note
For sections 2.2 and 2.3, see 2 - Microsoft Defender for Cloud for additional details.
CIS Azure 1.5.0 Control ID | Lacework Policy ID | Title |
---|---|---|
2.2.1 | lacework-global-524 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'. |
2.2.2 | lacework-global-611 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'. |
2.2.3 | lacework-global-612 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'. |
2.3.1 | lacework-global-525 | Ensure That 'All users with the following roles' is set to 'Owner'. |
2.3.2 | lacework-global-526 | Ensure 'Additional email addresses' is Configured with a Security Contact Email. |
2.3.3 | lacework-global-527 | Ensure That 'Notify about alerts with the following severity' is Set to 'High'. |
3.5 | lacework-global-616 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests. |
3.11 | lacework-global-535 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage. |
3.13 | lacework-global-619 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests. |
3.14 | lacework-global-620 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests. |
5.1.3 | lacework-global-556 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible. |
5.1.4 | lacework-global-630 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key. |
Automated Rules (that were deemed manual)
In some cases, Lacework is able to automate certain CIS Azure 1.5.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:
CIS Azure 1.5.0 Control ID | Lacework Policy ID | Title |
---|---|---|
3.2 | lacework-global-615 | Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’. |
3.10 | lacework-global-534 | Ensure Private Endpoints are used to access Storage Accounts. |
4.3.7 | lacework-global-549 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled. |
4.5.1 | lacework-global-628 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks. |
4.5.2 | lacework-global-629 | Ensure That Private Endpoints Are Used Where Possible. |
6.6 | lacework-global-634 | Ensure that Network Watcher is 'Enabled'. |
7.1 | lacework-global-573 | Ensure Virtual Machines are utilizing Managed Disks. |
8.6 | lacework-global-639 | Enable Role Based Access Control for Azure Key Vault. |
8.7 | lacework-global-640 | Ensure that Private Endpoints are Used for Azure Key Vault. |
Rules that are pending automation
Lacework intends to automate the policies listed below in a future release. All of these were deemed as manual by CIS.
CIS Azure 1.5.0 Control ID | Lacework Policy ID | Title |
---|---|---|
5.1.6 | lacework-global-631 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics. |
8.8 | lacework-global-641 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services. |
Unimplemented Policies
The following policies are not yet implemented in our Compliance platform. Lacework will be adding these policies soon.
All policies listed in the table below are intended to be automated once released:
CIS Azure 1.5.0 Control ID | Lacework Policy ID | Title |
---|---|---|
8.1 | lacework-global-575 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults. |
8.2 | lacework-global-576 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. |
8.3 | lacework-global-577 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults. |
8.4 | lacework-global-578 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults. |
Policy Mapping for CIS Azure 1.5.0
The CIS Azure 1.5.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.
1 - Identity and Access Management (IAM)
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
1.3 | lacework-global-588 |
1.4 | lacework-global-499 |
1.5 | lacework-global-500 |
1.6 | lacework-global-501 |
1.7 | lacework-global-502 |
1.8 | lacework-global-503 |
1.9 | lacework-global-504 |
1.10 | lacework-global-505 |
1.11 | lacework-global-589 |
1.12 | lacework-global-506 |
1.13 | lacework-global-507 |
1.14 | lacework-global-508 |
1.15 | lacework-global-509 |
1.16 | lacework-global-590 |
1.17 | lacework-global-510 |
1.18 | lacework-global-591 |
1.19 | lacework-global-592 |
1.20 | lacework-global-593 |
1.21 | lacework-global-594 |
1.22 | lacework-global-511 |
1.23 | lacework-global-512 |
1.24 | lacework-global-595 |
1.25 | lacework-global-596 |
1.1 - Security Defaults
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
1.1.1 | lacework-global-513 |
1.1.2 | lacework-global-514 |
1.1.3 | lacework-global-597 |
1.1.4 | lacework-global-515 |
1.2 - Conditional Access
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
1.2.1 | lacework-global-516 |
1.2.2 | lacework-global-517 |
1.2.3 | lacework-global-518 |
1.2.4 | lacework-global-519 |
1.2.5 | lacework-global-520 |
1.2.6 | lacework-global-521 |
2 - Microsoft Defender for Cloud
Permanently Manual Rules
As of 16th February 2023, the following sections will remain manual:
- 2.1 - Defender Plans (moved from Manual Rules (that were deemed automated)).
- 2.2 - Auto Provisioning (moved from Unimplemented Policies).
- 2.3 - Email Notifications (moved from Manual Rules (that were deemed automated)).
The CIS Azure 1.5.0 benchmark recommends that if you have existing products (such as Lacework) that provide the same utility as some Microsoft Defender for Cloud products, you can ignore the recommendations in Section 2. Lacework has included all rules for 2 - Microsoft Defender for Cloud as manual Lacework policies so that you can read and understand the scope of CIS recommendations.
Lacework recommends that you analyze the scope of all the policies in subsection 2.1 and make a decision that is suitable for the needs of your environment. Note that enabling Microsoft Defender will incur extra costs to provide functionality already covered by the Lacework platform.
In a future release, the LQL datasource for Microsoft Defender settings will be made available. This will allow you to write your own custom LQL-based policies against Microsoft Defender settings, to match your own security posture program needs.
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
2.5 | lacework-global-522 |
2.6 | lacework-global-523 |
2.1 - Defender Plans
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
2.1.1 | lacework-global-598 |
2.1.2 | lacework-global-599 |
2.1.3 | lacework-global-600 |
2.1.4 | lacework-global-601 |
2.1.5 | lacework-global-602 |
2.1.6 | lacework-global-603 |
2.1.7 | lacework-global-604 |
2.1.8 | lacework-global-605 |
2.1.9 | lacework-global-606 |
2.1.10 | lacework-global-607 |
2.1.11 | lacework-global-608 |
2.1.12 | lacework-global-609 |
2.1.13 | lacework-global-610 |
2.2 - Auto Provisioning
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
2.2.1 | lacework-global-524 |
2.2.2 | lacework-global-611 |
2.2.3 | lacework-global-612 |
2.3 - Email Notifications
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
2.3.1 | lacework-global-525 |
2.3.2 | lacework-global-526 |
2.3.3 | lacework-global-527 |
2.4 - Integrations
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
2.4.1 | lacework-global-613 |
2.4.2 | lacework-global-614 |
3 - Storage Accounts
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
3.1 | lacework-global-528 |
3.2 | lacework-global-615 |
3.3 | lacework-global-529 |
3.4 | lacework-global-530 |
3.5 | lacework-global-616 |
3.6 | lacework-global-531 |
3.7 | lacework-global-532 |
3.8 | lacework-global-533 |
3.9 | lacework-global-617 |
3.10 | lacework-global-534 |
3.11 | lacework-global-535 |
3.12 | lacework-global-618 |
3.13 | lacework-global-619 |
3.14 | lacework-global-620 |
3.15 | lacework-global-536 |
4 - Database Services
4.1 - SQL Server - Auditing
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
4.1.1 | lacework-global-537 |
4.1.2 | lacework-global-538 |
4.1.3 | lacework-global-621 |
4.1.4 | lacework-global-539 |
4.1.5 | lacework-global-540 |
4.1.6 | lacework-global-541 |
4.2 - SQL Server - Microsoft Defender for SQL
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
4.2.1 | lacework-global-622 |
4.2.2 | lacework-global-623 |
4.2.3 | lacework-global-624 |
4.2.4 | lacework-global-625 |
4.2.5 | lacework-global-542 |
4.3 - PostgreSQL Database Server
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
4.3.1 | lacework-global-543 |
4.3.2 | lacework-global-544 |
4.3.3 | lacework-global-545 |
4.3.4 | lacework-global-546 |
4.3.5 | lacework-global-547 |
4.3.6 | lacework-global-548 |
4.3.7 | lacework-global-549 |
4.3.8 | lacework-global-550 |
4.4 - MySQL Database
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
4.4.1 | lacework-global-551 |
4.4.2 | lacework-global-552 |
4.4.3 | lacework-global-626 |
4.4.4 | lacework-global-627 |
4.5 - Cosmos DB
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
4.5.1 | lacework-global-628 |
4.5.2 | lacework-global-629 |
5 - Logging and Monitoring
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
5.3 | lacework-global-553 |
5.1 - Configuring Diagnostic Settings
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
5.1.1 | lacework-global-554 |
5.1.2 | lacework-global-555 |
5.1.3 | lacework-global-556 |
5.1.4 | lacework-global-630 |
5.1.5 | lacework-global-557 |
5.1.6 | lacework-global-631 |
5.1.7 | lacework-global-632 |
5.2 - Monitoring using Activity Log Alerts
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
5.2.1 | lacework-global-558 |
5.2.2 | lacework-global-559 |
5.2.3 | lacework-global-560 |
5.2.4 | lacework-global-561 |
5.2.5 | lacework-global-562 |
5.2.6 | lacework-global-563 |
5.2.7 | lacework-global-564 |
5.2.8 | lacework-global-565 |
5.2.9 | lacework-global-566 |
5.2.10 | lacework-global-567 |
6 - Networking
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
6.1 | lacework-global-568 |
6.2 | lacework-global-569 |
6.3 | lacework-global-570 |
6.4 | lacework-global-571 |
6.5 | lacework-global-633 |
6.6 | lacework-global-634 |
6.7 | lacework-global-572 |
7 - Virtual Machines
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
7.1 | lacework-global-573 |
7.2 | lacework-global-635 |
7.3 | lacework-global-636 |
7.4 | lacework-global-574 |
7.5 | lacework-global-637 |
7.6 | lacework-global-638 |
8 - Key Vault
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
8.1 | lacework-global-575 |
8.2 | lacework-global-576 |
8.3 | lacework-global-577 |
8.4 | lacework-global-578 |
8.5 | lacework-global-579 |
8.6 | lacework-global-639 |
8.7 | lacework-global-640 |
8.8 | lacework-global-641 |
9 - AppService
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
9.1 | lacework-global-642 |
9.2 | lacework-global-580 |
9.3 | lacework-global-581 |
9.4 | lacework-global-643 |
9.5 | lacework-global-582 |
9.6 | lacework-global-583 |
9.7 | lacework-global-584 |
9.8 | lacework-global-585 |
9.9 | lacework-global-586 |
9.10 | lacework-global-587 |
9.11 | lacework-global-644 |
10 - Miscellaneous
CIS Azure 1.5.0 Control ID | Lacework Policy ID |
---|---|
10.1 | lacework-global-645 |
FAQs
Why are there so many manual policies in CIS Azure 1.5.0?
- The Azure v1.5.0 benchmark (published by CIS) has 147 policies: 69 automated and 78 manual.
- In comparison, the Azure v1.3.1 benchmark had 111 policies: 61 automated and 50 manual.
Due to the policies yet to be implemented, and those temporarily released as manual, Lacework’s v1.5.0 benchmark may appear to have an imbalance of manual policies. As noted though, more than 50% of the CIS Azure 1.5.0 policies are manual.
Why were some policies in v1.3.1 automated but now moved to manual in v1.5.0?
There was a set of five policies in v1.3.1 that were automated, and they are still marked as automated by CIS in v1.5.0. Lacework has temporarily released these five policies as manual, with a plan to automate them in the future. See Manual Rules (that were deemed automated).
A further set of six policies in v1.3.1 were automated, and have been marked as automated by CIS in v1.5.0. Lacework has delivered manual policies for these in v1.5.0. See Permanently Manual Rules (that were deemed automated).
For a full policy comparison between v1.3.1 and v1.5.0, see CIS Azure 1.3.1 to 1.5.0.
Why were some policies in v1.3.1 manual but now moved to automated in v1.5.0?
Lacework is sometimes able to monitor the required resources for a given policy (even when deemed as manual by CIS). These policies are then automated in the Lacework Compliance Platform.
Three policies that were manual in v1.3.1 have been automated by Lacework for v1.5.0:
- Azure_CIS_131_6_5
- Azure_CIS_131_7_1
- Azure_CIS_131_9_9
See CIS Azure 1.3.1 to 1.5.0 Mapping for further details.
Also, an additional four policies that are new in v1.5.0 have been automated (where CIS specified them as manual). See New Policies in CIS Azure 1.5.0 for details.
Do I have improved coverage with v1.5.0 versus what I had with v1.3.1?
When Lacework delivers on remaining unimplemented policies and planned automation for manual policies (including rules that are pending automation), coverage for v1.5.0 will be an improvement over v1.3.1.
Which policies are yet to be updated/released within the v1.5.0 benchmark?
As of 1st March 2023, there are 4 unimplemented policies. Work is in progress to complete automation of these policies.
There are also 4 policies that have been marked as manual by CIS for v1.5.0, but Lacework intends to automate these policies in a future release. See Rules that are pending automation.
Why do control IDs 8.6 and 8.7 show as "Could Not Assess" in policy assessments and reports?
Policy assessments and reports for control IDs 8.6 and 8.7 may show "Could Not Assess" if you do not have the Key Vault Reader role assigned to the Lacework application used for the integration.
This applies to Azure Key Vaults in your subscription/tenant that do not have RBAC enabled.
See Assign Azure Key Vault permissions in the Azure integration prerequisites for help in assigning this role.
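The following Python is an added example, not part of the Lacework documentation or product: it evaluates the condition above against constructed JSON shaped like `az keyvault list` and `az role assignment list --assignee <app-object-id> --all` output (field names as in Azure CLI output), and lists the vaults that do not use RBAC authorization and that no Key Vault Reader assignment reaches, taking Azure RBAC scope inheritance into account.

```python
import json

# Constructed sample of `az keyvault list` output: one vault per
# authorization model, plus a third non-RBAC vault in another resource group.
VAULTS_JSON = """[
  {"name": "kv-legacy-prod",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-legacy-prod",
   "properties": {"enableRbacAuthorization": false}},
  {"name": "kv-rbac-prod",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-rbac-prod",
   "properties": {"enableRbacAuthorization": true}},
  {"name": "kv-legacy-dev",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-legacy-dev",
   "properties": {"enableRbacAuthorization": false}}
]"""

# Constructed sample of `az role assignment list --assignee <app-object-id> --all`
# for the Lacework app: Reader on the subscription, Key Vault Reader only on rg-prod.
ASSIGNMENTS_JSON = """[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"}
]"""

KEY_VAULT_READER = "Key Vault Reader"


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC is inherited down the scope hierarchy, so an assignment at
    subscription or resource-group scope applies to every vault beneath it.
    Match case-insensitively on whole path segments so that
    '/resourceGroups/rg-prod' does not cover '/resourceGroups/rg-prod2'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def vaults_missing_reader(vaults_json: str, assignments_json: str) -> list:
    """Names of vaults that do not use RBAC authorization and that no
    Key Vault Reader assignment reaches: the condition under which the
    page says controls 8.6 and 8.7 report "Could Not Assess"."""
    reader_scopes = [a["scope"] for a in json.loads(assignments_json)
                     if a.get("roleDefinitionName") == KEY_VAULT_READER]
    missing = []
    for vault in json.loads(vaults_json):
        if vault["properties"].get("enableRbacAuthorization", False):
            continue  # RBAC vault: not the case described on the page
        if not any(scope_covers(s, vault["id"]) for s in reader_scopes):
            missing.append(vault["name"])
    return missing


if __name__ == "__main__":
    for name in vaults_missing_reader(VAULTS_JSON, ASSIGNMENTS_JSON):
        print(f"{name}: assign '{KEY_VAULT_READER}' to the Lacework app")
```

In the constructed data only kv-legacy-dev is reported: kv-legacy-prod is covered by the resource-group assignment, and kv-rbac-prod uses RBAC authorization and so is outside the condition.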