Managed Security Review for CIS Azure Foundations Benchmark v3.0.0
Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains the managed security reviews for CIS Azure Foundations Benchmark v3.0.0 provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.
To use managed security reviews
Once you apply Shisho Cloud workflows to your organization, the security review results for the items listed below will appear shortly afterwards.
All managed review items
Title | Item in Standard | Default Severity | ID in Shisho Cloud |
---|---|---|---|
Ensure to enable Entra ID Security Defaults | 2.1.1 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_security_default |
Ensure to enable per-user MFA for Entra ID | 2.1.2 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_per_user_mfa |
Ensure to define trusted locations in Entra ID | 2.2.1 | Low | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_usage |
Ensure to use location-based Conditional Access Policy in Entra ID | 2.2.2 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_trusted_location_cap |
Ensure to require MFA in Entra ID Conditional Access Policy | 2.2.5 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_mfa_cap |
Ensure to restrict Entra ID non-administrator users from creating tenants | 2.3 | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_tenant_permission |
Entra ID should have a Custom Bad Password List | 2.8 | Low | decision.api.shisho.dev/v1beta:azure_entraid_banned_password_list |
Ensure to restrict non-administrator users from consenting to Entra applications | 2.12 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_app_consent |
Ensure to restrict Entra ID non-administrator users from creating applications | 2.14 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_default_create_app_permission |
Ensure that Entra ID guest users have limited access to tenant information | 2.15 | Low | decision.api.shisho.dev/v1beta:azure_entraid_guest_baseline |
Ensure that tenant-to-tenant transfer is not allowed in Azure subscription | 2.15 | High | decision.api.shisho.dev/v1beta:azure_entraid_subscription_policy |
Ensure to restrict non-administrator users from inviting users to Entra ID | 2.16 | High | decision.api.shisho.dev/v1beta:azure_entraid_invitation_permission |
Ensure to restrict Entra ID non-administrator users from creating security groups | 2.19 | Low | decision.api.shisho.dev/v1beta:azure_entraid_default_create_security_group_permission |
Ensure to require MFA for new device registration to Entra ID | 2.22 | Medium | decision.api.shisho.dev/v1beta:azure_entraid_device_registration |
Ensure to minimize the number of Entra ID global admins | 2.26 | High | decision.api.shisho.dev/v1beta:azure_entraid_global_admin |
Ensure that connections to Azure Storage Account are forced to use HTTPS | 4.1 | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_secure_transfer |
Ensure that infrastructure encryption is enabled for Azure Storage Account | 4.2 | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_infrastructure_encryption |
Ensure that audit logging is enabled for Azure Database for MySQL/MariaDB | 4.4.3 | Medium | decision.api.shisho.dev/v1beta:azure_mysql_audit |
Ensure that public network access to Azure Storage Account is disallowed | 4.6 | High | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_public_access |
Ensure that the default network access rule for Azure Storage Account is set to deny all traffic | 4.7 | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_default_network_rule |
Ensure that Azure services access to Azure Storage Account is allowed outside of network rules | 4.8 | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_network_bypass |
Ensure that private endpoint is used for accessing Azure Storage Account | 4.9 | Info | decision.api.shisho.dev/v1beta:azure_storageaccount_private_endpoint |
Ensure that soft delete is enabled for Azure Storage Account | 4.10 | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_soft_delete |
Ensure that access logging for Azure Storage Account Queue Service is enabled | 4.12 | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_queue_logging |
Ensure that data access logging for Azure Storage Account Blob service is enabled | 4.13 | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_blob_logging |
Ensure that access logging for Azure Storage Account Table Service is enabled | 4.14 | Low | decision.api.shisho.dev/v1beta:azure_storageaccount_table_logging |
Ensure that connections to Azure Storage Account are forced to use secure SSL/TLS versions | 4.15 | Medium | decision.api.shisho.dev/v1beta:azure_storageaccount_tls_version |
Ensure that cross-tenant replication is disabled for Azure Storage Account | 4.16 | High | decision.api.shisho.dev/v1beta:azure_storageaccount_cross_tenant |
Ensure that anonymous read access to Azure Storage Account is disabled | 4.17 | Critical | decision.api.shisho.dev/v1beta:azure_storageaccount_anonymous_access |
Ensure no Azure SQL Managed Database allows traffic from 0.0.0.0/0 | 5.1.7 | Critical | decision.api.shisho.dev/v1beta:azure_sql_public_access |
Ensure that connection logging is enabled for Azure Database for PostgreSQL | 5.2.6 | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_connection |
Ensure that disconnection logging is enabled for Azure Database for PostgreSQL | 5.2.7 | Low | decision.api.shisho.dev/v1beta:azure_postgresql_audit_disconnection |
Ensure no Azure Database for MySQL allows traffic from 0.0.0.0/0 | 5.3.3 | Critical | decision.api.shisho.dev/v1beta:azure_mysql_public_access |
Ensure that connection logging is enabled for Azure Database for MySQL/MariaDB | 5.3.4 | Low | decision.api.shisho.dev/v1beta:azure_mysql_audit_connection |
Ensure no CosmosDB allows traffic from 0.0.0.0/0 | 5.4.1 | Critical | decision.api.shisho.dev/v1beta:azure_cosmosdb_public_access |
Ensure no Azure Network Security Group allows traffic from 0.0.0.0/0 | 7.1 | Critical | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_public_access |
Ensure Azure Network Security Group flow logs are retained for a sufficient period | 7.5 | Low | decision.api.shisho.dev/v1beta:azure_networksecuritygroup_flow_log_retention |
Ensure Azure Network Watcher is enabled | 7.6 | High | decision.api.shisho.dev/v1beta:azure_networkwatcher_usage |
Ensure to not make Azure managed disks publicly accessible | 8.5 | High | decision.api.shisho.dev/v1beta:azure_compute_disk_public_access |
Ensure that connections to Azure Web Apps are forced to use HTTPS | 9.1 | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_http |
Ensure that FTP is not allowed during deployment of Azure Web Apps | 9.3 | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_disallow_ftp |
Ensure that connections to Azure App Services are forced to use secure SSL/TLS versions | 9.4 | Medium | decision.api.shisho.dev/v1beta:azure_appservices_webapp_min_tls_version |
Ensure to disable Web Apps remote debugging | 9.12 | High | decision.api.shisho.dev/v1beta:azure_appservices_webapp_remote_debugging |