Checking Your Azure Account Against the CIS Benchmarks

The CIS benchmarks for Azure are a comprehensive collection of security best practices for the platform. In this guide, we'll explain how to use the benchmarks report to check these controls in your Azure account.

Patrick Londa
May 16, 2023
 min read
Share this post

As security threats evolve, organizations must continually assess and update their security policies. The Center for Internet Security (CIS) is actively collaborating with industry leaders to create and publish comprehensive security configuration benchmarks. These benchmarks provide organizations with a reference point for safely configuring their systems and help them meet compliance requirements.

Azure CIS benchmarks are among the most comprehensive of these resources. They help organizations secure their Azure environment by providing a detailed checklist of security best practices.

In this guide, we’ll explain how your organization can use Azure CIS benchmarks to check for compliance and apply rules to your organization.

Understanding Azure CIS Benchmarks

Azure CIS benchmarks are for organizations that use Azure and seek to establish a secure baseline configuration for their environment. The guidelines in the benchmarks are based on industry best practices and organized into security domains.

Azure CIS benchmarks provide two levels of security settings for organizations to reference.

  • Level 1: Recommended security settings that organizations should use as a minimum baseline with minimal or no interruption of service or reduced functionality.
  • Level 2: More stringent security settings that organizations can use if they need additional security, which can result in some reduced functionality.

It's important to note that CIS regularly updates its benchmarks, so check for new versions and ensure your system is up-to-date with the latest rules. For example, 

Azure CIS Benchmark version 2.0, released in February, 2023, featured mostly formatting changes and a handful of recommendations added and removed.

For comparison, the prior release in August 2022 (CIS v1.5) featured 34 new recommendations, updated Azure CLI and PowerShell audit and remediation methods, and sections for Microsoft Defender, Conditional Access, and Key Vault compliance.

Validating Security Controls Across CIS Benchmark Categories

Azure CIS benchmarks cover different categories designed to protect or reduce risk within the system. The categories are what you need to review when running compliance checks and include:

  1. Identity and Access Management: Covers recommendations on how to secure identities, authentication, and authorization.
  2. Microsoft Defender: Provides guidelines on using Microsoft Defender and its features
  3. Storage Accounts: Includes recommendations for securing and configuring storage accounts
  4. Database Services: Includes recommendations for securing and managing database services
  5. Monitoring and Logging: Covers best practices for logging, auditing, and monitoring systems
  6. Networking: Includes recommendations for protecting access to the system, configuring networks, and other related settings
  7. Virtual Machines: Covers best practices for securing and managing virtual machines
  8. Key Vault: Covers best practices for securing and managing secrets using Key Vault
  9. AppService: Covers best practices for deploying and managing apps.
  10. Other Security Considerations: Provides guidelines for other security considerations such as backups and patching

To start checking compliance against Azure CIS benchmarks, download any benchmark version from the Center for Internet Security’s website and use it as a reference for configuring your system. 

For instance, for the Identity and Access Management section, you can scan for user accounts with weak passwords and inadequate Multi-Factor Authentication (MFA) settings.

Similarly, benchmarks in the Networking sections can help you identify weak settings or configurations unique to Azure and adopt regular practices, like evaluating any Public IP addresses periodically.

Your organization can use the Azure CIS benchmarks to run manual compliance checks or set up new automated checks against the rules in the benchmarks to continually eliminate gaps in your security posture.

Automating Azure CIS Compliance Checks With Blink

Since there are hundreds of controls across all the different CIS sections, if you rely only on manual checks, there’s no way you can ensure active compliance with these standards.

With Blink, you can run this automation to check your Azure account against many of these controls daily. With this information compiled in a simple report, you can make updates and tag in the relevant team members quickly.

Blink Automation: CIS V1.5.0 Compliance Report for Azure
Blink Automation: CIS V1.5.0 Compliance Report for Azure

This Azure compliance automation in the Blink library runs on a schedule that you can specify. When it runs, it does the following steps:

  1. Generates a compliance report for each section of the Azure CIS Benchmarks.
  2. Sends these reports to a specified email address.

You can import this automation from the library into your account and customize it based on your organization’s needs. For example, you can drag-and-drop new actions into the canvas or send certain reports to different stakeholders.

If you have reporting requirements to support internal audits, running automations like this one can save your team significant time.

You can build your own automation from scratch or use one of our 5K pre-built automations today.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo