Alert Logic® Managed Detection and Response (MDR) is certified by the Center for Internet Security (CIS) for Level 1 and Level 2 of the latest version (2.0.0) of the CIS Microsoft Azure Foundations Benchmark. The CIS Microsoft Azure Foundations Benchmark is a set of guidelines that help you to secure your Azure environment by providing step-by-step implementation and assessment procedures from industry security experts that go beyond high-level security guidance.
CIS is a globally recognized security organization with a mission to identify, develop, validate, promote, and sustain best practice solutions for cyber defense. In this article, learn about assessing your Azure environment against the Benchmark.
Updated RBAC Role Document
An updated RBAC role document (Version 2023-06-12) has been released with specific permissions and changes required to discover and assess new asset types or properties.
| Version | Change | Optional or Required | Purpose |
|---|---|---|---|
| 2023-06-12 | + Microsoft.Cache/redis/read | Required | Discovery Redis clusters |
| 2023-06-12 | + Microsoft.DocumentDB/databaseAccounts/read | Required | Discovery CosmosDB accounts |
| 2023-06-12 | + Microsoft.Network/loadBalancers/read | Required | Discovery network load balancers |
| 2023-06-12 | + Microsoft.Network/virtualNetworkGateways/read | Required | Discovery Virtual Network Gateways |
| 2023-06-12 | + Microsoft.DBforPostgreSQL/servers/firewallRules/read + Microsoft.Insights/components/read + Microsoft.KeyVault/vaults/keys/read + Microsoft.KeyVault/vaults/secrets/readMetadata/action + Microsoft.Network/bastionHosts/read + Microsoft.Network/internalPublicIpAddresses/read + Microsoft.Security/autoProvisioningSettings/read + Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read + Microsoft.Storage/storageAccounts/blobServices/read + Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/read + Microsoft.Storage/storageAccounts/fileServices/read + Microsoft.Storage/storageAccounts/listKeys/action + Microsoft.Storage/storageAccounts/managementPolicies/read + Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/read + Microsoft.Storage/storageAccounts/queueServices/read + Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/read + Microsoft.Storage/storageAccounts/tableServices/read | Required | Assess CIS benchmark compliance |
To take advantage of the new functionality for supporting version 2.0.0 of the CIS Azure Foundations Benchmark, you must replace the previous JSON file, update the RBAC role document, and grant specific permissions in the Azure portal. Refer to Update your Azure Deployment for CIS Foundation Benchmarks.
Note: Until the RBAC role documents are updated, the CIS Microsoft Azure Foundation Benchmark report will remain blank, and your existing Azure deployments in the Alert Logic console will continue to report the “Outdated Azure RBAC Role” health exposure and the “Update Deployment Permissions” health remediation.
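The following is an added example, not part of the original article or Alert Logic's tooling: it checks one role definition against the 2023-06-12 actions listed in the table above and reports which are not granted. It assumes the role file uses the Azure custom-role JSON layout with top-level `Actions` and `NotActions`, and that action matching is case-insensitive with `*` as a wildcard; the sample role is constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists as added in RBAC role document version 2023-06-12.
REQUIRED_2023_06_12 = """
Microsoft.Cache/redis/read
Microsoft.DocumentDB/databaseAccounts/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/virtualNetworkGateways/read
Microsoft.DBforPostgreSQL/servers/firewallRules/read
Microsoft.Insights/components/read
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action
Microsoft.Network/bastionHosts/read
Microsoft.Network/internalPublicIpAddresses/read
Microsoft.Security/autoProvisioningSettings/read
Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/managementPolicies/read
Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.Storage/storageAccounts/queueServices/read
Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.Storage/storageAccounts/tableServices/read
""".split()

def granted(action, role):
    """True if the role's Actions cover `action` and NotActions do not exclude it."""
    a = action.lower()
    hit = lambda pats: any(fnmatchcase(a, p.lower()) for p in pats)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))

def missing_actions(role, required=REQUIRED_2023_06_12):
    """Required actions that this single role definition does not grant."""
    return [a for a in required if not granted(a, role)]

# Constructed sample role (assumed Azure custom-role layout), not Alert Logic's file.
SAMPLE_ROLE = json.loads("""{
  "Actions": ["Microsoft.Cache/redis/read", "Microsoft.Network/*/read",
              "Microsoft.Storage/storageAccounts/*/read", "Microsoft.KeyVault/vaults/keys/read"],
  "NotActions": ["Microsoft.Network/bastionHosts/*"]
}""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLE):
        print("missing:", action)
```

A broad `*/read` wildcard still leaves the two `/action` permissions (`readMetadata/action` and `listKeys/action`) ungranted, so check those explicitly when reviewing a role built from read-only patterns.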
Updated CIS Azure Foundations Benchmark Report
You can find the updated CIS Microsoft Azure Foundations Benchmark report in the Alert Logic console:
- Click the menu icon, and then click Validate.
- Click Reports, and then click Compliance.
- Under CIS Microsoft Azure Benchmark, click VIEW.
- Click CIS Microsoft Azure Foundations Benchmark.
- Use the Deployment and Section filters to refine the results in the report.
Note: It may take up to 24 hours after you update the RBAC role documents to present complete results in the report.
For more information about this report, refer to CIS Microsoft Azure Foundations Benchmark report.