Benchmark: 1 Identity and Access Management
Overview
This section covers security recommendations that to follow to set identity and access management policies on an Azure Subscription. Identity and Access Management policies are the first step towards a defense-in-depth approach to securing an Azure Cloud Platform environment.
Most of the recommendations from this section are marked as "Not Scored" because of the lack of "Azure native CLI and API support" to perform the respective audits. However, from a security posture standpoint, these recommendations are important. According to the last communication with the Microsoft Support team regarding "Azure native CLI and API support", Microsoft teams are working to enhance "Microsoft graph API" to support all these "Azure AD" functionalities. Once we get this capability through "Microsoft Graph API", we will update the involved recommendations with the respective audit and remediation steps to make them as scored.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 1 Identity and Access Management.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v140_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v140_1 --shareControls
- 1.1 Ensure that multi-factor authentication status is enabled for all privileged users
- 1.2 Ensure that multi-factor authentication status is enabled for all non- privileged users
- 1.3 Ensure guest users are reviewed on a monthly basis
- 1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled
- 1.5 Ensure that 'Number of methods required to reset' is set to '2'
- 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"
- 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'
- 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
- 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
- 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
- 1.11 Ensure that 'Users can register applications' is set to 'No'
- 1.12 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- 1.13 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- 1.14 Ensure That 'Restrict access to Azure AD administration portal' is set to 'Yes'
- 1.15 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- 1.16 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- 1.17 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
- 1.18 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- 1.19 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
- 1.20 Ensure that no custom subscription owner roles are created
- 1.21 Ensure Security Defaults is enabled on Azure Active Directory
- 1.22 Ensure Custom Role is assigned for Administering Resource Locks