Benchmark: 8 Networking Services
Overview
To better understand the relationship between the Foundations Benchmark and Services Benchmarks, please read the "Introduction" section of this document.
This section covers security recommendations to follow in order to set networking policies on an Azure subscription.
Azure Product Directory Reference: https://azure.microsoft.com/en-us/products#networking
FEEDBACK REQUEST: Is there a specific service or recommendation in this section that you'd like to see addressed or improved? Let us know by making a ticket or starting a discussion in the CIS Microsoft Azure Community (https://workbench.cisecurity.org/communities/72).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 8 Networking Services.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_8
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v400_8 --share
Controls
- 8.1 Ensure that RDP access from the Internet is evaluated and restricted
- 8.2 Ensure that SSH access from the Internet is evaluated and restricted
- 8.3 Ensure that UDP access from the Internet is evaluated and restricted
- 8.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- 8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 8.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- 8.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90