Benchmark: 5.3 Periodic Identity Reviews
Overview
Security best practices for identity services should include operational reviews that periodically confirm the integrity and continued necessity of accounts and permissions. These reviews should be performed on a regular cadence set by your organization's policy or compliance requirements.
NOTE: The recommendations in this section may not have a precise audit or remediation procedure because they may not be a configurable setting as much as they are an operative task that should be performed on a periodic basis.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 5.3 Periodic Identity Reviews.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_5_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_5_3 --share
Controls
- 5.3.1 Ensure that Azure admin accounts are not used for daily operations
- 5.3.2 Ensure that guest users are reviewed on a regular basis
- 5.3.3 Ensure that use of the 'User Access Administrator' role is restricted
- 5.3.4 Ensure that all 'privileged' role assignments are periodically reviewed
- 5.3.5 Ensure disabled user accounts do not have read, write, or owner permissions
- 5.3.6 Ensure 'Tenant Creator' role assignments are periodically reviewed
- 5.3.7 Ensure all non-privileged role assignments are periodically reviewed
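Because these controls are periodic review tasks rather than settings, the benchmark output is most useful as the starting list for a reviewer. The query below is an added example, not a query from the steampipe-mod-azure-compliance mod; it assumes the Steampipe azuread and azure plugins are installed and that the tables azuread_user, azure_role_assignment and azure_role_definition expose the columns used here. It pulls together the review inputs for 5.3.2 (guest users) and 5.3.5 (disabled users that still hold role assignments) in one pass.

```sql
-- Added example (not part of the steampipe-mod-azure-compliance mod).
-- Assumed tables/columns: azuread_user(id, user_principal_name, account_enabled, user_type),
-- azure_role_assignment(principal_id, role_definition_id, scope),
-- azure_role_definition(id, role_name).
-- Run from a Steampipe SQL session (for example: steampipe query).
select
  u.user_principal_name,
  u.account_enabled,
  u.user_type,
  d.role_name,
  a.scope,
  case
    when not u.account_enabled then '5.3.5 disabled account still holds a role'
    when u.user_type = 'Guest' then '5.3.2 guest user: confirm still required'
  end as review_reason
from
  azuread_user as u
  join azure_role_assignment as a on a.principal_id = u.id
  join azure_role_definition as d on d.id = a.role_definition_id
where
  not u.account_enabled        -- 5.3.5: remove the assignment or delete the account
  or u.user_type = 'Guest'     -- 5.3.2: guests should be re-approved or removed
order by
  u.user_principal_name,
  d.role_name;
```

Each row is an item for the review cadence described in the Overview: a disabled account with any role assignment is a finding to remediate, while a guest row is a decision point for the account owner. Exporting the result on the same schedule as the benchmark run gives an auditable record that the review actually happened.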