Benchmark: 3.5.6 Disable identifiers after a defined period of inactivity
Description
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.5.6 Disable identifiers after a defined period of inactivity.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_5_6
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_5_6 --share
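The commands above produce a dashboard or terminal report; in a pipeline you usually want the same run to fail the job when any control is in alarm. The following script is an added example, not part of the azure-compliance mod: it reads a JSON export of this benchmark (for instance from `powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_5_6 --export json`, or `--output json` redirected to a file), walks nested sub-benchmarks, lists every alarm/error result with its subscription, and returns a non-zero exit code. The JSON shape it assumes (`groups`, `controls`, `results`, `status`, `dimensions`) is the format Powerpipe inherited from `steampipe check`; confirm it against your own export. The embedded sample export, its control IDs and resource IDs are constructed placeholders.

```python
"""Gate a CI job on a Powerpipe JSON export of benchmark 3.5.6.

Added example; not code from the azure-compliance mod. The export format is
assumed (groups/controls/results/status/dimensions) - verify against a real
export before relying on it.
"""
from __future__ import annotations

import json
import sys
from typing import Iterator

FAIL_STATUSES = ("alarm", "error")

# Constructed sample export, trimmed to the fields this script reads.
# Control IDs, resource IDs and the subscription ID are placeholders.
SAMPLE_EXPORT = json.dumps({
    "group_id": "azure_compliance.benchmark.nist_sp_800_171_rev_2_3_5_6",
    "title": "3.5.6 Disable identifiers after a defined period of inactivity",
    "summary": {"status": {"alarm": 2, "ok": 2, "info": 0, "skip": 0, "error": 0}},
    "controls": [
        {
            "control_id": "example.control.blocked_accounts_removed",  # placeholder
            "title": "Blocked accounts with read and write permissions on Azure resources should be removed",
            "results": [
                {"status": "alarm",
                 "reason": "user1@example.com is blocked but still has a role assignment.",
                 "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaa",
                 "dimensions": [{"key": "subscription_id", "value": "00000000-0000-0000-0000-000000000000"}]},
                {"status": "ok",
                 "reason": "user2@example.com is active.",
                 "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/bbbb",
                 "dimensions": [{"key": "subscription_id", "value": "00000000-0000-0000-0000-000000000000"}]},
            ],
        }
    ],
    # A nested sub-benchmark, to show that the walker recurses into "groups".
    "groups": [
        {
            "group_id": "example.benchmark.app_identity",  # placeholder
            "title": "Managed identity",
            "groups": [],
            "controls": [
                {
                    "control_id": "example.control.function_app_managed_identity",  # placeholder
                    "title": "Function apps should use managed identity",
                    "results": [
                        {"status": "alarm",
                         "reason": "fn-billing does not use a managed identity.",
                         "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Web/sites/fn-billing",
                         "dimensions": [{"key": "subscription_id", "value": "00000000-0000-0000-0000-000000000000"}]},
                        {"status": "ok",
                         "reason": "fn-ingest uses a managed identity.",
                         "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Web/sites/fn-ingest",
                         "dimensions": [{"key": "subscription_id", "value": "00000000-0000-0000-0000-000000000000"}]},
                    ],
                }
            ],
        }
    ],
})


def iter_controls(node: dict) -> Iterator[dict]:
    """Depth-first walk over a benchmark node, yielding every control,
    including those inside nested sub-benchmarks under "groups"."""
    for control in node.get("controls", []):
        yield control
    for group in node.get("groups", []):
        yield from iter_controls(group)


def failing_results(export_json: str, fail_on=FAIL_STATUSES) -> list[dict]:
    """Return one flat record per control result whose status is in fail_on."""
    root = json.loads(export_json)
    failures = []
    for control in iter_controls(root):
        for result in control.get("results", []):
            if result.get("status") not in fail_on:
                continue
            dims = {d["key"]: d["value"] for d in result.get("dimensions", [])}
            failures.append({
                "control": control.get("title") or control.get("control_id"),
                "resource": result.get("resource"),
                "reason": result.get("reason"),
                "subscription_id": dims.get("subscription_id"),
            })
    return failures


def gate_exit_code(export_json: str, fail_on=FAIL_STATUSES) -> int:
    """1 if any result has a failing status, else 0 (suitable for a CI step)."""
    return 1 if failing_results(export_json, fail_on) else 0


if __name__ == "__main__":
    # Pipe a real export in via stdin; with no stdin the constructed sample is used.
    data = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    for f in failing_results(data):
        print(f"[{f['subscription_id']}] {f['control']}: {f['resource']} - {f['reason']}")
    sys.exit(gate_exit_code(data))
```

Run it as `powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_5_6 --output json | python3 gate.py` after a successful Steampipe login to Azure; widen or narrow `fail_on` to decide whether `error` results (for example, a subscription the credential cannot read) should block the pipeline as well.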
Controls
- Function apps should use managed identity
- App Service apps should use managed identity
- Cognitive Services accounts should have local authentication methods disabled
- Blocked accounts with read and write permissions on Azure resources should be removed
- Service Fabric clusters should only use Azure Active Directory for client authentication
- An Azure Active Directory administrator should be provisioned for SQL servers