How to Check Your Azure Account Against the CIS Benchmark
Learn how to use the CIS benchmarks report to check and enforce security best practices in your Azure account.
As security threats evolve, organizations must continually assess and update their security policies. The Center for Internet Security (CIS) is actively collaborating with industry leaders to create and publish comprehensive security configuration benchmarks. These benchmarks provide organizations with a reference point for safely configuring their systems and help them meet compliance requirements.
Azure CIS benchmarks are among the most comprehensive of these resources. They help organizations secure their Azure environment by providing a detailed checklist of security best practices.
In this guide, we’ll explain how your organization can use Azure CIS benchmarks to check for compliance and apply rules to your organization.
Azure CIS benchmarks are for organizations that use Azure and seek to establish a secure baseline configuration for their environment. The guidelines in the benchmarks are based on industry best practices and organized into security domains.
Azure CIS benchmarks provide two levels of security settings for organizations to reference.
It's important to note that CIS regularly updates its benchmarks, so check for new versions and ensure your configuration is up to date with the latest rules. For example, Azure CIS Benchmark version 2.0, released in February 2023, featured mostly formatting changes and a handful of recommendations added and removed.
For comparison, the prior release in August 2022 (CIS v1.5) featured 34 new recommendations, updated Azure CLI and PowerShell audit and remediation methods, and sections for Microsoft Defender, Conditional Access, and Key Vault compliance.
Azure CIS benchmarks cover different categories designed to protect or reduce risk within the system. The categories are what you need to review when running compliance checks and include:
To start checking compliance against Azure CIS benchmarks, download any benchmark version from the Center for Internet Security’s website and use it as a reference for configuring your system.
For instance, for the Identity and Access Management section, you can scan for user accounts with weak passwords and inadequate Multi-Factor Authentication (MFA) settings.
Similarly, the benchmarks in the Networking section can help you identify weak settings or configurations unique to Azure and adopt regular practices, such as periodically reviewing every public IP address in the subscription.
Your organization can use the Azure CIS benchmarks to run manual compliance checks or set up new automated checks against the rules in the benchmarks to continually eliminate gaps in your security posture.
Since there are hundreds of controls across the different CIS sections, manual checks alone cannot keep you continuously compliant with these standards.
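As an illustration of what one such automated check looks like, here is an added example (not Blink's automation and not code from the CIS benchmark) that evaluates network security group rules against the CIS Networking recommendations that RDP and SSH must not be reachable from the internet. It assumes the JSON field names produced by `az network nsg rule list -o json`, and the rule set below is constructed sample data, not output from a real subscription.

```python
"""Flag NSG inbound Allow rules that expose SSH (22) or RDP (3389) to the internet."""
import json

# Constructed sample resembling `az network nsg rule list -o json` output.
SAMPLE_RULES_JSON = """[
  {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
  {"name": "allow-web-internet", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
  {"name": "allow-ssh-range", "direction": "Inbound", "access": "Allow", "protocol": "*",
   "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "20-25"}
]"""

# Source prefixes that Azure treats as "anywhere on the internet".
INTERNET_SOURCES = {"*", "internet", "any"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}


def _values(rule, single, plural):
    """Merge the singular and plural forms of a prefix/port field into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def _port_in_range(port, spec):
    """True if a port number falls inside a range spec such as "22", "20-25" or "*"."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def find_internet_exposed(rules):
    """Return (rule name, service) pairs for inbound Allow rules open to the internet."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        # "0.0.0.0/0" and "::/0" both end in "/0"; the named aliases are matched case-insensitively.
        if not any(s.lower() in INTERNET_SOURCES or s.endswith("/0") for s in sources):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, service in SENSITIVE_PORTS.items():
            if any(_port_in_range(port, p) for p in ports):
                findings.append((rule["name"], service))
    return findings


def load_sample():
    return json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    for name, service in find_internet_exposed(load_sample()):
        print(f"FAIL: rule '{name}' allows {service} from the internet")
```

Feeding the real CLI output into `find_internet_exposed` instead of the sample gives a list you can drop straight into a scheduled report.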
With Blink, you can run this automation to check your Azure account against many of these controls daily. With this information compiled in a simple report, you can make updates and tag in the relevant team members quickly.
This Azure compliance automation in the Blink library runs on a schedule that you can specify. When it runs, it does the following steps:
You can import this automation from the library into your account and customize it based on your organization’s needs. For example, you can drag-and-drop new actions into the canvas or send certain reports to different stakeholders.
If you have reporting requirements to support internal audits, running automations like this one can save your team significant time.
You can build your own automation from scratch or use one of our 5K pre-built automations today.
Get started with Blink today to see how easy automation can be.