AzPolicyAdvertizer

last sync: 2025-Jun-13 17:23:19 UTC

Azure Key Vaults should use private link

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure Key Vaults should use private link
Id a6abeaec-4d90-4a02-805f-6b26c4d3fbe9
Version 1.2.1
Details on versioning
Versioning Versions supported for Versioning: 1
1.2.1
Built-in Versioning [Preview]
Category Key Vault
Microsoft Learn
Description Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.2.1'
Repository: Azure-Policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9
Assessment(s) Assessments count: 1
Assessment Id: f6b59724-4a05-aa38-33e2-25f15eecf00b
DisplayName: Azure Key Vaults should use private link
Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.
Remediation description: To enable private endpoint for your key vault: 1. Log in to the Azure Portal and select your key vault. 2. Click the 'Networking' tab. 3. Select the 'Private Endpoint Connections' tab. 4. Click '+ Private Endpoint'. Please visit https://aka.ms/akvprivatelink for detailed configuration steps.
Categories: IdentityAndAccess
Severity: Medium
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.KeyVault/vaults/privateEndpointConnections[*] Microsoft.KeyVault vaults properties.privateEndpointConnections[*] True False
Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status Microsoft.KeyVault vaults properties.privateEndpointConnections[*].properties.privateLinkServiceConnectionState.status True False
Rule resource types IF (1)
Compliance
The following 52 compliance controls are associated with this Policy definition 'Azure Key Vaults should use private link' (a6abeaec-4d90-4a02-805f-6b26c4d3fbe9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 NS-2 Azure_Security_Benchmark_v2.0_NS-2 Azure Security Benchmark NS-2 Network Security Connect private networks together Customer Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet , and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute. To connect two or more virtual networks in Azure together, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and is kept on the Azure backbone network. What are the ExpressRoute connectivity models: https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways Virtual network peering: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-service-overview n/a link 15
Azure_Security_Benchmark_v2.0 NS-3 Azure_Security_Benchmark_v2.0_NS-3 Azure Security Benchmark NS-3 Network Security Establish private network access to Azure services Customer Use Azure Private Link to enable private access to Azure services from your virtual networks, without crossing the internet. In situations where Azure Private Link is not yet available, use Azure Virtual Network service endpoints. Azure Virtual Network service endpoints provide secure access to services via an optimized route over the Azure backbone network. Private access is an additional defense in depth measure in addition to authentication and traffic security offered by Azure services. Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview Understand Virtual Network service endpoints: https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview n/a link 13
Azure_Security_Benchmark_v3.0 DP-8 Azure_Security_Benchmark_v3.0_DP-8 Microsoft cloud security benchmark DP-8 Data Protection Ensure security of key and certificate repository Shared **Security Principle:** Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. **Azure Guidance:** Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: - Restrict the access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least privileges principle are in place for management plane access and data plane access. - Secure the Azure Key Vault using Private Link and Azure Firewall to ensure the minimal exposure of the service - Ensure separation of duties is place for users who manages encryption keys not have the ability to access encrypted data, and vice versa. - Use managed identity to access keys stored in the Azure Key Vault in your workload applications. - Never have the keys stored in plaintext format outside of the Azure Key Vault. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - Backup your keys and certificates using the Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. - Turn on Azure Key Vault logging to ensure the critical management plane and data plane activities are logged. **Implementation and additional context:** Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview Azure Key Vault security best practices: https://docs.microsoft.com/azure/key-vault/general/best-practices Use managed identity to access Azure Key Vault: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad n/a link 6
Azure_Security_Benchmark_v3.0 NS-2 Azure_Security_Benchmark_v3.0_NS-2 Microsoft cloud security benchmark NS-2 Network Security Secure cloud services with network controls Shared **Security Principle:** Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. **Azure Guidance:** Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service. **Implementation and additional context:** Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview n/a link 40
CIS_Azure_2.0.0 8.7 CIS_Azure_2.0.0_8.7 CIS Microsoft Azure Foundations Benchmark recommendation 8.7 8 Ensure that Private Endpoints are Used for Azure Key Vault Shared Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic. Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys. Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets. link 1
CMMC_2.0_L2 AC.L1-3.1.1 CMMC_2.0_L2_AC.L1-3.1.1 404 not found n/a n/a 54
CMMC_2.0_L2 AC.L2-3.1.12 CMMC_2.0_L2_AC.L2-3.1.12 404 not found n/a n/a 35
CMMC_2.0_L2 AC.L2-3.1.13 CMMC_2.0_L2_AC.L2-3.1.13 404 not found n/a n/a 29
CMMC_2.0_L2 AC.L2-3.1.14 CMMC_2.0_L2_AC.L2-3.1.14 404 not found n/a n/a 29
CMMC_2.0_L2 AC.L2-3.1.3 CMMC_2.0_L2_AC.L2-3.1.3 404 not found n/a n/a 52
CMMC_2.0_L2 SC.L1-3.13.1 CMMC_2.0_L2_SC.L1-3.13.1 404 not found n/a n/a 56
CMMC_2.0_L2 SC.L1-3.13.5 CMMC_2.0_L2_SC.L1-3.13.5 404 not found n/a n/a 51
CMMC_2.0_L2 SC.L2-3.13.2 CMMC_2.0_L2_SC.L2-3.13.2 404 not found n/a n/a 51
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FedRAMP_High_R4 AC-17 FedRAMP_High_R4_AC-17 FedRAMP High AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_High_R4 AC-17(1) FedRAMP_High_R4_AC-17(1) FedRAMP High AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_High_R4 AC-4 FedRAMP_High_R4_AC-4 FedRAMP High AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
FedRAMP_High_R4 SC-7 FedRAMP_High_R4_SC-7 FedRAMP High SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 52
FedRAMP_High_R4 SC-7(3) FedRAMP_High_R4_SC-7(3) FedRAMP High SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 51
FedRAMP_Moderate_R4 AC-17 FedRAMP_Moderate_R4_AC-17 FedRAMP Moderate AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_Moderate_R4 AC-17(1) FedRAMP_Moderate_R4_AC-17(1) FedRAMP Moderate AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_Moderate_R4 AC-4 FedRAMP_Moderate_R4_AC-4 FedRAMP Moderate AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
FedRAMP_Moderate_R4 SC-7 FedRAMP_Moderate_R4_SC-7 FedRAMP Moderate SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 52
FedRAMP_Moderate_R4 SC-7(3) FedRAMP_Moderate_R4_SC-7(3) FedRAMP Moderate SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 51
New_Zealand_ISM 10.8.35.C.01 New_Zealand_ISM_10.8.35.C.01 New_Zealand_ISM_10.8.35.C.01 10. Infrastructure 10.8.35.C.01 Security Architecture n/a Security architectures MUST apply the principles of separation and segregation. 31
NIST_SP_800-171_R2_3 .1.1 NIST_SP_800-171_R2_3.1.1 NIST SP 800-171 R2 3.1.1 Access Control Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. link 52
NIST_SP_800-171_R2_3 .1.12 NIST_SP_800-171_R2_3.1.12 NIST SP 800-171 R2 3.1.12 Access Control Monitor and control remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks. link 36
NIST_SP_800-171_R2_3 .1.13 NIST_SP_800-171_R2_3.1.13 NIST SP 800-171 R2 3.1.13 Access Control Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards. link 31
NIST_SP_800-171_R2_3 .1.14 NIST_SP_800-171_R2_3.1.14 NIST SP 800-171 R2 3.1.14 Access Control Route remote access via managed access control points. Shared The customer is responsible for implementing this requirement. Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI. link 30
NIST_SP_800-171_R2_3 .1.3 NIST_SP_800-171_R2_3.1.3 NIST SP 800-171 R2 3.1.3 Access Control Control the flow of CUI in accordance with approved authorizations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. link 56
NIST_SP_800-171_R2_3 .13.1 NIST_SP_800-171_R2_3.13.1 NIST SP 800-171 R2 3.13.1 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. [28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans. link 51
NIST_SP_800-171_R2_3 .13.2 NIST_SP_800-171_R2_3.13.2 NIST SP 800-171 R2 3.13.2 System and Communications Protection Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering. link 51
NIST_SP_800-171_R2_3 .13.5 NIST_SP_800-171_R2_3.13.5 NIST SP 800-171 R2 3.13.5 System and Communications Protection Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Shared Microsoft and the customer share responsibilities for implementing this requirement. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies link 51
NIST_SP_800-53_R4 AC-17 NIST_SP_800-53_R4_AC-17 NIST SP 800-53 Rev. 4 AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
NIST_SP_800-53_R4 AC-17(1) NIST_SP_800-53_R4_AC-17(1) NIST SP 800-53 Rev. 4 AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
NIST_SP_800-53_R4 AC-4 NIST_SP_800-53_R4_AC-4 NIST SP 800-53 Rev. 4 AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
NIST_SP_800-53_R4 SC-7 NIST_SP_800-53_R4_SC-7 NIST SP 800-53 Rev. 4 SC-7 System And Communications Protection Boundary Protection Shared n/a The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. link 52
NIST_SP_800-53_R4 SC-7(3) NIST_SP_800-53_R4_SC-7(3) NIST SP 800-53 Rev. 4 SC-7 (3) System And Communications Protection Access Points Shared n/a The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. link 51
NIST_SP_800-53_R5 AC-17 NIST_SP_800-53_R5_AC-17 NIST SP 800-53 Rev. 5 AC-17 Access Control Remote Access Shared n/a a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. link 41
NIST_SP_800-53_R5 AC-17(1) NIST_SP_800-53_R5_AC-17(1) NIST SP 800-53 Rev. 5 AC-17 (1) Access Control Monitoring and Control Shared n/a Employ automated mechanisms to monitor and control remote access methods. link 37
NIST_SP_800-53_R5 AC-4 NIST_SP_800-53_R5_AC-4 NIST SP 800-53 Rev. 5 AC-4 Access Control Information Flow Enforcement Shared n/a Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. link 52
NIST_SP_800-53_R5 SC-7 NIST_SP_800-53_R5_SC-7 NIST SP 800-53 Rev. 5 SC-7 System and Communications Protection Boundary Protection Shared n/a a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. link 52
NIST_SP_800-53_R5 SC-7(3) NIST_SP_800-53_R5_SC-7(3) NIST SP 800-53 Rev. 5 SC-7 (3) System and Communications Protection Access Points Shared n/a Limit the number of external network connections to the system. link 51
RBI_CSF_Banks_v2016 14.1 RBI_CSF_Banks_v2016_14.1 Anti-Phishing Anti-Phishing-14.1 n/a Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications. 28
RBI_CSF_Banks_v2016 21.1 RBI_CSF_Banks_v2016_21.1 Metrics Metrics-21.1 n/a Develop a comprehensive set of metrics that provide for prospective and retrospective measures, like key performance indicators and key risk indicators 15
RBI_CSF_Banks_v2016 7.7 RBI_CSF_Banks_v2016_7.7 Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.7 n/a Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between (i) different VLANs in the Data Centre (ii) LAN/WAN interfaces (iii) bank???s network to external network and interconnections with partner, vendor and service provider networks are to be securely configured. 25
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 28
U.07.1 - Isolated U.07.1 - Isolated 404 not found n/a n/a 62
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
Evaluate Private Link Usage Across All Supported Azure Resources 7379ef4c-89b0-48b6-a5cc-fd3a75eaef93 SDN GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-02-03 18:39:01 change Minor (1.0.1 > 1.2.1)
2023-01-23 18:07:09 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2021-04-21 13:28:46 add a6abeaec-4d90-4a02-805f-6b26c4d3fbe9
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC