last sync: 2025-Feb-05 19:33:00 UTC

Only approved VM extensions should be installed

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Only approved VM extensions should be installed
Id: c0e996f8-39cf-4af9-9f45-83fbde810432
Version: 1.0.0
Versioning: Versions supported for Versioning: 1 (1.0.0); Built-in Versioning [Preview]
Category: Compute
Description: This policy governs the virtual machine extensions that are not approved.
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Audit; Allowed = Audit, Deny, Disabled
RBAC role(s): none
Rule aliases IF (1)
Alias: Microsoft.Compute/virtualMachines/extensions/type
Namespace: Microsoft.Compute
ResourceType: virtualMachines/extensions
Path: properties.type
PathIsDefault: True
DefaultPath: (none)
Modifiable: False
Rule resource types IF (1)
Microsoft.Compute/virtualMachines/extensions
Compliance
The following 36 compliance controls are associated with this Policy definition 'Only approved VM extensions should be installed' (c0e996f8-39cf-4af9-9f45-83fbde810432)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 7.4 CIS_Azure_1.1.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that only approved extensions are installed Shared The customer is responsible for implementing this recommendation. Only install organization-approved extensions on VMs. link 1
CIS_Azure_1.3.0 7.4 CIS_Azure_1.3.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that only approved extensions are installed Shared The customer is responsible for implementing this recommendation. Only install organization-approved extensions on VMs. link 1
CIS_Azure_1.4.0 7.4 CIS_Azure_1.4.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that Only Approved Extensions Are Installed Shared The customer is responsible for implementing this recommendation. For added security only install organization-approved extensions on VMs. link 1
CIS_Azure_2.0.0 7.5 CIS_Azure_2.0.0_7.5 CIS Microsoft Azure Foundations Benchmark recommendation 7.5 7 Ensure that Only Approved Extensions Are Installed Shared Functionality by unsupported extensions will be disabled. For added security, only install organization-approved extensions on VMs. Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented. link 1
CMMC_L2_v1.9.0 CM.L2_3.4.1 CMMC_L2_v1.9.0_CM.L2_3.4.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 Configuration Management System Baselining Shared Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. To ensure consistency, security, and compliance with organizational standards and requirements. 17
CMMC_L2_v1.9.0 CM.L2_3.4.2 CMMC_L2_v1.9.0_CM.L2_3.4.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 Configuration Management Security Configuration Enforcement Shared Establish and enforce security configuration settings for information technology products employed in organizational systems. To mitigate vulnerabilities and enhance overall security posture. 11
CMMC_L2_v1.9.0 CM.L2_3.4.6 CMMC_L2_v1.9.0_CM.L2_3.4.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 Configuration Management Least Functionality Shared Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. To reduce the risk of unauthorized access or exploitation of system vulnerabilities. 11
CSA_v4.0.12 AIS_02 CSA_v4.0.12_AIS_02 CSA Cloud Controls Matrix v4.0.12 AIS 02 Application & Interface Security Application Security Baseline Requirements Shared n/a Establish, document and maintain baseline requirements for securing different applications. 11
CSA_v4.0.12 CCC_02 CSA_v4.0.12_CCC_02 CSA Cloud Controls Matrix v4.0.12 CCC 02 Change Control and Configuration Management Quality Testing Shared n/a Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. 12
CSA_v4.0.12 CCC_03 CSA_v4.0.12_CCC_03 CSA Cloud Controls Matrix v4.0.12 CCC 03 Change Control and Configuration Management Change Management Technology Shared n/a Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). 31
CSA_v4.0.12 CCC_04 CSA_v4.0.12_CCC_04 CSA Cloud Controls Matrix v4.0.12 CCC 04 Change Control and Configuration Management Unauthorized Change Protection Shared n/a Restrict the unauthorized addition, removal, update, and management of organization assets. 25
CSA_v4.0.12 CCC_09 CSA_v4.0.12_CCC_09 CSA Cloud Controls Matrix v4.0.12 CCC 09 Change Control and Configuration Management Change Restoration Shared n/a Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns. 11
CSA_v4.0.12 IVS_04 CSA_v4.0.12_IVS_04 CSA Cloud Controls Matrix v4.0.12 IVS 04 Infrastructure & Virtualization Security OS Hardening and Base Controls Shared n/a Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline. 3
CSA_v4.0.12 UEM_03 CSA_v4.0.12_UEM_03 CSA Cloud Controls Matrix v4.0.12 UEM 03 Universal Endpoint Management Compatibility Shared n/a Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications. 11
CSA_v4.0.12 UEM_05 CSA_v4.0.12_UEM_05 CSA Cloud Controls Matrix v4.0.12 UEM 05 Universal Endpoint Management Endpoint Management Shared n/a Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data. 11
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5 5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 21
NIST_SP_800-171_R3 3.1.16 NIST_SP_800-171_R3_3.1.16 NIST 800-171 R3 3.1.16 Access Control Wireless Access Shared Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential missions or business functions can help reduce susceptibility to threats by adversaries involving wireless technologies. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system. b. Authorize each type of wireless access to the system prior to establishing such connections. c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment. 8
NIST_SP_800-171_R3 3.4.1 NIST_SP_800-171_R3_3.4.1 404 not found n/a n/a 10
NIST_SP_800-53_R5.1.1 CM.2 NIST_SP_800-53_R5.1.1_CM.2 NIST SP 800-53 R5.1.1 CM.2 Configuration Management Control Baseline Configuration Shared a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: Assignment organization-defined circumstances]; and 3. When system components are installed or upgraded. Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. 10
NIST_SP_800-53_R5.1.1 CM.6.1 NIST_SP_800-53_R5.1.1_CM.6.1 NIST SP 800-53 R5.1.1 CM.6.1 Configuration Management Control Configuration Settings | Automated Management, Application, and Verification Shared Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization. 3
RMiT_v1.0 11.4 RMiT_v1.0_11.4 RMiT 11.4 Cyber Risk Management Cyber Risk Management - 11.4 Shared n/a A large financial institution is required to: (a) implement a centralised automated tracking system to manage its technology asset inventory; and (b) establish a dedicated in-house cyber risk management function to manage cyber risks or emerging cyber threats. The cyber risk management function shall be responsible for the following: (i) perform detailed analysis on cyber threats, provide risk assessments on potential cyber-attacks and ensure timely review and escalation of all high-risk cyber threats to senior management and the board; and (ii) proactively identify potential vulnerabilities including those arising from infrastructure hosted with third party service providers through the simulation of sophisticated 'Red Team' attacks on its current security controls. link 3
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 47
SOC_2 CC8.1 SOC_2_CC8.1 SOC 2 Type 2 CC8.1 Change Management Changes to infrastructure, data, and software Shared The customer is responsible for implementing this recommendation. Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. 52
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 148
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between users' Swift-related components. 48
SWIFT_CSCF_2024 2.3 SWIFT_CSCF_2024_2.3 SWIFT Customer Security Controls Framework 2024 2.3 Risk Management System Hardening Shared 1. System hardening applies the security concept of “least privilege” to a system by disabling features and services that are not required for normal system operations. 2. This process reduces the system capabilities, features, and protocols that a malicious person may use during an attack. To reduce the cyber-attack surface of Swift-related components by performing system hardening. 3
SWIFT_CSCF_2024 9.2 SWIFT_CSCF_2024_9.2 404 not found n/a n/a 16
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn
History: none
JSON compare: n/a