last sync: 2025-Mar-23 22:31:03 UTC

CIS Azure Foundations v2.1.0

Azure BuiltIn Policy Initiative (PolicySet)

Source: Azure Portal
Display name: CIS Azure Foundations v2.1.0
Id: fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85
Version: 1.0.0
Versioning: Versions supported for Versioning: 1 (1.0.0)
Category: Regulatory Compliance
Description: Security guidance for Microsoft Azure, providing best practices to enhance security posture.
Cloud environments: AzureCloud = true; AzureChinaCloud = unknown; AzureUSGovernment = unknown
Available in AzUSGov: Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Type: BuiltIn
Deprecated: False
Preview: False
Policy count: Total Policies: 31; Builtin Policies: 31; Static Policies: 0
Policy used

| Policy DisplayName | Policy Id | Category | Version | Versioning | Effect | Roles# | Roles | State | policy in AzUSGov |
|---|---|---|---|---|---|---|---|---|---|
| [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | Security Center | 4.0.0-preview | 1x: 4.0.0-preview | Default: Audit; Allowed: Audit, Disabled | 0 | | Preview | true |
| [Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | Security Center | 2.0.0-preview | 1x: 2.0.0-preview | Default: Audit; Allowed: Audit, Disabled | 0 | | Preview | true |
| An activity log alert should exist for specific Administrative operations | b954148f-4c11-4c38-8221-be76711e194a | Monitoring | 1.0.0 | 1x: 1.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| An activity log alert should exist for specific Policy operations | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | Monitoring | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| App Service apps should only be accessible over HTTPS | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service | 4.0.0 | 1x: 4.0.0 | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | true |
| App Service apps should require FTPS only | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| App Service apps should use latest 'HTTP Version' | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service | 4.0.0 | 1x: 4.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| App Service apps should use managed identity | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| App Service apps should use the latest TLS version | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | 2.1.0 | 2x: 2.1.0, 2.0.1 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Audit VMs that do not use managed disks | 06a78e20-9358-41c9-923c-fb736d382a4d | Compute | 1.0.0 | 1x: 1.0.0 | Fixed: audit | 0 | | GA | true |
| Auditing on SQL server should be enabled | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | SQL | 2.0.0 | 1x: 2.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Email notification for high severity alerts should be enabled | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Security Center | 1.2.0 | 3x: 1.2.0, 1.1.0, 1.0.1 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Enforce SSL connection should be enabled for MySQL database servers | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | SQL | 1.0.1 | 1x: 1.0.1 | Default: Audit; Allowed: Audit, Disabled | 0 | | GA | true |
| Enforce SSL connection should be enabled for PostgreSQL database servers | d158790f-bfb0-486c-8631-2dc6b4e8e6af | SQL | 1.0.1 | 1x: 1.0.1 | Default: Audit; Allowed: Audit, Disabled | 0 | | GA | true |
| Function apps should require FTPS only | 399b2637-a50f-4f95-96f8-3a145476eb15 | App Service | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Function apps should use latest 'HTTP Version' | e2c1c086-2d84-4019-bff3-c44ccd95113c | App Service | 4.0.0 | 1x: 4.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Function apps should use the latest TLS version | f9d614c5-c173-4d56-95a7-b4437057d193 | App Service | 2.1.0 | 2x: 2.1.0, 2.0.1 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Generate internal security alerts | 171e377b-5224-4a97-1eaa-62a3b5231dac | Regulatory Compliance | 1.1.0 | 1x: 1.1.0 | Default: Manual; Allowed: Manual, Disabled | 0 | | GA | true |
| Key Vault keys should have an expiration date | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault | 1.0.2 | 1x: 1.0.2 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Key Vault secrets should have an expiration date | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault | 1.0.2 | 1x: 1.0.2 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Machines should be configured to periodically check for missing system updates | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Azure Update Manager | 3.7.0 | 4x: 3.7.0, 3.6.0, 3.5.0, 3.4.1 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Management ports should be closed on your virtual machines | 22730e10-96f6-4aac-ad84-9383d35b5917 | Security Center | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Public network access on Azure SQL Database should be disabled | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | SQL | 1.1.0 | 1x: 1.1.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Public network access should be disabled for PostgreSQL flexible servers | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | SQL | 3.1.0 | 2x: 3.1.0, 3.0.1 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | unknown |
| Public network access should be disabled for PostgreSQL servers | b52376f7-9612-48a1-81cd-1ffe4b61032c | SQL | 2.0.1 | 1x: 2.0.1 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Secure transfer to storage accounts should be enabled | 404c3081-a854-4457-ae30-26a93ef643f9 | Storage | 2.0.0 | 1x: 2.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 89099bee-89e0-4b26-a5f4-165451757743 | SQL | 3.0.0 | 1x: 3.0.0 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Storage account public access should be disallowed | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | Storage | 3.1.1 | 2x: 3.1.1, 3.1.0-preview | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA | unknown |
| Storage accounts should have the specified minimum TLS version | fe83a0eb-a853-422d-aac2-1bffd182c5d0 | Storage | 1.0.0 | 1x: 1.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Subscriptions should have a contact email address for security issues | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Security Center | 1.0.1 | 1x: 1.0.1 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Use automated mechanisms for security alerts | b8689b2e-4308-a58b-a0b4-6f3343a000df | Regulatory Compliance | 1.1.0 | 1x: 1.1.0 | Default: Manual; Allowed: Manual, Disabled | 0 | | GA | unknown |
Roles used: No Roles used

History

| Date/Time (UTC ymd) | Changes |
|---|---|
| 2025-01-30 19:27:00 | add Initiative fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 (JSON compare: n/a) |