Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity: Low to High; indicates the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
Rule ID | Title | Description | Severity | Service Type | Resource Type |
--- | --- | --- | --- | --- | --- |
CSPM-AZURE-2024-0001 | The Use of Guest Users Detected | Refrain from generating guest users, as they are often incorporated outside the established employee onboarding and offboarding procedures. This practice could inadvertently go unnoticed indefinitely, introducing a potential security vulnerability. | Medium | Microsoft Graph API | Guest Users |
CSPM-AZURE-2024-0047 | Microsoft Cloud App Security (MCAS) is Disabled in Security Center | Security Center provides an additional layer of protection by leveraging Azure Resource Manager events, which serve as the control plane for Azure. Through analysis of these Azure Resource Manager records, Security Center identifies unusual or potentially harmful operations within the Azure subscription environment. It’s worth noting that several of the analytics mentioned are powered by Microsoft Cloud App Security. | High | Security | Security Settings |
CSPM-AZURE-2024-0048 | Windows Defender ATP (WDATP) is Disabled in Security Center | The integration of Windows Defender Advanced Threat Protection (WDATP) into Azure Security Center provides extensive Endpoint Detection and Response (EDR) capabilities. This integration enables the identification of anomalies and the detection and response to advanced attacks on Windows server endpoints. Windows Defender ATP within Security Center supports detection on operating systems such as Windows Server 2016, 2012 R2, and 2008 R2 SP1 in a Standard service subscription. | High | Security | Security Settings |
CSPM-AZURE-2024-0082 | Ensure Security Defaults is enabled on Microsoft Entra ID | Security defaults in Microsoft Entra ID simplify the process of securing your organization and enhancing protection. These defaults include preconfigured settings designed to guard against common attacks. Available to all users, security defaults aim to provide a fundamental level of security at no additional cost. You can enable these defaults through the Azure portal. | Medium | Microsoft Entra ID | Security Defaults |
CSPM-AZURE-2024-0086 | Ensure Trusted Locations Are Defined (Manual) | In Azure Active Directory, it’s important to define trusted locations to enhance security and streamline access control. Trusted locations are IP ranges or geographic areas from which users can access resources with fewer security restrictions, such as bypassing certain Conditional Access policies. To verify that trusted locations are properly defined, log in to the Azure portal, navigate to Azure Active Directory, and go to ‘Security’ > ‘Conditional Access’ > ‘Named locations.’ Ensure that appropriate trusted locations are configured to balance security with user convenience. Manually review and update these settings as necessary to ensure that they align with your organization’s security requirements and access policies. | Medium | Microsoft Entra ID Conditional Access | Named Locations |
CSPM-AZURE-2024-0104 | Ensure That ‘Guest users access restrictions’ is set to ‘Guest user access is restricted to properties and memberships of their own directory objects’ (Manual) | This helps prevent unauthorized access to sensitive data within your Azure environment. By restricting guest users to their own resources, you can reduce the risk of data breaches and maintain a secure perimeter. | Medium | Microsoft Entra ID | Authorization Policies |
CSPM-AZURE-2024-0105 | Ensure that ‘Guest invite restrictions’ is set to “Only users assigned to specific admin roles can invite guest users” (Manual) | To enhance security and maintain control over guest user access, ensure that only users with designated administrative roles have the authority to invite external users to your Azure environment. This restriction helps prevent unauthorized access and mitigate potential risks. | Medium | Microsoft Entra ID | Authorization Policies |
CSPM-AZURE-2024-0114 | Ensure That Microsoft Defender for App Services Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for App Service activates advanced threat detection, including threat intelligence, anomaly detection, and behavior analytics, within Microsoft Defender for Cloud. This provides automated protection, helping to secure your App Service applications against potential threats. | Medium | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0115 | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To ‘On’ (Automated) | By enabling Microsoft Defender for Azure SQL Databases, you activate threat detection for your Managed Instance databases. This feature provides advanced threat intelligence, anomaly detection, and behavior analytics through Microsoft Defender for Cloud, helping safeguard your databases with proactive, automated protection against potential security threats. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0116 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for SQL servers on machines activates threat detection for SQL servers hosted on machines. This feature provides advanced threat intelligence, anomaly detection, and behavior analytics through Microsoft Defender for Cloud, offering proactive protection to help secure your SQL servers from potential threats. | High | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0117 | Ensure That Microsoft Defender for Open Source Relational Databases Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for open-source relational databases activates comprehensive threat detection capabilities tailored for these databases. This feature leverages advanced threat intelligence, anomaly detection, and behavior analytics within Microsoft Defender for Cloud to provide continuous monitoring and proactive security. By doing so, it ensures that your open-source relational databases are safeguarded against potential vulnerabilities and emerging threats, offering robust, automated protection in a cloud environment. | Medium | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0118 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To ‘On’ (Automated) | Microsoft Defender for Azure Cosmos DB continuously monitors and scans all incoming network requests for potential threats targeting your Azure Cosmos DB resources. This provides proactive security, ensuring that your data is protected from malicious activities and vulnerabilities by detecting and responding to threats in real-time. | High | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0119 | Ensure That Microsoft Defender for Storage Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for Storage activates advanced threat detection for your storage accounts. This includes real-time threat intelligence, anomaly detection, and behavior analytics, all integrated within Microsoft Defender for Cloud. These capabilities help protect your storage resources by identifying and responding to potential security threats, ensuring enhanced data security and proactive risk management. | High | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0120 | Ensure That Microsoft Defender for Containers Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for Containers activates advanced threat detection for Container Registries and Kubernetes environments. It utilizes threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud to enhance security. Key features include continuous monitoring, compliance enforcement with Azure Policy for Kubernetes, agentless resource discovery, and vulnerability assessments for container images. These tools provide comprehensive protection for your containerized applications. | High | Microsoft Defender | Pricings |
CSPM-AZURE-2024-0121 | Ensure That Microsoft Defender for Key Vault Is Set To ‘On’ (Automated) | Enabling Microsoft Defender for Key Vault activates threat detection for your Key Vault resources, utilizing advanced threat intelligence, anomaly detection, and behavior analytics within Microsoft Defender for Cloud. This proactive approach enhances the security of your sensitive data by identifying and responding to potential threats, ensuring that your Key Vault remains protected against unauthorized access and vulnerabilities. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0122 | Ensure That Microsoft Defender for DNS Is Set To ‘On’ (Automated) | Microsoft Defender for DNS monitors and scans all network traffic leaving your subscription, providing critical insights into potential security threats. This service helps identify suspicious DNS activity, ensuring that any malicious behavior is detected and addressed promptly. As of August 1, customers with an existing subscription to Defender for DNS can continue using the service, while new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2, enhancing their overall security posture. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0123 | Ensure That Microsoft Defender for Resource Manager Is Set To ‘On’ (Automated) | Microsoft Defender for Resource Manager actively scans incoming administrative requests aimed at modifying your infrastructure, whether they originate from the command-line interface (CLI) or the Azure portal. This proactive monitoring helps detect and mitigate potential security threats, ensuring that unauthorized changes are identified and addressed swiftly, thereby enhancing the overall security and integrity of your cloud resources. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0129 | Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) | An organization’s attack surface includes assets with public network identifiers or URIs that external threat actors can access from outside the cloud. A larger attack surface increases security challenges. Defender EASM can scan your infrastructure, including domains, hosts, CIDR blocks, and SSL certificates, and store them in an inventory. This inventory, generated by scanning provided Seeds (FQDNs, IP CIDR blocks, WHOIS records), includes insights such as vulnerabilities (CVEs), open ports, and weak SSL certificates. Within 24-48 hours, results are classified as High/Medium/Low, along with proposed mitigations for potential risks. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0130 | Ensure That Microsoft Defender for IoT Hub Is Set To ‘On’ (Manual) | Microsoft Defender for IoT serves as a central security hub for managing and protecting IoT devices across your organization. It provides continuous monitoring, threat detection, and response capabilities, ensuring that all connected devices are safeguarded against potential security risks. By integrating with Microsoft Defender for Cloud, it offers a comprehensive view of your IoT environment, helping to identify vulnerabilities and prevent cyberattacks, while maintaining a secure and resilient infrastructure for your IoT operations. | High | Microsoft Defender | Security Configurations |
CSPM-AZURE-2024-0167-01 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Although Basic or Free SKUs in Azure may offer cost savings, they have considerable limitations in terms of monitoring and support. These lower-tier SKUs often do not include full service level agreements (SLAs) and may not be eligible for Microsoft support. Consequently, Basic/Free SKUs are unsuitable for production workloads, where strong monitoring, reliability, and support are essential. To ensure optimal performance and support in production environments, always choose higher-tier SKUs. | Medium | Virtual Networks | Public IP Addresses |
CSPM-AZURE-2024-0167-02 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | While Basic or Free SKUs in Azure may be cost-effective, they come with significant limitations regarding monitoring and support. These SKUs typically lack comprehensive service level agreements (SLAs) and may not qualify for Microsoft support. As a result, Basic/Free SKUs should never be used for production workloads, where robust monitoring, reliability, and support are critical. For production environments, always opt for higher-tier SKUs to ensure adequate performance and support. | Medium | Load Balancer | Load Balancer |
CSPM-AZURE-2024-0167-05 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | While Basic or Free SKUs in Azure may be cost-effective, they come with significant limitations regarding monitoring and support. These SKUs typically lack comprehensive service level agreements (SLAs) and may not qualify for Microsoft support. As a result, Basic/Free SKUs should never be used for production workloads, where robust monitoring, reliability, and support are critical. For production environments, always opt for higher-tier SKUs to ensure adequate performance and support. | Medium | SQL Database | Database |