Azure Policy Regulatory Compliance controls for Azure Virtual Machines
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for System Monitoring - Event logging and auditing | 582 | Events to be logged - 582 | Virtual machines should be connected to a specified workspace | 1.1.0 |
Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for Networking - Network design and configuration | 1182 | Network access controls - 1182 | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Guidelines for Gateways - Content filtering | 1288 | Antivirus scanning - 1288 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Guidelines for System Hardening - Operating system hardening | 1417 | Antivirus software - 1417 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 3.1.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
CIS Microsoft Azure Foundations Benchmark 1.1.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
2 Security Center | 2.10 | Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
2 Security Center | 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
2 Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
2 Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
7 Virtual Machines | 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.3.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Audit VMs that do not use managed disks | 1.0.0 |
7 Virtual Machines | 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Audit VMs that do not use managed disks | 1.0.0 |
7 Virtual Machines | 7.4 | Ensure that Only Approved Extensions Are Installed | Only approved VM extensions should be installed | 1.0.0 |
CIS Microsoft Azure Foundations Benchmark 2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
2.1 | 2.1.13 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | Machines should be configured to periodically check for missing system updates | 3.7.0 |
6 | 6.1 | Ensure that RDP access from the Internet is evaluated and restricted | Management ports should be closed on your virtual machines | 3.0.0 |
6 | 6.2 | Ensure that SSH access from the Internet is evaluated and restricted | Management ports should be closed on your virtual machines | 3.0.0 |
7 | 7.2 | Ensure Virtual Machines are utilizing Managed Disks | Audit VMs that do not use managed disks | 1.0.0 |
7 | 7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0 |
7 | 7.5 | Ensure that Only Approved Extensions Are Installed | Only approved VM extensions should be installed | 1.0.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Guest Configuration extension should be installed on your machines | 1.0.3 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 3.0.0 |
Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 3.1.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 3.1.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Recovery | RE.2.137 | Regularly perform and test data back-ups. | Audit virtual machines without disaster recovery configured | 1.0.0 |
Recovery | RE.2.137 | Regularly perform and test data back-ups. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
Recovery | RE.3.139 | Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. | Audit virtual machines without disaster recovery configured | 1.0.0 |
Recovery | RE.3.139 | Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
System and Communications Protection | SC.1.176 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | SC.1.176 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | SC.2.179 | Use encrypted sessions for the management of network devices. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
System and Information Integrity | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
System and Information Integrity | SI.1.212 | Update malicious code protection mechanisms when new releases are available. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Deploy default Microsoft IaaSAntimalware extension for Windows Server | 1.1.0 |
02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'Security Options - Audit' | 3.0.0 |
06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 3.0.0 |
06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
07 Vulnerability Management | 0711.10m2Organizational.23-10.m | 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
07 Vulnerability Management | 0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
07 Vulnerability Management | 0718.10m3Organizational.34-10.m | 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
08 Network Protection | 0805.01m1Organizational.12-01.m | 0805.01m1Organizational.12-01.m 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0806.01m2Organizational.12356-01.m | 0806.01m2Organizational.12356-01.m 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0814.01n1Organizational.12-01.n | 0814.01n1Organizational.12-01.n 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
08 Network Protection | 0836.09.n2Organizational.1-09.n | 0836.09.n2Organizational.1-09.n 09.06 Network Security Management | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Windows Firewall Properties' | 3.0.0 |
08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
08 Network Protection | 0885.09n2Organizational.3-09.n | 0885.09n2Organizational.3-09.n 09.06 Network Security Management | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
08 Network Protection | 0887.09n2Organizational.5-09.n | 0887.09n2Organizational.5-09.n 09.06 Network Security Management | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Back-up | 1699.09l1Organizational.10 - 09.l | Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Audit Windows machines that do not contain the specified certificates in Trusted Root | 3.0.0 |
11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
11 Access Control | 1119.01j2Organizational.3-01.j | 1119.01j2Organizational.3-01.j 01.04 Network Access Control | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
11 Access Control | 1127.01q2System.3-01.q | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Management ports should be closed on your virtual machines | 3.0.0 |
11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Windows machines should meet requirements for 'Security Options - Accounts' | 3.0.0 |
11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Management ports should be closed on your virtual machines | 3.0.0 |
11 Access Control | 1175.01j1Organizational.8-01.j | 1175.01j1Organizational.8-01.j 01.04 Network Access Control | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
11 Access Control | 1192.01l1Organizational.1-01.l | 1192.01l1Organizational.1-01.l 01.04 Network Access Control | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
11 Access Control | 1193.01l2Organizational.13-01.l | 1193.01l2Organizational.13-01.l 01.04 Network Access Control | Management ports should be closed on your virtual machines | 3.0.0 |
12 Audit Logging & Monitoring | 12100.09ab2System.15-09.ab | 12100.09ab2System.15-09.ab 09.10 Monitoring | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
12 Audit Logging & Monitoring | 1215.09ab2System.7-09.ab | 1215.09ab2System.7-09.ab 09.10 Monitoring | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
16 Business Continuity & Disaster Recovery | 1625.09l3Organizational.34-09.l | 1625.09l3Organizational.34-09.l 09.05 Information Back-Up | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Audit virtual machines without disaster recovery configured | 1.0.0 |
16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Windows machines should meet requirements for 'Security Options - Recovery console' | 3.0.0 |
16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Audit virtual machines without disaster recovery configured | 1.0.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
Microsoft Cloud for Sovereignty Baseline Confidential Policies
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
SO.3 - Customer-Managed Keys | SO.3 | Azure products must be configured to use Customer-Managed Keys when possible. | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0 |
SO.4 - Azure Confidential Computing | SO.4 | Azure products must be configured to use Azure Confidential Computing SKUs when possible. | Allowed virtual machine size SKUs | 1.0.1 |
Microsoft Cloud for Sovereignty Baseline Global Policies
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Global Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
SO.5 - Trusted Launch | SO.5 | VMs should be configured with Trusted Launch SKUs and Trusted Launch enabled when possible. | Disks and OS image should support TrustedLaunch | 1.0.0 |
SO.5 - Trusted Launch | SO.5 | VMs should be configured with Trusted Launch SKUs and Trusted Launch enabled when possible. | Virtual Machine should have TrustedLaunch enabled | 1.0.0 |
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Network Security | NS-1 | Establish network segmentation boundaries | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Network Security | NS-1 | Establish network segmentation boundaries | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Network Security | NS-1 | Establish network segmentation boundaries | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Network Security | NS-3 | Deploy firewall at the edge of enterprise network | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
Network Security | NS-3 | Deploy firewall at the edge of enterprise network | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Network Security | NS-3 | Deploy firewall at the edge of enterprise network | Management ports should be closed on your virtual machines | 3.0.0 |
Identity Management | IM-3 | Manage application identities securely and automatically | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Identity Management | IM-6 | Use strong authentication controls | Authentication to Linux machines should require SSH keys | 3.2.0 |
Identity Management | IM-8 | Restrict the exposure of credential and secrets | Machines should have secret findings resolved | 1.0.2 |
Privileged Access | PA-2 | Avoid standing access for accounts and permissions | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Data Protection | DP-3 | Encrypt sensitive data in transit | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Data Protection | DP-4 | Enable data at rest encryption by default | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | 1.2.1 |
Data Protection | DP-4 | Enable data at rest encryption by default | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0 |
Data Protection | DP-4 | Enable data at rest encryption by default | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | 1.1.1 |
Asset Management | AM-2 | Use only approved services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Logging and Threat Detection | LT-4 | Enable network logging for security investigation | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
Logging and Threat Detection | LT-4 | Enable network logging for security investigation | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 6.0.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 5.1.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 4.0.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 3.1.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Linux virtual machines should use only signed and trusted boot components | 1.0.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 4.0.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Guest Configuration extension should be installed on your machines | 1.0.3 |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Posture and Vulnerability Management | PV-5 | Perform vulnerability assessments | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Posture and Vulnerability Management | PV-5 | Perform vulnerability assessments | Machines should have secret findings resolved | 1.0.2 |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Machines should be configured to periodically check for missing system updates | 3.7.0 |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | System updates should be installed on your machines (powered by Update Center) | 1.0.1 |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Endpoint Security | ES-2 | Use modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Backup and Recovery | BR-1 | Ensure regular automated backups | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
Backup and Recovery | BR-2 | Protect backup and recovery data | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that have accounts without passwords | 3.1.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Authentication to Linux machines should require SSH keys | 3.2.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Disk access resources should use private link | 1.0.0 |
Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Access Control | 3.1.12 | Monitor and control remote access sessions. | Disk access resources should use private link | 1.0.0 |
Access Control | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Disk access resources should use private link | 1.0.0 |
Access Control | 3.1.14 | Route remote access via managed access control points. | Disk access resources should use private link | 1.0.0 |
Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Disk access resources should use private link | 1.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Management ports should be closed on your virtual machines | 3.0.0 |
Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Disk access resources should use private link | 1.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Management ports should be closed on your virtual machines | 3.0.0 |
System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0 |
System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | OS and data disks should be encrypted with a customer-managed key | 3.0.0 |
System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Disk access resources should use private link | 1.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Management ports should be closed on your virtual machines | 3.0.0 |
System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Disk access resources should use private link | 1.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Management ports should be closed on your virtual machines | 3.0.0 |
System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Management ports should be closed on your virtual machines | 3.0.0 |
System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Guest Configuration extension should be installed on your machines | 1.0.3 |
System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Guest Configuration extension should be installed on your machines | 1.0.3 |
System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Guest Configuration extension should be installed on your machines | 1.0.3 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Guest Configuration extension should be installed on your machines | 1.0.3 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Virtual machines should be connected to a specified workspace | 1.1.0 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Authentication to Linux machines should require SSH keys | 3.2.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Media Protection | 3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
NIST SP 800-53 Rev. 4
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
NL BIO Cloud Theme
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
C.04.8 Technical vulnerability management - Evaluated | C.04.8 | The evaluation reports contain suggestions for improvement and are communicated with managers/owners. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
C.04.8 Technical vulnerability management - Evaluated | C.04.8 | The evaluation reports contain suggestions for improvement and are communicated with managers/owners. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
U.03.1 Business Continuity Services - Redundancy | U.03.1 | The agreed continuity is guaranteed by sufficiently logical or physically multiple system functions. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.03.1 Business Continuity Services - Redundancy | U.03.1 | The agreed continuity is guaranteed by sufficiently logical or physically multiple system functions. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
U.03.2 Business Continuity Services - Continuity requirements | U.03.2 | The continuity requirements for cloud services agreed with the CSC are ensured by the system architecture. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.03.2 Business Continuity Services - Continuity requirements | U.03.2 | The continuity requirements for cloud services agreed with the CSC are ensured by the system architecture. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
U.04.1 Data and Cloud Service Recovery - Restore function | U.04.1 | The data and cloud services are restored within the agreed period and maximum data loss and made available to the CSC. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.04.2 Data and Cloud Service Recovery - Restore function | U.04.2 | The continuous process of recoverable protection of data is monitored. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.04.3 Data and Cloud Service Recovery - Tested | U.04.3 | The functioning of recovery functions is periodically tested and the results are shared with the CSC. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 6.0.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 5.1.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 4.0.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 3.1.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 4.0.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0 |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | OS and data disks should be encrypted with a customer-managed key | 3.0.0 |
U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Disk access resources should use private link | 1.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Management ports should be closed on your virtual machines | 3.0.0 |
U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that have accounts without passwords | 3.1.0 |
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit VMs that do not use managed disks | 1.0.0 |
U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that have accounts without passwords | 3.1.0 |
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit VMs that do not use managed disks | 1.0.0 |
U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that have accounts without passwords | 3.1.0 |
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit VMs that do not use managed disks | 1.0.0 |
U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 6.0.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 5.1.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 4.0.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 3.1.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 4.0.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0 |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | OS and data disks should be encrypted with a customer-managed key | 3.0.0 |
U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0 |
U.12.1 Interfaces - Network connections | U.12.1 | In connection points with external or untrusted zones, measures are taken against attacks. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
U.12.1 Interfaces - Network connections | U.12.1 | In connection points with external or untrusted zones, measures are taken against attacks. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
U.12.2 Interfaces - Network connections | U.12.2 | Network components are such that network connections between trusted and untrusted networks are limited. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
U.12.2 Interfaces - Network connections | U.12.2 | Network components are such that network connections between trusted and untrusted networks are limited. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Dependency agent should be enabled for listed virtual machine images | 2.0.0 |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.0 |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Guest Configuration extension should be installed on your machines | 1.0.3 |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
U.15.3 Logging and monitoring - Events logged | U.15.3 | CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
U.15.3 Logging and monitoring - Events logged | U.15.3 | CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. | Dependency agent should be enabled for listed virtual machine images | 2.0.0 |
U.15.3 Logging and monitoring - Events logged | U.15.3 | CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.0 |
U.15.3 Logging and monitoring - Events logged | U.15.3 | CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
U.17.1 Multi-tenant architecture - Encrypted | U.17.1 | CSC data on transport and at rest is encrypted. | Audit virtual machines without disaster recovery configured | 1.0.0 |
U.17.1 Multi-tenant architecture - Encrypted | U.17.1 | CSC data on transport and at rest is encrypted. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
PCI DSS v4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Requirement 01: Install and Maintain Network Security Controls | 1.3.2 | Network access to and from the cardholder data environment is restricted | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.3 | Audit logs are protected from destruction and unauthorized modifications | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.3 | Security vulnerabilities are identified and addressed | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.3 | Security vulnerabilities are identified and addressed | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.1 | Public-facing web applications are protected against attacks | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.1 | Public-facing web applications are protected against attacks | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.
Spain ENS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for Spain ENS. For more information about this compliance standard, see CCN-STIC 884.
SWIFT CSP-CSCF v2021
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.
SWIFT CSP-CSCF v2022
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.3 | Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems. | Audit VMs that do not use managed disks | 1.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Authentication to Linux machines should require SSH keys | 3.2.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Audit Windows VMs with a pending reboot | 2.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Authentication to Linux machines should require SSH keys | 3.2.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Windows machines should be configured to use secure communication protocols | 4.1.1 |
2. Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Audit virtual machines without disaster recovery configured | 1.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Audit VMs that do not use managed disks | 1.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should be configured to use secure communication protocols | 4.1.1 |
2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should meet requirements for 'Security Options - Interactive Logon' | 3.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Vulnerabilities in security configuration on your machines should be remediated | 3.1.0 |
3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Audit VMs that do not use managed disks | 1.0.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that have accounts without passwords | 3.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.1.0 |
4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0 |
5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
5. Manage Identities and Segregate Privileges | 5.2 | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.1.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.1.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Audit virtual machines without disaster recovery configured | 1.0.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
System and Organization Controls (SOC) 2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
Risk Assessment | CC3.2 | COSO Principle 7 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authentication to Linux machines should require SSH keys | 3.2.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Management ports should be closed on your virtual machines | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Authentication to Linux machines should require SSH keys | 3.2.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Management ports should be closed on your virtual machines | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Management ports should be closed on your virtual machines | 3.0.0 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Windows machines should be configured to use secure communication protocols | 4.1.1 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 6.0.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 5.1.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 4.0.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 3.1.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 4.0.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Audit VMs that do not use managed disks | 1.0.0 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Guest Configuration extension should be installed on your machines | 1.0.3 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Only approved VM extensions should be installed | 1.0.0 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
System Operations | CC7.2 | Monitor system components for anomalous behavior | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 6.0.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 5.1.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 4.0.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 3.1.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 4.0.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Audit VMs that do not use managed disks | 1.0.0 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Guest Configuration extension should be installed on your machines | 1.0.3 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Only approved VM extensions should be installed | 1.0.0 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
Change Management | CC8.1 | Changes to infrastructure, data, and software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.