Security Control V2: Asset Management
Note
The most up-to-date Azure Security Benchmark is available here.
Asset Management covers controls to ensure security visibility and governance over Azure resources. This includes recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).
To see the applicable built-in Azure Policy, see Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Network Security
AM-1: Ensure security team has visibility into risks for assets
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-1 | 1.1, 1.2 | CM-8, PM-5 |
Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
AM-2: Ensure security team has access to asset inventory and metadata
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-2 | 1.1, 1.2, 1.4, 1.5, 9.1, 12.1 | CM-8, PM-5 |
Ensure that security teams have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuously security improvements.
The Azure Security Center inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources.
Logically organize assets according to your organization's taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
Responsibility: Customer
Customer Security Stakeholders (Learn more):
AM-3: Use only approved Azure services
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-3 | 2.3, 2.4 | CM-7, CM-8 |
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
AM-4: Ensure security of asset lifecycle management
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-4 | 2.3, 2.4, 2.5 | CM-7, CM-8, CM-10, CM-11 |
Establish or update security policies that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to: identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.
Remove Azure resources when they are no longer needed.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
AM-5: Limit users' ability to interact with Azure Resource Manager
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-5 | 2.9 | AC-3 |
Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
AM-6: Use only approved applications in compute resources
Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
---|---|---|
AM-6 | 2.6, 2.7 | AC-3, CM-7, CM-8, CM-10, CM-11 |
Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Security Center's adaptive application controls to discover and generate an application allow list. You can also use the adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
How to use Azure Security Center adaptive application controls
How to control PowerShell script execution in Windows environments
Responsibility: Customer
Customer Security Stakeholders (Learn more):