Streamlining Your Azure Security Posture with the Microsoft Azure CIS Checker Script
As an Azure administrator, ensuring your Azure environment complies with industry standards is paramount. Regular checks and reviews against benchmarks like the CIS (Center for Internet Security) standards are essential to maintain a secure and compliant infrastructure. However, performing these checks manually can be time-consuming and prone to human error. To address this challenge, I’ve developed the Microsoft Azure CIS Checker script. This script automates the compliance verification process, saving time and increasing accuracy.
Why I Created the Microsoft Azure CIS Checker Script
The primary motivation behind developing this script was to streamline the process of performing regular checks and reviews of Azure environments based on CIS benchmarks. As an Azure administrator, I often found myself spending a significant amount of time manually verifying compliance with these controls. The repetitive nature of this task not only consumed valuable time but also introduced the risk of missing critical compliance issues.
With the Microsoft Azure CIS Checker script, I aim to:
- Automate Compliance Checks: The script automatically evaluates Azure subscriptions against selected CIS controls, providing a quick and reliable method to verify compliance.
- Save Time: By automating the compliance checks, the script significantly reduces the time required to perform these reviews.
- Increase Accuracy: The script ensures a consistent and thorough evaluation of each control, reducing the likelihood of human error.
- Generate Comprehensive Reports: The script exports the compliance results to an Excel file, offering a clear and organized view of the compliance status across multiple subscriptions.
Features of the Microsoft Azure CIS Checker Script
- Module Import Prompt: The script prompts the user to import the required modules, ensuring that all necessary dependencies are available.
- Azure and Microsoft Graph Connectivity: The script connects to both Azure and Microsoft Graph to gather the necessary data for compliance checks.
- Silenced Warnings: Azure warnings are suppressed to provide a clean output, focusing only on the compliance status.
- Subscription Highlighting: Changes in subscription during the compliance checks are highlighted to stand out, making it easier to track progress.
- Export to Excel: The compliance results are exported to an Excel file with improved formatting, making it easier to review and share the findings.
Controls Checked by the Script
The Microsoft Azure CIS Checker script evaluates the following controls:
- Identity and Access Management
  - Ensure Multi-Factor Auth Status is Enabled for all Non-Privileged Users
  - Ensure ‘Allow users to remember multi-factor authentication on devices they trust’ is Disabled
  - Ensure Trusted Locations Are Defined
- Microsoft Defender for Cloud
  - Ensure Microsoft Defender for Servers is set to ‘On’
  - Ensure Microsoft Defender for App Services is set to ‘On’
- Storage Accounts
  - Ensure ‘Secure transfer required’ is set to ‘Enabled’ for Storage Accounts
  - Ensure ‘Enable Infrastructure Encryption’ for each Storage Account is set to ‘Enabled’
- Database Services
  - Ensure ‘Auditing’ is set to ‘On’ for SQL Servers
  - Ensure SQL server’s Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Logging and Monitoring
  - Ensure a ‘Diagnostic Setting’ exists for Subscription Activity Logs
  - Ensure Network Security Group Flow logs are captured and sent to Log Analytics
- Networking
  - Ensure RDP access from the Internet is evaluated and restricted
  - Ensure SSH access from the Internet is evaluated and restricted
- Virtual Machines
  - Ensure an Azure Bastion Host Exists
  - Ensure Virtual Machines are utilizing Managed Disks
- Key Vault
  - Ensure the Expiration Date is set for all Keys and Secrets in RBAC Key Vaults
  - Ensure Private Endpoints are used for Azure Key Vault
- App Service
  - Ensure App Service Authentication is set up for apps in Azure App Service
  - Ensure Web App redirects all HTTP traffic to HTTPS in Azure App Service
Understanding Compliance Status
- Green: Indicates that the control is compliant and meets the CIS benchmark requirements.
- Red: Indicates that the control is not compliant and requires attention to meet the CIS benchmark requirements.
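To show how the features above (subscription iteration, silenced warnings, subscription highlighting, Green/Red status and Excel export) come together for one control group, here is an added example that implements the two Storage Account controls from the list. It is not the author's script; it assumes the Az.Accounts, Az.Storage and ImportExcel modules are installed and that Connect-AzAccount has already been run.

```powershell
# Added example, not the author's AzureCISComplianceChecker.ps1. Assumes Az.Accounts,
# Az.Storage and the ImportExcel module are installed and Connect-AzAccount has run.

# Evaluate the two Storage Account controls for one subscription and emit one row
# per account and control, using the Green/Red status described in the post.
function Test-CisStorageControls {
    param([Parameter(Mandatory)] [string] $SubscriptionId)

    # -WarningAction SilentlyContinue keeps Az breaking-change warnings out of the output.
    Set-AzContext -SubscriptionId $SubscriptionId -WarningAction SilentlyContinue | Out-Null

    foreach ($sa in Get-AzStorageAccount -WarningAction SilentlyContinue) {
        # Property names are those of the PSStorageAccount object returned by Az.Storage.
        # RequireInfrastructureEncryption is null on accounts created without it, so the
        # comparison with $true deliberately treats "unset" as non-compliant.
        $checks = @(
            @{ Control = "Ensure 'Secure transfer required' is set to 'Enabled'"
               Pass    = ($sa.EnableHttpsTrafficOnly -eq $true) }
            @{ Control = "Ensure 'Enable Infrastructure Encryption' is set to 'Enabled'"
               Pass    = ($sa.Encryption.RequireInfrastructureEncryption -eq $true) }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{
                Subscription = $SubscriptionId
                Control      = $c.Control
                Resource     = $sa.StorageAccountName
                Status       = $(if ($c.Pass) { 'Green' } else { 'Red' })
            }
        }
    }
}

# Walk every enabled subscription, highlighting each change of subscription on the
# console, and collect all result rows.
$results = foreach ($sub in Get-AzSubscription -WarningAction SilentlyContinue |
                    Where-Object State -eq 'Enabled') {
    Write-Host "==> Subscription: $($sub.Name) ($($sub.Id))" -ForegroundColor Cyan
    Test-CisStorageControls -SubscriptionId $sub.Id
}

# Export to Excel (ImportExcel module), colouring non-compliant rows so they stand out.
$report = Join-Path $PWD 'AzureCisReport.xlsx'
$results | Export-Excel -Path $report -WorksheetName 'Storage' -AutoSize -FreezeTopRow `
    -ConditionalText (New-ConditionalText -Text 'Red' -BackgroundColor Red -ConditionalTextColor White)
Write-Host "Report written to $report"
```

Adding further controls from the list follows the same pattern: one function per resource type that returns rows with Subscription, Control, Resource and Status, so every check lands in the same worksheet.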
Future Updates
In the next version of the script, I plan to add more checks to enhance its capabilities. This will further streamline the compliance verification process and ensure a more comprehensive evaluation of your Azure environment.
How to Use the Script
- Ensure you have the necessary permissions and modules installed.
- Clone the repository and navigate to the script directory.
- Run the script in PowerShell:
.\AzureCISComplianceChecker.ps1
- Follow the prompts to import required modules and connect to your Azure account.
For detailed instructions and to download the script, visit the Microsoft Azure CIS Checker GitHub repository.
Contact for Collaboration
If you’re interested in collaborating on this project or have suggestions for improvements, please reach out to me at Shaun@Thatlazyadmin.com. I welcome contributions from the community to make this script even more robust and comprehensive. Let’s work together to enhance Azure security compliance and streamline the review process!
Stay compliant and secure with the Microsoft Azure CIS Checker!