Azure Security Checks
207+ Azure Security Checks
Complete list of Azure security checks across 18+ services, based on the CIS Azure Foundations Benchmark v2.1, PCI-DSS v4.0, ISO 27001:2022, SOC 2, and 13+ compliance frameworks in total.
At a glance: 207+ security checks, 18+ Azure services, 13+ compliance frameworks, CIS Benchmark v2.1.
Security Checks by Azure Service
Comprehensive security checks organized by Azure service. Each check carries a severity rating and, where one applies, the CIS Azure Foundations Benchmark control it maps to.
Azure Storage Accounts
- Ensure storage account secure transfer is enabled [CIS 3.1, high]
- Ensure storage account has infrastructure encryption enabled [medium]
- Ensure storage account uses customer-managed keys [CIS 3.2, medium]
- Ensure storage account public access is disabled [CIS 3.7, critical]
- Ensure storage account minimum TLS version is 1.2 [CIS 3.12, high]
- Ensure storage account has private endpoints enabled [medium]
- Ensure storage account network rules are restrictive [CIS 3.8, high]
- Ensure storage account has blob soft delete enabled [CIS 3.11, medium]
- Ensure storage account has container soft delete enabled [medium]
- Ensure storage account has versioning enabled [medium]
- Ensure storage account shared key access is disabled [medium]
- Ensure storage account logging is enabled [CIS 3.3, medium]
- Ensure storage account queue logging is enabled [CIS 3.4, low]
- Ensure storage account uses immutable storage [medium]
- Ensure storage account has cross-tenant replication disabled [medium]
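Most of the storage checks above reduce to asserting a single property of the storage account resource. The following is an added example (not the vendor's scanner code) that evaluates eight of them against the ARM resource JSON. Property names are those of the Microsoft.Storage/storageAccounts schema as returned by the ARM REST API or an Azure Resource Graph query such as `Resources | where type =~ 'microsoft.storage/storageaccounts' | project name, properties`; note that `az storage account show` flattens the same data and renames `networkAcls` to `networkRuleSet`, which the lookup handles. The sample account, the check table and the `Finding` type are constructed for this example.

```python
"""Evaluate an Azure storage account's ARM properties against the storage
checks listed above. Added example, not the vendor's scanner. Property names
follow the Microsoft.Storage/storageAccounts resource JSON (ARM REST / Resource
Graph); `az storage account show` output is accepted too (networkRuleSet)."""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    cis: Optional[str]      # CIS Azure Foundations control, or None if unmapped
    passed: bool
    evidence: str


def _lookup(props: dict, paths: tuple) -> Any:
    """Return the first value found among the dotted candidate paths, else None."""
    for path in paths:
        cur: Any = props
        for key in path.split("."):
            if not isinstance(cur, dict) or key not in cur:
                cur = None
                break
            cur = cur[key]
        if cur is not None:
            return cur
    return None


# (check, severity, CIS id, candidate property paths, predicate on the value)
STORAGE_CHECKS: list = [
    ("secure transfer is enabled", "high", "3.1",
     ("supportsHttpsTrafficOnly",), lambda v: v is True),
    ("infrastructure encryption is enabled", "medium", None,
     ("encryption.requireInfrastructureEncryption",), lambda v: v is True),
    ("customer-managed keys are used", "medium", "3.2",
     ("encryption.keySource",), lambda v: v == "Microsoft.Keyvault"),
    ("public blob access is disabled", "critical", "3.7",
     ("allowBlobPublicAccess",), lambda v: v is False),
    ("minimum TLS version is 1.2", "high", "3.12",
     ("minimumTlsVersion",), lambda v: v in ("TLS1_2", "TLS1_3")),
    ("network rules are restrictive", "high", "3.8",
     ("networkAcls.defaultAction", "networkRuleSet.defaultAction"),
     lambda v: v == "Deny"),
    ("shared key access is disabled", "medium", None,
     ("allowSharedKeyAccess",), lambda v: v is False),
    ("cross-tenant replication is disabled", "medium", None,
     ("allowCrossTenantReplication",), lambda v: v is False),
]


def evaluate_storage_account(resource: dict) -> list:
    """Return one Finding per check. An absent property is treated as a
    failure: the service-side default for several of these (shared key
    access, cross-tenant replication, keySource) is the permissive value."""
    props = resource.get("properties", resource)
    findings = []
    for check, severity, cis, paths, ok in STORAGE_CHECKS:
        value = _lookup(props, paths)
        passed = value is not None and ok(value)
        evidence = f"{paths[0]} = {value!r}" if value is not None else f"{paths[0]} not set"
        findings.append(Finding(check, severity, cis, passed, evidence))
    return findings


def failing(findings: list) -> list:
    """Only the findings that need remediation, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted((f for f in findings if not f.passed), key=lambda f: order[f.severity])


# Constructed sample shaped like a Resource Graph row; not a real account.
SAMPLE_ACCOUNT = {
    "name": "stexample001",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True,
        "allowSharedKeyAccess": True,
        "allowCrossTenantReplication": False,
        "encryption": {"keySource": "Microsoft.Storage",
                       "requireInfrastructureEncryption": False},
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
    },
}

if __name__ == "__main__":
    for f in failing(evaluate_storage_account(SAMPLE_ACCOUNT)):
        tag = f"CIS {f.cis}" if f.cis else "unmapped"
        print(f"FAIL [{f.severity}] ({tag}) {f.check}: {f.evidence}")
```

Treating a missing property as a failure is deliberate: older accounts that predate a setting often return nothing for it and run with the permissive default, so "not set" is exactly the case a scanner must surface rather than skip.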
Azure Virtual Network
- Ensure NSG flow logs are enabled [CIS 6.4, medium]
- Ensure NSG does not allow SSH from internet [CIS 6.1, high]
- Ensure NSG does not allow RDP from internet [CIS 6.2, high]
- Ensure NSG does not allow unrestricted access to high-risk ports [high]
- Ensure Network Watcher is enabled [CIS 6.5, medium]
- Ensure virtual networks use DDoS Protection [medium]
- Ensure VNet has a gateway subnet for VPN [low]
- Ensure Azure Firewall is deployed for egress filtering [medium]
- Ensure Azure Firewall has threat intelligence enabled [medium]
- Ensure Application Gateway has WAF enabled [high]
- Ensure Application Gateway WAF is in Prevention mode [high]
- Ensure private DNS zones are used [low]
- Ensure VNet peering is properly configured [medium]
- Ensure ExpressRoute has redundant connections [medium]
- Ensure VPN Gateway uses strong encryption [high]
- Ensure Load Balancer diagnostic logs are enabled [low]
- Ensure Front Door has WAF policy configured [high]
- Ensure Traffic Manager has monitoring configured [medium]
- Ensure Bastion is used for VM access [medium]
- Ensure NAT Gateway is used for outbound connections [low]
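The three NSG exposure checks above (SSH, RDP, and other high-risk ports) cannot be answered by looking at a single rule: an NSG evaluates inbound rules in ascending priority order and the first match decides, so a Deny at priority 120 shields a port that a broader Allow at 130 would otherwise open. The following added example (not the vendor's scanner code) implements that evaluation over a rule set in the Microsoft.Network/networkSecurityGroups ARM shape. The port list, the sample NSG and the `_rule` builder are constructed for this example; it deliberately generalizes the page's SSH and RDP checks to a configurable port table.

```python
"""Find NSG inbound rules that expose SSH, RDP or other high-risk ports to the
internet. Added example, not the vendor's scanner. Rule fields follow the
Microsoft.Network/networkSecurityGroups ARM schema (securityRules[].properties);
the sample NSG below is constructed."""
from typing import Dict, List, Tuple

# Source prefixes Azure treats as "anywhere"; 'Internet' is the service tag.
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0", "0.0.0.0", "::/0"}

# Ports the checks above treat as high-risk (SSH/RDP plus common admin/DB ports).
HIGH_RISK_PORTS: Dict[int, str] = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 5432: "PostgreSQL", 5985: "WinRM", 5986: "WinRM-HTTPS",
    6379: "Redis", 27017: "MongoDB",
}


def _rule_sources(p: dict) -> List[str]:
    """All source prefixes, whether given in the singular or plural field."""
    vals = [p.get("sourceAddressPrefix")] + list(p.get("sourceAddressPrefixes") or [])
    return [str(v).lower() for v in vals if v]


def _rule_ports(p: dict) -> List[Tuple[int, int]]:
    """Destination port ranges as (low, high); '*' becomes (0, 65535)."""
    raw = [p.get("destinationPortRange")] + list(p.get("destinationPortRanges") or [])
    ranges = []
    for r in raw:
        if not r:
            continue
        r = str(r)
        if r == "*":
            ranges.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(r), int(r)))
    return ranges


def _covers(p: dict, port: int) -> bool:
    """True if the rule matches TCP traffic to `port` from the whole internet."""
    if str(p.get("direction", "")).lower() != "inbound":
        return False
    if str(p.get("protocol", "*")).lower() not in ("tcp", "*"):
        return False
    if not any(s in INTERNET_SOURCES for s in _rule_sources(p)):
        return False   # scoped to specific CIDRs: neither exposes nor shields
    return any(lo <= port <= hi for lo, hi in _rule_ports(p))


def exposed_ports(nsg: dict) -> Dict[int, str]:
    """Map each high-risk port reachable from the internet to the name of the
    Allow rule that opens it. Rules are walked in ascending priority, as the
    NSG engine does: the first internet-wide match for a port decides. With
    no match the built-in DenyAllInBound rule (priority 65500) applies."""
    rules = sorted(nsg.get("properties", nsg).get("securityRules", []),
                   key=lambda r: r["properties"]["priority"])
    exposed: Dict[int, str] = {}
    for port in HIGH_RISK_PORTS:
        for rule in rules:
            p = rule["properties"]
            if _covers(p, port):
                if str(p["access"]).lower() == "allow":
                    exposed[port] = rule["name"]
                break   # first matching rule wins, whether Allow or Deny
    return exposed


def _rule(name, priority, access, direction, protocol, src, ports):
    """Build one ARM-shaped security rule for the constructed sample."""
    props = {"priority": priority, "access": access, "direction": direction,
             "protocol": protocol, "sourceAddressPrefix": src,
             "sourcePortRange": "*", "destinationAddressPrefix": "*"}
    if isinstance(ports, list):
        props["destinationPortRanges"] = ports
    else:
        props["destinationPortRange"] = ports
    return {"name": name, "properties": props}


SAMPLE_NSG = {  # constructed, not a real resource
    "name": "nsg-web-prod",
    "properties": {"securityRules": [
        _rule("allow-ssh-corp", 100, "Allow", "Inbound", "Tcp", "10.0.0.0/8", "22"),
        _rule("allow-rdp-any", 110, "Allow", "Inbound", "Tcp", "*", ["3389", "5985-5986"]),
        _rule("deny-ssh-internet", 120, "Deny", "Inbound", "Tcp", "Internet", "22"),
        _rule("allow-all-inbound", 130, "Allow", "Inbound", "*", "Internet", "*"),
        _rule("allow-all-outbound", 100, "Allow", "Outbound", "*", "*", "*"),
    ]},
}

if __name__ == "__main__":
    for port, rule in sorted(exposed_ports(SAMPLE_NSG).items()):
        print(f"{HIGH_RISK_PORTS[port]} ({port}) open to the internet by rule '{rule}'")
```

Two simplifications to keep in mind when adapting this: a rule that allows a large public CIDR (say a whole /8) is not flagged, because only internet-wide sources are considered, and service tags other than Internet and application security groups are not expanded. Both NIC-level and subnet-level NSGs apply to a VM, so run the check against every NSG on the path, not just one.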
Azure Virtual Machines
- Ensure VM disk encryption is enabled [CIS 7.2, high]
- Ensure VMs do not have public IP addresses [medium]
- Ensure VMs have approved extensions only [CIS 7.4, medium]
- Ensure VM boot diagnostics are enabled [low]
- Ensure VMs use managed disks [CIS 7.1, medium]
- Ensure VMs have automatic OS updates enabled [medium]
- Ensure VMs have endpoint protection installed [CIS 7.6, high]
- Ensure VM scale sets have automatic instance repairs [low]
- Ensure VMs use managed identities [high]
- Ensure VMs are properly tagged [low]
- Ensure VMs have JIT access enabled [CIS 7.5, medium]
- Ensure VMs use confidential computing where required [medium]
- Ensure VM backup is enabled [high]
- Ensure VM availability sets or zones are used [medium]
- Ensure VMs have Azure Monitor agent installed [medium]
- Ensure VM images are from trusted sources [medium]
- Ensure VMs have network isolation configured [medium]
- Ensure VM guest configuration is enabled [low]
- Ensure VMs have disaster recovery configured [medium]
- Ensure VM serial console access is logged [low]
Azure Active Directory (now Microsoft Entra ID)
- Ensure MFA is enabled for all users [CIS 1.1, critical]
- Ensure MFA is enabled for privileged accounts [CIS 1.2, critical]
- Ensure guest user access is restricted [CIS 1.13, medium]
- Ensure self-service password reset is enabled [CIS 1.5, medium]
- Ensure password hash sync is enabled for hybrid identity [CIS 1.7, medium]
- Ensure Privileged Identity Management is used [high]
- Ensure Conditional Access policies block legacy authentication [CIS 1.4, high]
- Ensure Conditional Access policies require compliant devices [medium]
- Ensure security defaults are enabled if no Conditional Access policies exist [CIS 1.22, high]
- Ensure access reviews are configured for privileged roles [medium]
- Ensure service principals use certificates instead of secrets [medium]
- Ensure sign-in risk policy is enabled [high]
- Ensure user risk policy is enabled [high]
- Ensure directory audit logs are retained [medium]
- Ensure emergency access accounts exist [high]
Azure SQL Database
- Ensure Azure SQL auditing is enabled [CIS 4.1.1, high]
- Ensure Azure SQL has Advanced Threat Protection enabled [CIS 4.2.1, high]
- Ensure Azure SQL TDE is enabled [CIS 4.1.2, high]
- Ensure Azure SQL uses customer-managed TDE key [CIS 4.5, medium]
- Ensure Azure SQL uses Azure AD authentication [CIS 4.4, high]
- Ensure Azure SQL firewall denies public access [CIS 4.1.3, high]
- Ensure Azure SQL has private endpoint enabled [medium]
- Ensure Azure SQL has vulnerability assessment enabled [CIS 4.2.2, medium]
- Ensure Azure SQL audit logs are retained for more than 90 days [CIS 4.1.6, medium]
- Ensure Azure SQL has geo-redundant backups enabled [medium]
- Ensure Azure SQL minimum TLS version is 1.2 [high]
- Ensure Azure SQL data masking is configured [medium]
Azure Key Vault
- Ensure Key Vault has soft delete enabled [CIS 8.4, high]
- Ensure Key Vault has purge protection enabled [CIS 8.5, high]
- Ensure Key Vault uses RBAC for access control [medium]
- Ensure Key Vault has private endpoint enabled [medium]
- Ensure Key Vault network access is restricted [CIS 8.6, high]
- Ensure Key Vault diagnostic logging is enabled [CIS 8.1, medium]
- Ensure Key Vault keys have expiration dates [CIS 8.2, medium]
- Ensure Key Vault secrets have expiration dates [CIS 8.3, medium]
- Ensure Key Vault certificates are renewed before expiration [high]
- Ensure Key Vault uses HSM-protected keys where required [medium]
- Ensure Key Vault access policies follow least privilege [high]
- Ensure Key Vault is properly tagged [low]
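The three expiry checks above (keys and secrets must have an expiration date, certificates must be renewed before they expire) share one piece of logic: read each object's `attributes`, normalize the expiry, and compare it to a clock and a renewal window. The following added example (not the vendor's scanner code) does this for the object shape returned by the Key Vault data plane, where the REST API reports `attributes.exp` as a Unix timestamp and `az keyvault secret list` reports `attributes.expires` as an ISO-8601 string. The object kind is taken from the third path segment of the object's `id` URL (`/secrets/`, `/keys/`, `/certificates/`). The sample inventory and the fixed clock are constructed.

```python
"""Flag Key Vault keys, secrets and certificates that have no expiry, have
already expired, or expire inside a renewal window. Added example, not the
vendor's scanner. Objects are in the Key Vault data-plane list shape:
attributes.exp (Unix time, REST) or attributes.expires (ISO-8601, az cli)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def _expiry(obj: dict) -> Optional[datetime]:
    """Expiry as an aware UTC datetime, or None if the object never expires."""
    attrs = obj.get("attributes", {})
    if attrs.get("exp") is not None:
        return datetime.fromtimestamp(int(attrs["exp"]), tz=timezone.utc)
    raw = attrs.get("expires")
    if raw:
        dt = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def _kind(object_id: str) -> str:
    """'secrets', 'keys' or 'certificates' from https://<vault>/<kind>/<name>[/<version>]."""
    parts = object_id.split("/")
    return parts[3] if len(parts) > 3 else "unknown"


def expiry_findings(objects: List[dict], now: datetime,
                    renew_within: timedelta = timedelta(days=30)) -> List[Tuple[str, str, str]]:
    """Return (kind, id, problem) for each enabled object that fails a check.
    Disabled objects are skipped: they cannot be retrieved, so they are not a
    live exposure, though stale disabled entries are still worth pruning."""
    out = []
    for obj in objects:
        if obj.get("attributes", {}).get("enabled") is False:
            continue
        oid = obj["id"]
        exp = _expiry(obj)
        if exp is None:
            out.append((_kind(oid), oid, "no expiration date set"))
        elif exp <= now:
            out.append((_kind(oid), oid, f"expired {(now - exp).days} days ago"))
        elif exp - now <= renew_within:
            out.append((_kind(oid), oid, f"expires in {(exp - now).days} days"))
    return out


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the sample
SAMPLE_OBJECTS = [  # constructed inventory, not a real vault
    {"id": "https://kv-example.vault.azure.net/secrets/db-password",
     "attributes": {"enabled": True}},                                     # no expiry
    {"id": "https://kv-example.vault.azure.net/secrets/api-token",
     "attributes": {"enabled": True, "exp": 1735689600}},                 # 2025-01-01, expired
    {"id": "https://kv-example.vault.azure.net/keys/tde-key",
     "attributes": {"enabled": True, "expires": "2025-02-01T00:00:00Z"}}, # inside 30-day window
    {"id": "https://kv-example.vault.azure.net/certificates/tls-web",
     "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00Z"}}, # healthy
    {"id": "https://kv-example.vault.azure.net/secrets/old-token",
     "attributes": {"enabled": False}},                                    # disabled, skipped
]

if __name__ == "__main__":
    for kind, oid, problem in expiry_findings(SAMPLE_OBJECTS, NOW):
        print(f"{kind:13} {oid}: {problem}")
```

Pass `datetime.now(timezone.utc)` as the clock in real use; the fixed `NOW` only makes the sample reproducible. For certificates, a window sized to the issuer's lead time is more useful than the 30-day default, which is why the window is a parameter rather than a constant.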
Azure Kubernetes Service (AKS)
- Ensure AKS cluster has Azure AD integration enabled [high]
- Ensure AKS cluster has Azure RBAC enabled [high]
- Ensure AKS cluster API server is not publicly accessible [high]
- Ensure AKS uses Azure Policy add-on [medium]
- Ensure AKS cluster has network policy enabled [medium]
- Ensure AKS cluster uses managed identities [high]
- Ensure AKS nodes use managed disks with encryption [medium]
- Ensure AKS uses latest Kubernetes version [high]
- Ensure AKS has Defender for Containers enabled [high]
- Ensure AKS uses Azure Container Registry with scanning [medium]
- Ensure AKS monitoring is enabled [medium]
- Ensure AKS cluster has Secrets Store CSI driver enabled [medium]
- Ensure AKS uses user node pools [low]
- Ensure AKS has audit logging enabled [medium]
- Ensure AKS has HTTP application routing disabled [medium]
Microsoft Defender for Cloud
- Ensure Microsoft Defender for Cloud is enabled [CIS 2.1, high]
- Ensure Defender for Servers is enabled [CIS 2.2, high]
- Ensure Defender for App Service is enabled [CIS 2.3, medium]
- Ensure Defender for Azure SQL is enabled [CIS 2.4, high]
- Ensure Defender for Storage is enabled [CIS 2.6, medium]
- Ensure Defender for Containers is enabled [CIS 2.7, high]
- Ensure Defender for Key Vault is enabled [CIS 2.8, medium]
- Ensure Defender for Resource Manager is enabled [medium]
- Ensure Defender for DNS is enabled [medium]
- Ensure security contact email is configured [CIS 2.14, medium]
- Ensure high severity alerts trigger email notifications [CIS 2.15, medium]
- Ensure auto-provisioning of the monitoring agent is enabled [CIS 2.11, medium] (the Log Analytics agent this control originally named was retired in August 2024; Azure Monitor Agent is its replacement)
- Ensure secure score is monitored [medium]
- Ensure regulatory compliance assessments are enabled [medium]
- Ensure Defender alerts are integrated with a SIEM [medium]
Azure App Service
- Ensure App Service uses HTTPS only [CIS 9.1, high]
- Ensure App Service uses latest TLS version [CIS 9.2, high]
- Ensure App Service has managed identity enabled [CIS 9.5, medium]
- Ensure App Service authentication is enabled [CIS 9.3, high]
- Ensure App Service uses latest runtime version [medium]
- Ensure App Service has diagnostic logging enabled [CIS 9.6, medium]
- Ensure App Service has client certificates enabled [medium]
- Ensure App Service has CORS restrictions configured [medium]
- Ensure App Service has remote debugging disabled [CIS 9.4, high]
- Ensure App Service uses virtual network integration [medium]
- Ensure App Service has backup configured [medium]
- Ensure App Service uses private endpoints [medium]
Azure Cosmos DB
- Ensure Cosmos DB has firewall rules configured [high]
- Ensure Cosmos DB uses encryption at rest [medium]
- Ensure Cosmos DB disables public network access [high]
- Ensure Cosmos DB has diagnostic logging enabled [medium]
- Ensure Cosmos DB uses Azure AD authentication [medium]
- Ensure Cosmos DB has automatic failover enabled [medium]
- Ensure Cosmos DB uses private endpoints [medium]
- Ensure Cosmos DB has backup retention configured [medium]
Azure Monitor
- Ensure activity log is retained for at least 90 days [CIS 5.1.1, medium]
- Ensure activity log alert exists for Create Policy Assignment [CIS 5.2.1, low]
- Ensure activity log alert exists for Create or Update Security Solution [CIS 5.2.2, low]
- Ensure activity log alert exists for Create or Update NSG [CIS 5.2.3, medium]
- Ensure activity log alert exists for Delete NSG [CIS 5.2.4, medium]
- Ensure activity log alert exists for Create or Update NSG Rule [CIS 5.2.5, medium]
- Ensure activity log alert exists for Delete NSG Rule [CIS 5.2.6, medium]
- Ensure activity log alert exists for Create or Update SQL Server Firewall Rule [CIS 5.2.7, medium]
- Ensure activity log alert exists for Delete SQL Server Firewall Rule [CIS 5.2.8, medium]
- Ensure Log Analytics workspace has appropriate retention [medium]
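The eight CIS 5.2.x checks above each ask the same question of a different Resource Manager operation: is there an activity log alert that is enabled, scoped to the whole subscription, wired to an action group, and conditioned on `category == Administrative` and that `operationName`? An alert that is disabled, scoped to one resource group, or has no action group satisfies none of them. The following added example (not the vendor's scanner code) runs that coverage check over alert rules in the Microsoft.Insights/activityLogAlerts ARM shape. The operation names are the ones the CIS controls specify; the subscription id, the `_alert` builder and the sample rules are constructed.

```python
"""Check that an enabled, subscription-scoped activity log alert with an
action group exists for each Administrative operation named by CIS 5.2.1-5.2.8.
Added example, not the vendor's scanner. Alert rules follow the
Microsoft.Insights/activityLogAlerts ARM schema; the sample rules are constructed."""
from typing import Dict, List

# CIS 5.2.1 - 5.2.8: the Resource Manager operation each alert must watch.
REQUIRED_OPERATIONS: Dict[str, str] = {
    "5.2.1": "Microsoft.Authorization/policyAssignments/write",
    "5.2.2": "Microsoft.Security/securitySolutions/write",
    "5.2.3": "Microsoft.Network/networkSecurityGroups/write",
    "5.2.4": "Microsoft.Network/networkSecurityGroups/delete",
    "5.2.5": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "5.2.6": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "5.2.7": "Microsoft.Sql/servers/firewallRules/write",
    "5.2.8": "Microsoft.Sql/servers/firewallRules/delete",
}


def _conditions(props: dict) -> Dict[str, str]:
    """Flatten condition.allOf into {field: equals}, lower-cased for comparison."""
    out = {}
    for c in props.get("condition", {}).get("allOf", []):
        if "field" in c and "equals" in c:
            out[str(c["field"]).lower()] = str(c["equals"]).lower()
    return out


def _covers(alert: dict, subscription_id: str, operation: str) -> bool:
    """True if this one alert satisfies the CIS requirement for `operation`."""
    props = alert.get("properties", alert)
    if not props.get("enabled", False):
        return False
    # Scope must be the whole subscription: a resource-group scope misses the
    # same operation performed anywhere else in the subscription.
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if not any(str(s).lower() == sub_scope for s in props.get("scopes", [])):
        return False
    # Without an action group the alert fires and nobody is notified.
    if not props.get("actions", {}).get("actionGroups"):
        return False
    cond = _conditions(props)
    return (cond.get("category") == "administrative"
            and cond.get("operationname") == operation.lower())


def missing_alerts(alerts: List[dict], subscription_id: str) -> Dict[str, str]:
    """Return {CIS id: operation} for every required operation no alert covers."""
    return {cis: op for cis, op in REQUIRED_OPERATIONS.items()
            if not any(_covers(a, subscription_id, op) for a in alerts)}


SUB = "00000000-0000-0000-0000-000000000000"   # constructed subscription id


def _alert(name, operation, enabled=True, scope=None, action_group=True):
    """Build an ARM-shaped activityLogAlert for the constructed sample."""
    ag = [{"actionGroupId": f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/"
                            "microsoft.insights/actionGroups/ag-secops"}]
    return {"name": name, "properties": {
        "enabled": enabled,
        "scopes": [scope or f"/subscriptions/{SUB}"],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": operation}]},
        "actions": {"actionGroups": ag if action_group else []}}}


SAMPLE_ALERTS = [  # constructed: one good rule and three that look right but fail
    _alert("nsg-write", "Microsoft.Network/networkSecurityGroups/write"),
    _alert("nsg-delete", "Microsoft.Network/networkSecurityGroups/delete", enabled=False),
    _alert("policy-assign", "Microsoft.Authorization/policyAssignments/write",
           scope=f"/subscriptions/{SUB}/resourceGroups/rg-app"),
    _alert("sql-fw-write", "Microsoft.Sql/servers/firewallRules/write", action_group=False),
]

if __name__ == "__main__":
    for cis, op in missing_alerts(SAMPLE_ALERTS, SUB).items():
        print(f"CIS {cis}: no effective activity log alert for {op}")
```

The three near-misses in the sample are the ones that most often slip past a manual review: the rule exists and its name looks right, but it is disabled, scoped too narrowly, or has nothing to notify.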
Azure Functions
- Ensure Azure Functions uses HTTPS only [high]
- Ensure Azure Functions uses managed identity [medium]
- Ensure Azure Functions has diagnostic logging enabled [medium]
- Ensure Azure Functions uses latest runtime version [medium]
- Ensure Azure Functions uses minimum TLS 1.2 [high]
- Ensure Azure Functions has CORS configured properly [medium]
- Ensure Azure Functions uses VNet integration [medium]
- Ensure Azure Functions remote debugging is disabled [high]
Azure Event Grid
Azure Service Bus
- Ensure Service Bus uses customer-managed keys [medium]
- Ensure Service Bus has network access restrictions [high]
- Ensure Service Bus uses private endpoints [medium]
- Ensure Service Bus has diagnostic logging enabled [medium]
- Ensure Service Bus uses managed identity [medium]
- Ensure Service Bus disables local authentication [medium]
Azure Container Registry
- Ensure Container Registry has admin account disabled [high]
- Ensure Container Registry uses customer-managed keys [medium]
- Ensure Container Registry has vulnerability scanning enabled [high]
- Ensure Container Registry has private endpoints enabled [medium]
- Ensure Container Registry has network access restrictions [medium]
- Ensure Container Registry has content trust enabled [medium]
- Ensure Container Registry has quarantine policies configured [medium]
- Ensure Container Registry has geo-replication enabled [low]
- Ensure Container Registry has diagnostic logging enabled [medium]
- Ensure Container Registry uses Premium SKU for production [low]
Azure API Management
- Ensure API Management uses HTTPS for APIs [high]
- Ensure API Management has subscription keys required [high]
- Ensure API Management has rate limiting configured [medium]
- Ensure API Management uses managed identity [medium]
- Ensure API Management has diagnostic logging enabled [medium]
- Ensure API Management uses virtual network integration [medium]
- Ensure API Management has OAuth 2.0 authorization configured [medium]
- Ensure API Management has client certificate authentication [medium]
- Ensure API Management has IP filtering configured [low]
- Ensure API Management validates API request schemas [medium]
Azure Logic Apps
- Ensure Logic Apps use managed identity [medium]
- Ensure Logic Apps use HTTPS for triggers and actions [high]
- Ensure Logic Apps have secure input/output parameters [high]
- Ensure Logic Apps use virtual network integration [medium]
- Ensure Logic Apps have diagnostic logging enabled [medium]
- Ensure Logic Apps use access control for triggers [high]
- Ensure Logic Apps connections use OAuth [medium]
Azure Data Factory
- Ensure Data Factory uses managed identity [medium]
- Ensure Data Factory uses customer-managed keys [medium]
- Ensure Data Factory has public network access disabled [medium]
- Ensure Data Factory has diagnostic logging enabled [medium]
- Ensure Data Factory integration runtime uses VNet [medium]
- Ensure Data Factory linked services use Key Vault for secrets [high]
- Ensure Data Factory has Git integration enabled [low]
Supported Compliance Frameworks
Every check is mapped to the relevant controls of: CIS Azure v2.0, CIS Azure v2.1, CIS Azure v3.0, CIS Azure v4.0, PCI-DSS v4.0, SOC 2 Type II, ISO 27001:2022, HIPAA, MITRE ATT&CK, NIS2 Directive, ENS RD2022, C5, and Azure Security Benchmark. MITRE ATT&CK is a catalog of adversary techniques rather than a compliance standard, so its mappings express which techniques a check mitigates. Azure Security Benchmark has since been superseded by the Microsoft cloud security benchmark.