Mapping with the CIS Microsoft Azure Foundations Benchmark

This section shows the control-level alignment for the CIS Microsoft Azure Foundations Benchmark v4.0.0.

| CIS ID | TrustOnCloud Control ID | Comments |
| --- | --- | --- |
| 2.1.1.1.1 | | |
| 2.1.1.2.1 | Keyvault.C95 under Keyvault.CO27 | |
| 2.2.1.1 | | |
| 2.2.1.2 | Network.C192 under Network.CO3 | |
| 2.2.2 | Network.C196 under Network.CO21 | |
| 3.1.1 | Databricks.C3 under Databricks.CO2 | Our control also says not to use public IPs, in addition to using a VNet |
| 3.1.2 | Network.C224 under Network.CO19 | This control applies to all services, not only Databricks, and our control additionally recommends using Azure Policy to audit that NSGs are configured for a subnet. |
| 3.1.3 | Databricks.C21 under Databricks.CO10 | |
| 3.1.4 | Databricks.C20 under Databricks.CO1 | Our control asks the end users to define which users are synchronized to Entra ID instead of syncing all of them. |
| 3.1.5 | Databricks.C28 under Databricks.CO11 | |
| 3.1.6 | Databricks.C4 under Databricks.CO3 | |
| 3.1.7 | Databricks.C10 under Databricks.CO6 | |
| 3.1.8 | Databricks.C22 under Databricks.CO10 | |
| 4.1.1 | Entra.C3 under Entra.CO3 | The CIS control is a control in Entra ID, not Compute. You cannot assign MFA to identities within the compute resource. |
| 6.1.1 | | Requiring security defaults to be enabled disables conditional access policies |
| 6.1.2 | Entra.C3 under Entra.CO3 | |
| 6.1.3 | | |
| 6.2.1 | Entra.C115 under Entra.CO3 | Our control asks to maintain the entire conditional access policy instead of individual parameters. |
| 6.2.2 | Entra.C115 under Entra.CO3 | Our control asks to maintain the entire conditional access policy instead of individual parameters. |
| 6.2.3 | Entra.C115 under Entra.CO3 | Our control asks to maintain the entire conditional access policy instead of individual parameters. |
| 6.2.4 | Entra.C115 under Entra.CO3 | Our control asks to maintain the entire conditional access policy instead of individual parameters. |
| 6.2.5 | Entra.C3 under Entra.CO3 | Our control asks for all users to be subject to MFA, not just risky users |
| 6.2.6 | Entra.C3 under Entra.CO3 | Our control asks for all users to be subject to MFA, not just specific APIs |
| 6.2.7 | Entra.C3 under Entra.CO3 | |
| 6.3.1 | | |
| 6.3.2 | Entra.C42 under Entra.CO3 | |
| 6.3.3 | Entra.C5 under Entra.CO1 | Our control is to limit access to all roles, not just UAA |
| 6.3.4 | Entra.C16 under Entra.CO1 | |
| 6.4 | | |
| 6.5 | Entra.C3 under Entra.CO3 | |
| 6.6 | Entra.C112 under Entra.CO3 | Our control is to use a smart lockout policy instead of threshold numbers |
| 6.7 | Entra.C112 under Entra.CO3 | Our control is to use a smart lockout policy instead of threshold numbers |
| 6.8 | | |
| 6.9 | | |
| 6.10 | | |
| 6.11 | Entra.C92 under Entra.CO6 | |
| 6.12 | Entra.C49 under Entra.CO6 | Our control asks admins to consent |
| 6.13 | Entra.C49 under Entra.CO6 | Our control asks admins to consent |
| 6.14 | Entra.C94 under Entra.CO6 | |
| 6.15 | Entra.C122 under Entra.CO4 | |
| 6.16 | | |
| 6.17 | | |
| 6.18 | Entra.C30 under Entra.CO8 | |
| 6.19 | | |
| 6.20 | | |
| 6.21 | | |
| 6.22 | Entra.C3 under Entra.CO3 | |
| 6.23 | Entra.C5 under Entra.CO1 | Our control is to limit all roles, not only custom ones |
| 6.24 | | |
| 6.25 | Subscription.C5 under Subscription.CO3 | |
| 6.26 | Entra.C2 under Entra.CO1 | Our control is to limit all roles, not only global admin |
| 7.1.1.1 | | |
| 7.1.1.2 | | |
| 7.1.1.3 | Storage.C61 under Storage.CO12 | Our control asks all containers to be encrypted with CMKs |
| 7.1.1.4 | | |
| 7.1.1.5 | Network.C237 under Network.CO2 | |
| 7.1.1.6 | | |
| 7.1.1.7 | Network.C237 under Network.CO2 | |
| 7.1.1.8 | Entra.C1 under Entra.CO5 | |
| 7.1.1.9 | Entra.C1 under Entra.CO5 | |
| 7.1.1.10 | | |
| 7.1.2.1 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.2 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.3 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.4 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.5 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.6 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.7 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.8 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.9 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.10 | Resourcemanager.C51 under Resourcemanager.CO2 | Our control asks to monitor any attack given the IAM action |
| 7.1.2.11 | | |
| 7.1.3.1 | | |
| 7.1.4 | | |
| 7.1.5 | | |
| 7.2 | | |
| 8.1 | Network.C11 under Network.CO4 | Our control asks for all firewall rules to be monitored |
| 8.2 | Network.C11 under Network.CO4 | Our control asks for all firewall rules to be monitored |
| 8.3 | Network.C11 under Network.CO4 | Our control asks for all firewall rules to be monitored |
| 8.4 | Network.C11 under Network.CO4 | Our control asks for all firewall rules to be monitored |
| 8.5 | Network.C237 under Network.CO2 | |
| 8.6 | | |
| 8.7 | Network.C272 under Network.CO17 | |
| 8.8 | | |
| 9.1.3.1 | | |
| 9.1.3.2 | | |
| 9.1.3.3 | | |
| 9.1.3.4 | | |
| 9.1.3.5 | | |
| 9.1.4.1 | | |
| 9.1.5.1 | | |
| 9.1.6.1 | | |
| 9.1.7.1 | | |
| 9.1.7.2 | | |
| 9.1.7.3 | | |
| 9.1.7.4 | | |
| 9.1.8.1 | | |
| 9.1.9.1 | | |
| 9.1.10 | | |
| 9.1.11 | | |
| 9.1.12 | | |
| 9.1.13 | | |
| 9.1.14 | | |
| 9.1.15 | | |
| 9.1.16 | | |
| 9.1.17 | | |
| 9.2.1 | | |
| 9.3.1 | Keyvault.C24 under Keyvault.CO6 | Our control covers all key vault items and vault types |
| 9.3.2 | Keyvault.C24 under Keyvault.CO6 | Our control covers all key vault items and vault types |
| 9.3.3 | Keyvault.C24 under Keyvault.CO6 | Our control covers all key vault items and vault types |
| 9.3.4 | Keyvault.C24 under Keyvault.CO6 | Our control covers all key vault items and vault types |
| 9.3.5 | Keyvault.C75 under Keyvault.CO18 | |
| 9.3.6 | Keyvault.C93 under Keyvault.CO26 | |
| 9.3.7 | | Will not cover |
| 9.3.8 | Keyvault.C10 under Keyvault.CO3 | |
| 9.3.9 | Keyvault.C95 under Keyvault.CO27 | Our control covers just customer managed keys |
| 9.3.10 | Keyvault.C103 under Keyvault.CO29 | |
| 9.4.1 | | Will not cover |
| 10.1.1 | Storage.C33 under Storage.CO24 | |
| 10.1.2 | Storage.C120 under Storage.CO8 | Our control covers all security settings |
| 10.1.3 | Storage.C120 under Storage.CO8 | Our control covers all security settings |
| 10.2.1 | Storage.C33 under Storage.CO24 | |
| 10.2.2 | Storage.C144 under Storage.CO24 | |
| 10.3.1.1 | | |
| 10.3.1.2 | | |
| 10.3.1.3 | Storage.C148 under Storage.CO4 | Our control is for all required authentication methods, not just shared keys. |
| 10.3.2.1 | Storage.C38 under Storage.CO9 | |
| 10.3.2.2 | Storage.C7 under Storage.CO4 | |
| 10.3.3.1 | Storage.C142 under Storage.CO4 | Our control asks for all authentication to be Entra unless otherwise required, not just the portal. |
| 10.3.4 | Storage.C120 under Storage.CO8 | Our control covers all security settings |
| 10.3.6 | Storage.C33 under Storage.CO24 | |
| 10.3.7 | Storage.C120 under Storage.CO8 | Our control covers all security settings |
| 10.3.8 | Storage.C48 under Storage.CO5 | |
| 10.3.9 | Storage.C56 under Storage.CO4 | |
| 10.3.12 | Storage.C72 under Storage.CO5 | Our control asks for general redundancy requirements instead of a specific one |