Also read Governance Tasks for any Azure Subscription - Azure Data Protection Services

Overview

What should you include in a detailed cloud security audit? This post focuses on an Azure audit, but the parallels can be easily drawn for GCP or AWS.

Key and Secrets Management

  • Azure Defender for Key Vault should be enabled
  • Key Vault keys should have an expiration date
  • Key Vault secrets should have an expiration date
  • Azure Key Vault Managed HSM should have purge protection enabled
  • Key vaults should have purge protection enabled
  • Resource logs in Azure Key Vault Managed HSM should be enabled
  • Resource logs in Key Vault should be enabled

Azure VMs

  • Azure Defender for servers should be enabled
  • Only approved VM extensions should be installed
  • System updates should be installed on your machines
  • Monitor missing Endpoint Protection in Azure Security Center
  • Management ports of virtual machines should be protected with just-in-time network access control
  • Adaptive application controls for defining safe applications should be enabled on your machines

Azure Networking

  • Network Watcher should be enabled. A network watcher resource group should be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.
  • Subnets should be associated with a Network Security Group
  • Internet-facing virtual machines should be protected with network security groups
  • Adaptive network hardening recommendations should be applied on internet facing virtual machines

Databases

  • Azure Defender for SQL servers on machines should be enabled
  • Enforce SSL connection should be enabled for MySQL or SQL Server database servers. This configuration enforces that SSL is always enabled for accessing your database server.
  • Auditing on SQL server should be enabled
  • Transparent Data Encryption on SQL databases should be enabled

Storage

  • Azure Defender for Storage should be enabled
  • Storage account public access should be disallowed

Logging, Monitoring and Alerting

  • Auto provisioning of the Log Analytics agent should be enabled on your subscription
  • Azure subscriptions should have a log profile for Activity Log
  • Activity log should be retained for at least one year
  • Monitor missing Endpoint Protection in Azure Security Center
  • Subscriptions should have a contact email address for security issues
  • Email notification for high severity alerts should be enabled
  • Email notification to subscription owner for high severity alerts should be enabled
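To turn some of these checklist items into a repeatable check, here is an added Python example (not from the original post) that audits constructed inventory data for the Key Vault purge-protection and key/secret expiration items and the storage public-access item. The records are shaped like the JSON that `az keyvault show`, `az keyvault key list`/`secret list` and `az storage account show` return; the field names are an assumption about the CLI output and the resources are made up.

```python
"""Offline audit of constructed Azure inventory against three checklist items:
Key Vault purge protection, key/secret expiration, and storage public access."""
from datetime import datetime, timezone

# Constructed sample inventory (not real resources); field names assumed to
# follow `az keyvault show`, `az keyvault key/secret list`, `az storage account show`.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
KEY_VAULTS = [
    {"name": "kv-prod", "properties": {"enablePurgeProtection": True},
     "keys": [{"name": "tde-key", "attributes": {"expires": "2024-06-30T00:00:00+00:00", "enabled": True}}],
     "secrets": [{"name": "db-pass", "attributes": {"expires": None, "enabled": True}}]},
    {"name": "kv-dev", "properties": {"enablePurgeProtection": None},
     "keys": [{"name": "old-key", "attributes": {"expires": "2023-01-01T00:00:00+00:00", "enabled": True}}],
     "secrets": []},
]
STORAGE_ACCOUNTS = [
    {"name": "stprodlogs", "allowBlobPublicAccess": False},
    {"name": "stpublicweb", "allowBlobPublicAccess": True},
]

def parse_expiry(value):
    """Key Vault reports `expires` as an ISO-8601 string, or null when unset."""
    return datetime.fromisoformat(value) if value else None

def audit_key_vault(vault, now=NOW):
    findings = []
    # Purge protection is reported as true or null; null means not enabled.
    if not vault["properties"].get("enablePurgeProtection"):
        findings.append(f"{vault['name']}: purge protection not enabled")
    for kind in ("keys", "secrets"):
        for obj in vault.get(kind, []):
            if not obj["attributes"].get("enabled", True):
                continue  # disabled objects cannot be used, so skip them
            exp = parse_expiry(obj["attributes"].get("expires"))
            if exp is None:
                findings.append(f"{vault['name']}/{kind}/{obj['name']}: no expiration date")
            elif exp <= now:
                findings.append(f"{vault['name']}/{kind}/{obj['name']}: expired on {exp.date()}")
    return findings

def audit_storage(account):
    # A missing value is treated as allowed so that it surfaces for review.
    if account.get("allowBlobPublicAccess", True):
        return [f"{account['name']}: public blob access allowed"]
    return []

def run_audit(vaults=KEY_VAULTS, accounts=STORAGE_ACCOUNTS, now=NOW):
    findings = [f for v in vaults for f in audit_key_vault(v, now)]
    findings += [f for a in accounts for f in audit_storage(a)]
    return findings

if __name__ == "__main__":
    for finding in run_audit():
        print("FAIL", finding)
```

Feeding it real exports is a matter of replacing the constructed lists with the parsed output of the corresponding `az` commands.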

Summary

Security audits on Azure should comprise the majority of the tasks listed in this post.

Need an experienced Cloud Security Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.