GSA-TTS / tts-tech-operations

TTS Technology Operations
https://handbook.tts.gsa.gov/tech-operations/

Setup an Automated CIS Benchmark Scan for all managed Azure accounts #1083

Open JJediny opened 3 years ago

JJediny commented 3 years ago

MITRE has developed a set of inspec benchmarks mapped to NIST Controls for GCP/AWS - none yet for Azure. There are also the https://github.com/devsec profiles; no known Azure benchmarks exist there either. No known complementary terraform hardening modules are tied to the inspec tests directly.

Options:

  1. Research and select a vendored inspec profile.
  2. Develop our own minimal profile for Auth2 and password policies.
  3. Determine to forgo effort if the investment is not worth the associated risk of not - vs using managed services native to Azure to implement.

Determine:

Implementation Steps

AC

JJediny commented 5 months ago

Needs to be reassessed during PRISMA implementation cc @nateprice18f @MichaelSides