MITRE has developed a set of InSpec benchmark profiles mapped to NIST controls for GCP and AWS, but none yet for Azure. The https://github.com/devsec profiles are another source, but no Azure benchmark exists there either. No known complementary Terraform hardening modules are tied directly to the InSpec tests.
Options:
- Research and select a vendored InSpec profile.
- Develop our own minimal profile covering Auth2 and password policies.
- Forgo the effort if the investment is not worth the risk it mitigates, and instead implement the checks with managed services native to Azure.
Determine:
- [ ] proceed with InSpec (to keep tooling consistent across IaaS providers)
- [ ] proceed with Azure-native managed services in lieu of InSpec
Implementation Steps
- [ ] Set up InSpec to run as part of CI against all accounts, as either:
  - [ ] a cron runner
  - [ ] part of the standard PR pipeline (might be too long to run on every PR)
- [ ] Determine how best to store, track and display test results
  - [ ] consider deploying https://github.com/mitre/heimdall2 as a cloud.gov app to serve as a `{{ account }}-{{ timestamp }}.json` endpoint, so results can be saved and diffed over time
  - [ ] forgo tracking and instead invest in upfront remediation, assuming a 100% pass rate
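As an added example (not part of this issue, and not code from MITRE, Heimdall or the devsec profiles), the "save and diff results over time" step in Ruby: it parses two InSpec JSON reports for the same account, collapses each control to one status, computes a pass rate that ignores skipped (N/A) controls, and reports regressions, fixes, and added or removed controls between the two timestamps. It assumes the shape of InSpec's `json` reporter (`profiles` -> `controls` -> `results[].status`); the two reports and their `example-*` control ids are constructed placeholders, not real CIS Azure benchmark ids.

```ruby
require 'json'

# Constructed sample reports standing in for two {{ account }}-{{ timestamp }}.json
# files from the same account. Control ids are placeholders, not CIS ids.
EARLIER_REPORT = <<~JSON
  {
    "version": "5.22.0",
    "profiles": [{
      "name": "azure-baseline-example",
      "controls": [
        {"id": "example-1.1", "title": "Password policy enforces minimum length", "impact": 0.7,
         "results": [{"status": "failed", "code_desc": "min length", "message": "expected >= 14, got 8"}]},
        {"id": "example-1.2", "title": "MFA enabled for all users", "impact": 1.0,
         "results": [{"status": "passed", "code_desc": "mfa enabled"}]},
        {"id": "example-1.3", "title": "Guest access reviewed", "impact": 0.3,
         "results": [{"status": "skipped", "code_desc": "guest review", "skip_message": "not applicable"}]}
      ]
    }],
    "statistics": {"duration": 12.3}
  }
JSON

LATER_REPORT = <<~JSON
  {
    "version": "5.22.0",
    "profiles": [{
      "name": "azure-baseline-example",
      "controls": [
        {"id": "example-1.1", "title": "Password policy enforces minimum length", "impact": 0.7,
         "results": [{"status": "passed", "code_desc": "min length"}]},
        {"id": "example-1.2", "title": "MFA enabled for all users", "impact": 1.0,
         "results": [{"status": "passed", "code_desc": "mfa enabled for admins"},
                     {"status": "failed", "code_desc": "mfa enabled for guests", "message": "2 guests without MFA"}]},
        {"id": "example-1.3", "title": "Guest access reviewed", "impact": 0.3,
         "results": [{"status": "skipped", "code_desc": "guest review", "skip_message": "not applicable"}]},
        {"id": "example-1.4", "title": "Password lockout threshold set", "impact": 0.5,
         "results": [{"status": "failed", "code_desc": "lockout threshold", "message": "not configured"}]}
      ]
    }],
    "statistics": {"duration": 13.1}
  }
JSON

# Collapse a control's per-test results into one status: InSpec records one
# result per describe block, and a single failing block fails the control.
def control_status(control)
  statuses = Array(control['results']).map { |r| r['status'] }
  return 'failed' if statuses.include?('failed')
  return 'passed' if statuses.include?('passed')
  'skipped'
end

# Parse one report into { control_id => { status:, impact:, title: } }.
def summarise(report_json)
  JSON.parse(report_json).fetch('profiles').each_with_object({}) do |profile, acc|
    profile.fetch('controls', []).each do |control|
      acc[control['id']] = { status: control_status(control),
                             impact: control['impact'].to_f,
                             title: control['title'] }
    end
  end
end

# Share of graded controls that pass. Skipped (N/A) controls are excluded so
# they can neither inflate nor depress the rate.
def pass_rate(summary)
  graded = summary.values.reject { |c| c[:status] == 'skipped' }
  return 0.0 if graded.empty?
  graded.count { |c| c[:status] == 'passed' }.fdiv(graded.size)
end

# Diff two runs of the same account. Ids are sorted so output is stable and
# can itself be stored alongside the raw reports.
def diff_reports(earlier_json, later_json)
  before = summarise(earlier_json)
  after = summarise(later_json)
  shared = before.keys & after.keys
  {
    regressions: shared.select { |id| before[id][:status] == 'passed' && after[id][:status] == 'failed' }.sort,
    fixed: shared.select { |id| before[id][:status] == 'failed' && after[id][:status] == 'passed' }.sort,
    added: (after.keys - before.keys).sort,
    removed: (before.keys - after.keys).sort,
    pass_rate_before: pass_rate(before),
    pass_rate_after: pass_rate(after)
  }
end

if __FILE__ == $PROGRAM_NAME
  d = diff_reports(EARLIER_REPORT, LATER_REPORT)
  puts "pass rate: #{(d[:pass_rate_before] * 100).round(1)}% -> #{(d[:pass_rate_after] * 100).round(1)}%"
  puts "regressions: #{d[:regressions].join(', ')}"
  puts "fixed:       #{d[:fixed].join(', ')}"
  puts "added:       #{d[:added].join(', ')}"
  puts "removed:     #{d[:removed].join(', ')}"
end
```

Run against two real reports, `regressions` is the list worth paging on: a control that passed last run and fails now is a drift in the account, whereas `added` usually means the profile itself was updated. Note that the headline pass rate can fall (here 50% to 33%) purely because new controls were added, which is why the diff keeps the two categories separate.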
AC
- [ ] Azure CIS Benchmark status is known and tracked continuously for all managed accounts