Setup an Automated CIS Benchmark Scan for all managed Azure accounts

[JJediny]

MITRE has developed a set of inspec benchmarks mapped to NIST Controls for GCP/AWS - none yet for Azure. There is also https://github.com/devsec profiles, no known Azure benchmarks exist there either. No known complimentary terraform hardening modules are tied to the inspec test directly.

Options:

1. Research and Select a vendored inspec profile.
2. Develop our own minimal profile for Auth2 and password policies.
3. Determine to forgo effort if the investment is not worth the associated risk of not - vs using managed services native to Azure to implement.

Determine:

• [ ] proceed with inspec (to keep tooling consistent across IaaS)
• [ ] proceed with Azure native managed services in-lieu

Implementation Steps

• [ ] Setup inspec to run as part of CI against all accounts as a:
  • [ ] CRON runner
  • [ ] part of the standard PR (might be too long to run each time)
• [ ] Determine how to best store/track/display test results
  • [ ] consider deploying https://github.com/mitre/heimdall2 as a cloud.gov app to serve as a {{ account }}-{{ timestamp }}.json endpoint to save and diff results over time
  • [ ] forgo tracking and just invest in upfront remediation to assume 100% pass

AC

• [ ] Azure CIS Benchmark status is known and tracked continuously for all managed accounts

[JJediny]

Needs to be reassessed during PRISMA implementation cc @nateprice18f @MichaelSides