
Microsoft Cloud Security Benchmark v1

This spreadsheet is designed to provide you a private preview version of the Microsoft Cloud Security Benchmark v1. For the web version of the content, please refer to https://docs.microsoft.com/en-us/security/benchmark/azure/overview

a. The control mappings between MCSB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such implementation does not necessarily translate to the full compliance of the corresponding control in CIS, NIST or PCI.
b. This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations.

This multi-cloud guidance follows the below principles:

1. The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level as Azure's.
2. The security guidance for non-Azure platforms will provide the same level of granularity and same scope in the technical guidance as Azure's.
3. The non-Microsoft cloud service provider's (CSP) native solution or feature will usually be recommended as the first preference for each control. However, when there is a more mature multi-cloud solution available in Azure, it'll be prioritized as the default recommendation.
4. If neither the CSP's native technology nor Azure solutions are available to satisfy a security principle, third-party solutions will be recommended from the Azure or the other CSP's Marketplace. However, Microsoft Cloud Security Benchmark will not name any specific third-party vendor product or solution.

Guidance - Column Header Descriptions

ID#: The Microsoft Cloud Security Benchmark ID.
Control Domain: The security control domain.
Security Principle: The technology-agnostic and cloud-neutral principle for various security topics in each control domain.
Recommendation: The control recommendation in summarized format.
Azure Guidance: The technical guidance for Azure platforms.
AWS Guidance: The technical guidance for Amazon Web Services platforms.
Implementation and additional context: The implementation details and other relevant context which links to the Azure or AWS service offering documentation articles.
Control mappings and security principles (Network Security, NS-1 to NS-10)

NS-1 Establish network segmentation boundaries
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8 ID(s): 3.12 - Segment Data Processing and Storage Based on Sensitivity; 13.4 - Perform Traffic Filtering Between Network Segments; 4.4 - Implement and Manage a Firewall on Servers
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks.
Examples of high-risk workloads include:
- An application storing or processing highly sensitive data.
- An external network-facing application accessible by the public or users outside of your organization.
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.

NS-2 Secure cloud native services with network controls
Control Domain: Network Security
CIS Controls v7.1 ID(s): 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8 ID(s): 3.12 - Segment Data Processing and Storage Based on Sensitivity; 4.4 - Implement and Manage a Firewall on Servers
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from the public network when possible.

NS-3 Deploy firewall at the edge of enterprise network
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software; 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal network segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purposes.
At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).

NS-4 Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
Control Domain: Network Security
CIS Controls v7.1 ID(s): 12.6 - Deploy Network-Based IDS Sensors; 12.7 - Deploy Network-Based Intrusion Prevention Systems
CIS Controls v8 ID(s): 13.2 - Deploy a Host-Based Intrusion Detection Solution; 13.3 - Deploy a Network Intrusion Detection Solution; 13.7 - Deploy a Host-Based Intrusion Prevention Solution; 13.8 - Deploy a Network Intrusion Prevention Solution
NIST SP800-53 r4 ID(s): SC-7: BOUNDARY PROTECTION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 11.4
Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution.
For more in-depth host-level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.

NS-5 Deploy DDoS protection
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses
CIS Controls v8 ID(s): 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): SC-5: DENIAL OF SERVICE PROTECTION; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 6.6
Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.

NS-6 Deploy web application firewall
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.9 - Deploy Application Layer Filtering Proxy Server; 18.10 - Deploy Web Application Firewalls (WAFs)
CIS Controls v8 ID(s): 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 6.6
Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.

NS-7 Simplify network security configuration
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: When managing a complex network environment, use tools to simplify, centralize and enhance the network security management.

NS-8 Detect and disable insecure services and protocols
Control Domain: Network Security
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1 ID(s): 4.1, A2.1, A2.2, A2.3
Security Principle: Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols is not possible.

NS-9 Connect on-premises or cloud network privately
Control Domain: Network Security
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): 12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
NIST SP800-53 r4 ID(s): CA-3: SYSTEM INTERCONNECTIONS; AC-17: REMOTE ACCESS; AC-4: INFORMATION FLOW ENFORCEMENT
PCI-DSS v3.2.1 ID(s): N/A
Security Principle: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.

NS-10 Ensure Domain Name System (DNS) security
Control Domain: Network Security
CIS Controls v7.1 ID(s): 7.7 - Use of DNS Filtering Services
CIS Controls v8 ID(s): 4.9 - Configure Trusted DNS Servers on Enterprise Assets; 9.2 - Use DNS Filtering Services
NIST SP800-53 r4 ID(s): SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE); SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
PCI-DSS v3.2.1 ID(s): N/A
Security Principle: Ensure that Domain Name System (DNS) security configuration protects against known risks:
- Use trusted authoritative and recursive DNS services across your cloud environment to ensure the clients (such as operating systems and applications) receive the correct resolution result.
- Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network.
- Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, and so on.
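The "deny by default, permit by exception" evaluation described under NS-1 and the NS-3 minimum of blocking remote management (RDP, SSH) and intranet protocols (SMB, Kerberos) from external networks can be checked against a rule set before it is deployed. The following is an added example, not the benchmark's own code: the rule fields mirror those of an Azure NSG security rule, the evaluation follows NSG semantics (ascending priority, first match wins, inbound Internet traffic denied when nothing matches), and the sample rule names and prefixes are constructed.

```python
"""Audit NSG-style inbound rules for high-risk ports reachable from the public network.

Added example, not code from the benchmark. It models the fields of an Azure NSG
security rule (priority, direction, access, protocol, source prefix or service tag,
destination port range) and evaluates inbound rules the way NSGs do: rules are
processed in ascending priority number and the first match decides; with no
match, inbound traffic from the Internet is denied by the default rules. The
port list comes from the NS-3 principle: remote management (RDP, SSH) and
intranet protocols (SMB, Kerberos). Rule names and prefixes below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Service name per port; NS-3 asks that these be blocked from external networks.
HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 88: "Kerberos"}

# Source values that match any sender on the public network in NSG rule syntax.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0", "Any"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096; lower numbers are evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # address prefix, service tag or "*"
    dest_ports: str   # "22", "440-450", "80,443" or "*"


def port_matches(spec: str, port: int) -> bool:
    """True if a destination port spec (single, range, comma list or '*') covers port."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def first_matching_inbound_rule(rules: Iterable[Rule], port: int, proto: str) -> Optional[Rule]:
    """Return the rule that decides traffic from an arbitrary Internet host to port/proto.

    Rules whose source is a specific prefix or a service tag such as VirtualNetwork
    never match a packet from an unknown public address, so only public sources count.
    """
    inbound = sorted((r for r in rules if r.direction == "Inbound"), key=lambda r: r.priority)
    for r in inbound:
        if (r.source in PUBLIC_SOURCES
                and r.protocol in ("*", proto)
                and port_matches(r.dest_ports, port)):
            return r
    return None  # no custom rule matched: NSG default rules deny inbound Internet traffic


def exposed_high_risk_ports(rules: Iterable[Rule]) -> List[Tuple[str, int, str, str]]:
    """List (service, port, protocol, rule name) for every high-risk port the public can reach."""
    rules = list(rules)
    findings = []
    for port, service in HIGH_RISK_PORTS.items():
        for proto in ("Tcp", "Udp"):
            rule = first_matching_inbound_rule(rules, port, proto)
            if rule is not None and rule.access == "Allow":
                findings.append((service, port, proto, rule.name))
    return findings


# Constructed sample NSG: one mistake at priority 200 and one at 500; the deny at 150
# shadows the broad allow at 400, which is why 445 is not reported.
SAMPLE_RULES = [
    Rule("AllowSSHFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("DenySMBFromInternet", 150, "Inbound", "Deny", "*", "Internet", "445"),
    Rule("AllowRDPFromInternet", 200, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("AllowWebFromInternet", 300, "Inbound", "Allow", "Tcp", "Internet", "80,443"),
    Rule("AllowMgmtRange", 400, "Inbound", "Allow", "Tcp", "*", "440-450"),
    Rule("AllowKerbUdp", 500, "Inbound", "Allow", "Udp", "0.0.0.0/0", "88"),
    Rule("AllowAllOutbound", 100, "Outbound", "Allow", "*", "*", "*"),
]

if __name__ == "__main__":
    for service, port, proto, name in exposed_high_risk_ports(SAMPLE_RULES):
        print(f"{service} ({proto}/{port}) is open to the public network via rule '{name}'")
```

The same evaluation applies to rules exported with `az network nsg rule list`; only the field mapping into `Rule` changes.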
Azure Guidance

NS-1 Establish network segmentation boundaries
Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside the VNet for smaller sub-networks.

Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening to recommend NSG hardening rules based on threat intelligence and traffic analysis results.

You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

NS-2 Secure cloud native services with network controls
Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network.

Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on the Azure platform.

For certain services, you can choose to deploy VNet integration for the service, where you can restrict/isolate the VNet to establish a private access point for the service.

You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network.

For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.

NS-3 Deploy firewall at the edge of enterprise network
Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).

If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.

NS-4 Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
Use Azure Firewall's IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains.

For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.

NS-5 Deploy DDoS protection
DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users.

For higher levels of protection against application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS Protection Standard plan on your VNet to protect resources that are exposed to the public networks.

NS-6 Deploy web application firewall
Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network.

Set your WAF in "detection" or "prevention" mode, depending on your needs and threat landscape.

Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs.

NS-7 Simplify network security configuration
Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules:
- Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions.
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis results.
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template.

NS-8 Detect and disable insecure services and protocols
Use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard.

Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.

NS-9 Connect on-premises or cloud network privately
For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network.

For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment.

When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

NS-10 Ensure Domain Name System (DNS) security
Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application.

Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client.

Use Microsoft Defender for DNS for advanced protection against the following security threats to your workload or your DNS service:
- Data exfiltration from your Azure resources using DNS tunneling
- Malware communicating with a command-and-control server
- Communication with malicious domains such as phishing and crypto mining
- DNS attacks in communication with malicious DNS resolvers

You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar.
Implementation and additional context (Azure)

NS-1
Azure Virtual Network concepts and best practices: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices
Add, change, or delete a virtual network subnet: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet
How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups

NS-2
Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview
Integrate Azure services with virtual networks for network isolation: https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services

NS-3
How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Virtual network traffic routing: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview

NS-4
Azure Firewall IDPS: https://docs.microsoft.com/azure/firewall/premium-features#idps
Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response

NS-5
Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection

NS-6
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview

NS-7
Adaptive Network Hardening in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
Azure Firewall Manager: https://docs.microsoft.com/azure/firewall-manager/overview
Create an Azure Firewall and a firewall policy - ARM template: https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy

NS-8
Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks

NS-9
Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways
What are the ExpressRoute connectivity models: https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models
Virtual network peering: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview

NS-10
Azure DNS overview: https://docs.microsoft.com/azure/dns/dns-overview
Secure Domain Name System (DNS) Deployment Guide: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
Azure Private DNS: https://docs.microsoft.com/azure/dns/private-dns-overview
Azure Defender for DNS: https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction
Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover
AWS Guidance

NS-1 Establish network segmentation boundaries
Create a Virtual Private Cloud (VPC) as a fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside the VPC for smaller sub-networks.

For EC2 instances, use Security Groups as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use a Network Access Control List (NACL) as a stateless firewall to have explicit rules for ingress and egress traffic to the subnet.

Note: To control VPC traffic, the Internet Gateway and NAT Gateway should be configured to ensure that traffic from/to the internet is restricted.

NS-2 Secure cloud native services with network controls
Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network.

For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic.

You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level.

When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to your resources and instead use private IPs/subnets.

NS-3 Deploy firewall at the edge of enterprise network
Use AWS Network Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).

If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Network Firewall or a network virtual appliance.

NS-4 Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
Use AWS Network Firewall's IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains.

For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as a third-party host-based IDS/IPS solution, at the VM level in conjunction with the network IDS/IPS.

Note: If using a third-party IDS/IPS from the marketplace, use Transit Gateway and Gateway Load Balancer to direct the traffic for in-line inspection.

NS-5 Deploy DDoS protection
AWS Shield Standard is automatically enabled with standard mitigations to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks.

For higher levels of protection of your applications against application layer (Layer 7) attacks such as HTTPS floods and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53.

NS-6 Deploy web application firewall
Use AWS Web Application Firewall (WAF) in Amazon CloudFront distributions, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network.

Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize them to your application needs with the use-case rule groups.

To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filter web-based attacks on your web ACL.

NS-7 Simplify network security configuration
Use AWS Firewall Manager to centralize the network protection policy management across the following services:
- AWS WAF policies
- AWS Shield Advanced policies
- VPC security group policies
- Network Firewall policies
AWS Firewall Manager can automatically analyze your firewall-related policies, create findings for non-compliant resources and for detected attacks, and send them to AWS Security Hub for investigation.

NS-8 Detect and disable insecure services and protocols
Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify possible insecure services and protocols that do not meet the appropriate security standard.

If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols.

Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface.

NS-9 Connect on-premises or cloud network privately
For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device and the AWS network.

For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment.

You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPCs is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing.

NS-10 Ensure Domain Name System (DNS) security
Use the Amazon DNS Server (i.e. the Amazon Route 53 Resolver server, which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application.

Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 Resolver DNS Firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases:
- Prevent attacks such as DNS exfiltration in your VPC
- Set up allow or deny lists for the domains that your applications can query

Configure the Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic to protect your domain from DNS spoofing or a man-in-the-middle attack.

Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names:
- Domain names should be automatically renewed by the Amazon Route 53 service.
- Domain names should have the Transfer Lock feature enabled in order to keep them secure.
- The Sender Policy Framework (SPF) should be used to stop spammers from spoofing your domain.
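The NS-8 guidance enables VPC Flow Logs as the evidence source, and the NS-3 principle names the high-risk protocols that should not be reachable from external networks; together they give a simple detection over the flow records. The following is an added example, not AWS or benchmark code: it parses the default VPC Flow Log v2 record layout and reports accepted inbound flows to those ports from sources outside RFC1918 space. The log lines, account id, ENI id and addresses are constructed.

```python
"""Flag accepted inbound flows to high-risk ports from non-RFC1918 sources in VPC Flow Logs.

Added example for NS-3 / NS-8, not the benchmark's own code. Parses the default
VPC Flow Log v2 record layout
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
and reports ACCEPT records whose destination port is one of the high-risk
services named by NS-3 (RDP, SSH, SMB, Kerberos) and whose source is outside
RFC1918 space, i.e. traffic that reached the interface from the public network.
"""
import ipaddress
from typing import Dict, Iterable, List

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")

HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 88: "Kerberos"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_PROTO = {6: "tcp", 17: "udp"}   # IANA protocol numbers as they appear in the 'protocol' field


def parse_record(line: str) -> Dict[str, str]:
    """Split one space-separated v2 record into named fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_internal(addr: str) -> bool:
    """True for RFC1918 addresses; documentation ranges such as 203.0.113.0/24 count as public."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def exposed_flows(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per accepted flow to a high-risk port from a public source."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("version"):   # skip blank lines and the header row
            continue
        rec = parse_record(line)
        # NODATA/SKIPDATA records carry '-' in the address and port fields; skip them
        # before converting anything to int, and ignore rejected flows (the NACL or
        # security group already did its job there).
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        port = int(rec["dstport"])
        if port not in HIGH_RISK_PORTS or is_internal(rec["srcaddr"]):
            continue
        findings.append({
            "eni": rec["interface_id"], "src": rec["srcaddr"], "dst": rec["dstaddr"],
            "port": port, "service": HIGH_RISK_PORTS[port],
            "proto": IP_PROTO.get(int(rec["protocol"]), rec["protocol"]),
        })
    return findings


# Constructed sample: one RDP session accepted from a public address (finding), one SMB
# flow between private hosts, one rejected SSH attempt, one HTTPS flow, one NODATA record.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 3389 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 49152 445 6 40 8192 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for f in exposed_flows(SAMPLE_LOG.splitlines()):
        print(f"{f['eni']}: {f['service']} {f['proto']}/{f['port']} accepted from public source {f['src']} to {f['dst']}")
```

A finding here means a security group or NACL permitted the flow; feed it back into the rule review rather than treating the log alone as the control.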
Implementation and additional context (AWS)

NS-1
Control traffic to EC2 instances with security groups: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
Compare security groups and network ACLs: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
Internet Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

NS-2
AWS PrivateLink: https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html
Blocking public access to your Amazon S3 storage: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

NS-3
AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html
AWS VPC configure custom route tables: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html

NS-4
IPS stateful rule groups in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html
https://aws.amazon.com/marketplace/search?searchTerms=IPS

NS-5
AWS Shield Features: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

NS-6
How AWS WAF works: https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
AWS WAF Security Automations: https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html
AWS Managed Rules for AWS WAF: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html

NS-7
AWS Firewall Manager: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html
https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html

NS-8
Use GuardDuty with VPC Flow Logs as the data source: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc

NS-9
AWS Direct Connect introduction: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
AWS VPN introduction: https://docs.aws.amazon.com/vpn/
Transit Gateway: https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
Create and accept VPC peering connections: https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html
VPC Sharing: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html

NS-10
Amazon Route 53 DNSSEC configuration: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
Amazon Route 53 firewall: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html
Amazon Route 53 domain registration: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html
Customer Security Stakeholders:
Security architecture:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture

Posture management:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Application Security and DevOps:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

Control mapping (one record per control: ID | Control Domain | Recommendation, followed by the CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP800-53 r4 ID(s) and PCI-DSS v3.2.1 ID(s) it maps to)

IM-1 | Identity Management | Use centralized identity and authentication system
  CIS Controls v7.1: 16.1 - Maintain an Inventory of Authentication Systems; 16.2 - Configure Centralized Point of Authentication
  CIS Controls v8: 6.7 - Centralize Access Control; 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
  PCI-DSS v3.2.1: 7.2; 8.3

IM-2 | Identity Management | Protect identity and authentication systems
  CIS Controls v7.1: 4.3 - Ensure the Use of Dedicated Administrative Accounts; 4.5 - Use Multi-Factor Authentication for All Administrative Access
  CIS Controls v8: 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts; 6.5 - Require MFA for Administrative Access
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS); SI-4: INFORMATION SYSTEM MONITORING
  PCI-DSS v3.2.1: 8.2; 8.3

IM-3 | Identity Management | Manage application identities securely and automatically
  CIS Controls v7.1: N/A
  CIS Controls v8: N/A
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-4: IDENTIFIER MANAGEMENT; IA-5: AUTHENTICATOR MANAGEMENT; IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION
  PCI-DSS v3.2.1: N/A

IM-4 | Identity Management | Authenticate server and services
  CIS Controls v7.1: N/A
  CIS Controls v8: N/A
  NIST SP800-53 r4: IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION
  PCI-DSS v3.2.1: N/A

IM-5 | Identity Management | Use single sign-on (SSO) for application access
  CIS Controls v7.1: 16.2 - Configure Centralized Point of Authentication
  CIS Controls v8: 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
  NIST SP800-53 r4: IA-4: IDENTIFIER MANAGEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
  PCI-DSS v3.2.1: N/A

IM-6 | Identity Management | Use strong authentication controls
  CIS Controls v7.1: 4.2 - Change Default Passwords; 4.5 - Use Multifactor Authentication For All Administrative Access; 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 16.3 - Require Multi-Factor Authentication
  CIS Controls v8: 6.3 - Require MFA for Externally-Exposed Applications; 6.4 - Require MFA for Administrative Access
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-5: AUTHENTICATOR MANAGEMENT; IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
  PCI-DSS v3.2.1: 7.2; 8.2; 8.3; 8.4

IM-7 | Identity Management | Restrict resource access based on conditions
  CIS Controls v7.1: 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 12.12 - Manage All Devices Remotely Logging Into Internal Network; 14.6 - Protect Information Through Access Control Lists; 16.3 - Require Multi-Factor Authentication
  CIS Controls v8: 3.3 - Configure Data Access Control Lists; 6.4 - Require MFA for Administrative Access; 13.5 - Manage Access Control for Remote Assets
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
  PCI-DSS v3.2.1: 7.2

IM-8 | Identity Management | Restrict the exposure of credential and secrets
  CIS Controls v7.1: 18.1 - Establish Secure Coding Practices; 18.6 - Ensure Software Development Personnel Are Trained in Secure Coding; 18.7 - Apply Static and Dynamic Code Analysis Tools
  CIS Controls v8: 16.9 - Train Developers in Application Security Concepts and Secure Coding; 16.12 - Implement Code-Level Security Checks
  NIST SP800-53 r4: IA-5: AUTHENTICATOR MANAGEMENT
  PCI-DSS v3.2.1: 3.5; 6.3; 8.2

IM-9 | Identity Management | Secure user access to existing applications
  CIS Controls v7.1: 12.10 - Decrypt Network Traffic at Proxy; 16.2 - Configure Centralized Point of Authentication
  CIS Controls v8: 6.7 - Centralize Access Control; 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
  NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; SC-11: TRUSTED PATH
  PCI-DSS v3.2.1: N/A
Security Principle

IM-1 Use centralized identity and authentication system:
Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources.

IM-2 Protect identity and authentication systems:
Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include:
- Restrict privileged roles and accounts
- Require strong authentication for all privileged access
- Monitor and audit high-risk activities

IM-3 Manage application identities securely and automatically:
Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities.

IM-4 Authenticate server and services:
Authenticate remote servers and services from your client side to ensure you are connecting to trusted servers and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client side (often a browser or client device) verifies the server by checking that the server's certificate was issued by a trusted certificate authority.

Note: Mutual authentication can be used when both the server and the client authenticate one another.

IM-5 Use single sign-on (SSO) for application access:
Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments.

IM-6 Use strong authentication controls:
Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods.

When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users.

Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices, such as complexity requirements, are followed.

IM-7 Restrict resource access based on conditions:
Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of the user account, behavioral analytics of the user account, device trustworthiness, user or group membership, location, and so on.

IM-8 Restrict the exposure of credential and secrets:
Ensure that application developers securely handle credentials and secrets:
- Avoid embedding credentials and secrets in code and configuration files
- Use a key vault or a secure key store service to store credentials and secrets
- Scan for credentials in source code

Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process.

IM-9 Secure user access to existing applications:
In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as a cloud access security broker (CASB), an application proxy, or single sign-on (SSO) to govern access to these applications for the following benefits:
- Enforce centralized strong authentication
- Monitor and control risky end-user activities
- Monitor and remediate risky legacy application activities
- Detect and prevent sensitive data transmission
Azure Guidance

IM-1 Use centralized identity and authentication system:
Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azure AD to govern your organization's identity and authentication in:
- Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications.
- Your enterprise identities in Active Directory, by synchronization to Azure AD, to ensure a consistent and centrally managed identity strategy.

For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications.

Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to Consumer configuration.

IM-2 Protect identity and authentication systems:
Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. The Azure AD Identity Secure Score evaluates Azure AD for the following configurations:
- Use limited administrative roles
- Turn on user risk policy
- Designate more than one global admin
- Enable policy to block legacy authentication
- Ensure all users can complete multi-factor authentication for secure access
- Require MFA for administrative roles
- Enable self-service password reset
- Do not expire passwords
- Turn on sign-in risk policy
- Do not allow users to grant consent to unmanaged applications

Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity.

Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third-party capabilities, and the infrastructure (such as operating systems, networks, databases) that hosts them.

IM-3 Manage application identities securely and automatically:
Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files.

For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication.

IM-4 Authenticate server and services:
Many Azure services support TLS authentication by default. For services that don't support this by default or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.

Note: Services such as API Management and API Gateway support TLS mutual authentication.

IM-5 Use single sign-on (SSO) for application access:
Use Azure AD for workload application access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane, including CLI, PowerShell, and portal), cloud applications, and on-premises applications.

Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users.

IM-6 Use strong authentication controls:
Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA).
- Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards.
- Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup.

If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, while hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies.

For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup.

IM-7 Restrict resource access based on conditions:
Use Azure AD Conditional Access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions.

Define the applicable conditions and criteria for Azure AD Conditional Access in the workload. Consider the following common use cases:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications

Note: Granular authentication session management controls can also be implemented through Azure AD Conditional Access policies, such as sign-in frequency and persistent browser session.

IM-8 Restrict the exposure of credential and secrets:
When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files.

If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.

Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See the Data Protection controls related to the use of Azure Key Vault for secrets management.

Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.

IM-9 Secure user access to existing applications:
Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy, configured with header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Microsoft Defender for Cloud Apps, which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.

Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.
Implementation and additional context
Tenancy in Azure AD:
https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps

How to create and configure an Azure AD instance:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant

Define Azure AD tenants:
https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/

Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers

What is the identity secure score in Azure AD:
https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score

Best Practices for Securing Active Directory:
https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

What is Identity Protection?
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

What is Microsoft Defender for Identity?
https://learn.microsoft.com/en-us/defender-for-identity/what-is

Azure managed identities:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

Services that support managed identities for Azure resources:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities

Azure service principal:
https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps

Create a service principal with certificates:
https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell

Enforce Transport Layer Security (TLS) for a storage account:
https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version

Understand application SSO with Azure AD:
https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on

How to enable MFA in Azure:
https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted

Introduction to passwordless authentication options for Azure Active Directory:
https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless

Azure AD default password policy:
https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts

Eliminate bad passwords using Azure AD Password Protection:
https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad

Block legacy authentication:
https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication

Azure Conditional Access overview:
https://docs.microsoft.com/azure/active-directory/conditional-access/overview

Common Conditional Access policies:
https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Conditional Access insights and reporting:
https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting

Configure authentication session management with Conditional Access:
https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

How to set up Credential Scanner:
https://secdevtools.azurewebsites.net/helpcredscan.html

GitHub secret scanning:
https://docs.github.com/github/administering-a-repository/about-secret-scanning

Azure AD Application Proxy:
https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy

Microsoft Cloud App Security best practices:
https://docs.microsoft.com/cloud-app-security/best-practices

Azure AD secure hybrid access:
https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access
AWS Guidance

IM-1 Use centralized identity and authentication system:
AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Single Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS to avoid managing duplicate accounts separately in two cloud platforms.

AWS supports Single Sign-On, which allows you to bridge your corporation's third-party identities (such as Windows Active Directory, or other identity stores) with AWS identities to avoid creating duplicate accounts to access AWS resources.

IM-2 Protect identity and authentication systems:
Use the following security best practices to secure your AWS IAM:
- Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access)
- Follow least privilege principles for access assignments
- Leverage IAM groups to apply policies instead of individual user(s)
- Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users
- Use AWS Organizations SCP (Service Control Policy) and permission boundaries
- Use IAM Access Advisor to audit service access
- Use the IAM credential report to track user accounts and credential status

Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access.

IM-3 Manage application identities securely and automatically:
Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications and hard-coded credentials in source code or configuration files.

You may use service-linked roles, which are attached with pre-defined permission policies for access between AWS services, instead of customizing your own role permissions for the IAM roles.

Note: For services that don't support IAM roles, use access keys but follow the security best practices in IM-8 (Restrict the exposure of credential and secrets) to secure your keys.

IM-4 Authenticate server and services:
Many AWS services support TLS authentication by default. For services that don't support this by default or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.

Note: Services such as API Gateway support TLS mutual authentication.
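The client-side half of this control (for both the Azure and AWS guidance) is the part that is easy to get wrong in application code: a TLS handshake that completes is not proof that the peer was authenticated. The following added example (not from the benchmark or from either cloud provider) shows, with Python's standard `ssl` module, the context settings that make a client actually validate the chain and the hostname, the anti-pattern beside it, and a check that can be applied to any `SSLContext` before it is used. The optional private CA bundle path is an assumption for environments running an internal PKI.

```python
import socket
import ssl
from typing import Optional


def make_server_authenticating_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context that authenticates the server.

    By default the platform trust store is used. Passing a CA bundle path
    (assumption: you operate an internal PKI) restricts trust to certificates
    issued by that CA, which is the stricter choice for service-to-service calls.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True                      # certificate must match the name we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must terminate at a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The pattern the control warns against: any certificate is accepted, so a
    man-in-the-middle presenting its own certificate is never detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND the hostname and will not
    negotiate below TLS 1.2. Use it as a guard before handing a context to an HTTP client."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch_peer_subject(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified connection and return the presented certificate's subject.
    Raises ssl.SSLCertVerificationError when the chain or hostname fails to verify,
    which is exactly the failure a client must treat as fatal."""
    ctx = make_server_authenticating_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(pair[0] for pair in cert["subject"])


if __name__ == "__main__":
    print("hardened context authenticates server:", authenticates_server(make_server_authenticating_context()))
    print("insecure context authenticates server:", authenticates_server(make_insecure_context()))
```

`fetch_peer_subject` needs network access and is only there to show where verification errors surface; the other functions run offline. Mutual TLS, mentioned in the note above, adds `ctx.load_cert_chain(...)` on the client side so that the server can authenticate the client in the same handshake.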

IM-5 Use single sign-on (SSO) for application access:
Use AWS Cognito to manage access to your customer-facing workload application through single sign-on (SSO), allowing customers to bridge their third-party identities from different identity providers.

For SSO access to AWS native resources (including AWS console access or service management and data plane level access), use AWS Single Sign-On to reduce the need for duplicate accounts.

AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users.

IM-6 Use strong authentication controls:
AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions.

If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure Guidance for this control if you use Azure AD to manage AWS access.

Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup.

IM-7 Restrict resource access based on conditions:
Create IAM policies and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic.

Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), Access Control Lists (ACL), and session policies.
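What "conditions" look like in an IAM policy, and how they interact with the explicit-deny-wins evaluation order, is clearer with a concrete document. The following added example (constructed for this section, not from the benchmark or from AWS) pairs an identity-based policy that allows S3 reads only from a corporate IP range with a deny statement that fires whenever MFA is absent, then runs a deliberately simplified evaluator over a few constructed request contexts. `aws:SourceIp` and `aws:MultiFactorAuthPresent` are real IAM global condition keys; the bucket name, the 203.0.113.0/24 documentation range and the request contexts are assumptions. The evaluator models only one policy and four operators; real IAM also combines SCPs, permissions boundaries, resource-based and session policies, as the paragraph above lists.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# Constructed policy (assumption: replace bucket and CIDR with your own values).
# Statement 1 allows reads only from the corporate egress range.
# Statement 2 uses BoolIfExists because the MFA key is ABSENT for long-term access
# keys: a plain Bool check would let those requests through, BoolIfExists denies them.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadsFromCorpNetwork",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    },
    {
      "Sid": "DenyEverythingWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate the subset of IAM condition operators used above.
    Every operator block in one Condition element must hold (logical AND)."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "BoolIfExists":
                if actual is None:          # key absent: IfExists treats the test as satisfied
                    continue
                if str(actual).lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "IpAddress":
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(e, strict=False) for e in expected):
                    return False
            elif operator == "StringEquals":
                if actual is None or str(actual) not in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def _statement_applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Simplified IAM order: an applicable explicit Deny wins, then an explicit Allow,
    otherwise the request is implicitly denied. Returns "Deny", "Allow" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts; keys mirror IAM's global condition keys.
OBJECT = "arn:aws:s3:::example-bucket/report.csv"
MFA_FROM_OFFICE = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": "true"}
NO_MFA_FROM_OFFICE = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": "false"}
LONG_TERM_KEY = {"aws:SourceIp": "203.0.113.25"}          # access key: MFA key not present
MFA_FROM_ELSEWHERE = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for name, ctx in [("mfa+office", MFA_FROM_OFFICE), ("no-mfa+office", NO_MFA_FROM_OFFICE),
                      ("long-term key", LONG_TERM_KEY), ("mfa+elsewhere", MFA_FROM_ELSEWHERE)]:
        print(f"{name:14} s3:GetObject -> {evaluate(POLICY, 's3:GetObject', OBJECT, ctx)}")
```

The long-term-key case is the one worth checking in your own policies: a `Bool` test on `aws:MultiFactorAuthPresent` would not apply to it at all, while `BoolIfExists` denies it, which is the behaviour this control asks for.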
IM-8 Restrict the exposure of credential and secrets:
When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secrets Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files.

Use CodeGuru Reviewer for static code analysis, which can detect secrets hard-coded in your source code.

If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.

Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.

Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by
connecting them to:
- Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the
applications for remote users while explicitly validating the trustworthiness of both remote users and devices with
Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer
similar functionality.
- Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and
block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.

Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited
session monitoring.
Implementation and additional context:
AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
AWS Single Sign-On: https://docs.aws.amazon.com/singlesignon/index.html
Security Best Practice in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
IAM Credential Report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
AWS IAM Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
Providing access to an AWS service: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
AWS Certificate Manager certificate pinning: https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
SSL certificate for backend authentication: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
AWS Single Sign-On: https://docs.aws.amazon.com/singlesignon/
AWS Cognito Single Sign-On, adding SAML identity providers: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
Using multi-factor authentication (MFA) in AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
IAM supported MFA form factors: https://aws.amazon.com/iam/features/mfa/
Policies and permissions in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Condition key table: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table
AWS IAM roles in EC2: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
AWS Secrets Manager integrated services: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html
CodeGuru Reviewer Secrets Detection: https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html
AWS Marketplace Application Proxy solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy
AWS Marketplace CASB solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=CASB
Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
ID / Control Domain / CIS Controls v7.1 ID(s) / CIS Controls v8 ID(s) / NIST SP800-53 r4 ID(s) / PCI-DSS v3.2.1 ID(s) / Recommendation

PA-1 (Privileged Access): Separate and limit highly privileged/administrative users
CIS Controls v7.1 ID(s): 4.3 - Ensure the Use of Dedicated Administrative Accounts; 14.6 - Protect Information Through Access Control Lists
CIS Controls v8 ID(s): 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts; 6.8 - Define and Maintain Role-Based Access Control
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

PA-2 (Privileged Access): Avoid standing access for user accounts and permissions
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): N/A
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT
PCI-DSS v3.2.1 ID(s): N/A

PA-3 (Privileged Access): Manage lifecycle of identities and entitlements
CIS Controls v7.1 ID(s): 16.7 - Establish Process for Revoking Access
CIS Controls v8 ID(s): 6.1 - Establish an Access Granting Process; 6.2 - Establish an Access Revoking Process
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-5: SEPARATION OF DUTIES; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

PA-4 (Privileged Access): Review and reconcile user access regularly
CIS Controls v7.1 ID(s): 4.1 - Maintain Inventory of Administrative Accounts; 16.6 - Maintain an Inventory of Accounts; 16.8 - Disable Any Unassociated Accounts; 16.9 - Disable Dormant Accounts
CIS Controls v8 ID(s): 5.1 - Establish and Maintain an Inventory of Accounts; 5.3 - Disable Dormant Accounts; 5.5 - Establish and Maintain an Inventory of Service Accounts
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1, A3.4

PA-5 (Privileged Access): Set up emergency access
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): N/A
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT
PCI-DSS v3.2.1 ID(s): N/A

PA-6 (Privileged Access): Use privileged access workstations / channel for administrative tasks
CIS Controls v7.1 ID(s): 4.6 - Use Dedicated Workstations For All Administrative Tasks; 11.6 - Use Dedicated Machines For All Network Administrative Tasks; 12.12 - Manage All Devices Remotely Logging into Internal Network
CIS Controls v8 ID(s): 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work; 13.5 - Manage Access Control for Remote Assets
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): N/A

PA-7 (Privileged Access): Follow just enough administration (least privilege) principle
CIS Controls v7.1 ID(s): 14.6 - Protect Information Through Access Control Lists
CIS Controls v8 ID(s): 3.3 - Configure Data Access Control Lists; 6.8 - Define and Maintain Role-Based Access Control
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2

PA-8 (Privileged Access): Determine access process for cloud provider support
CIS Controls v7.1 ID(s): 16.7 - Establish Process for Revoking Access
CIS Controls v8 ID(s): 6.1 - Establish an Access Granting Process; 6.2 - Establish an Access Revoking Process
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT
PCI-DSS v3.2.1 ID(s): N/A
Security Principle
PA-1: Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane.

PA-2: Instead of creating standing privileges, use a just-in-time (JIT) mechanism to assign privileged access to the different resource tiers.

PA-3: Use an automated process or technical control to manage the identity and access lifecycle, including request, review, approval, provisioning, and deprovisioning.

PA-4: Conduct regular reviews of privileged account entitlements. Ensure the access granted to the accounts is valid for administration of the control plane, management plane, and workloads.

PA-5: Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency.

Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required.

PA-6: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator.

PA-7: Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments.

PA-8: Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel.
Azure Guidance
PA-1: You must secure all roles with direct or indirect administrative access to Azure hosted resources.

Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.

Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level.
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles at the Azure AD level or resource level with certain privileged permissions assigned.

In addition, users with the following three roles in the Azure Enterprise Agreement (EA) portal should also be restricted, as they can be used to directly or indirectly manage Azure subscriptions.
- Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions.
- Enterprise Administrator: Users assigned this role can manage (EA) portal users.
- Department Administrator: Users assigned this role can change account owners within the department.

Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

PA-2: Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Restrict inbound traffic to your sensitive virtual machines' (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) VM access feature. This ensures privileged access to the VM is granted only when users need it.

PA-3: Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval.

Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures.

PA-4: Review all privileged accounts and the access entitlements in Azure, including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools.

Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for a certain amount of time.

In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured.

PA-5: To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with the Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons), to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized.

PA-6: Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

You may also use Azure Bastion, which is a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser.

PA-7: Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.

The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates.

Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.

PA-8: In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft.
Implementation and additional context
Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure
Azure PIM just-in-time access deployment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan
Understanding just-in-time (JIT) VM access: https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks
What are Azure AD access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
What is Azure AD entitlement management: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview
Overview of Permissions Management: https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview
Create an access review of Azure resource roles in Privileged Identity Management (PIM): https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Manage emergency access accounts in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access
Understand privileged access workstations: https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview
Privileged access workstations deployment: https://docs.microsoft.com/security/compass/privileged-access-deployment
What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure RBAC in Azure: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Azure AD Privileged Identity Management - Time-bound assignment:
Understand Customer Lockbox: https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview
AWS Guidance
PA-1: You must secure all roles with direct or indirect administrative access to AWS hosted resources.

The privileged/administrative users that need to be secured include:
- Root user: The root user is the highest-level privileged account in your AWS account. Root accounts should be highly restricted and only used in emergency situations. Refer to the emergency access controls in PA-5 (Set up emergency access).
- IAM identities (users, groups, roles) with a privileged permission policy: IAM identities assigned a permission policy such as AdministratorAccess can have full access to AWS services and resources.

If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD.

Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as AWS Cognito, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

PA-2: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access the resources through the AWS API. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences:
- Temporary security credentials have a short-term life, from minutes to hours.
- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.

PA-3: Use AWS Access Advisor to pull the access logs for the user accounts and entitlements for resources. Build a manual or automated workflow to integrate with AWS IAM to manage access assignments, reviews, and deletions.

Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements.

PA-4: Review all privileged accounts and the access entitlements in AWS, including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools.

Use IAM Access Advisor, Access Analyzer and Credential Reports to review resource access roles, group memberships, and access to enterprise applications. IAM Access Analyzer and Credential Report data can also help discover stale accounts, or accounts which have not been used for a certain amount of time.

If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access reviews to review the privileged accounts and access entitlements periodically.
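As an added example (not the benchmark's own tooling), the following Python reviews an IAM credential report for console users without MFA, stale passwords, overdue or unused access keys, and recent root sign-ins, which are the checks the stale-account and root-usage guidance above calls for. The report rows are constructed using a subset of the report's real column names, and the review date is an assumed constant.

```python
"""Added example (not from the benchmark): review an IAM credential report
for stale or risky credentials. The CSV below is constructed to follow the
conventions of the report IAM generates (GetCredentialReport): real column
names (a subset), "true"/"false" flags, ISO 8601 timestamps, and "N/A" or
"no_information" where the report has no date. The review date is assumed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed "as of" time; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
STALE_DAYS = 90          # a credential unused for longer than this is stale
KEY_ROTATION_DAYS = 90   # access keys older than this are overdue for rotation

REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,true,2024-05-20T07:30:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T10:00:00+00:00,true,2024-05-28T14:03:00+00:00,true,true,2024-03-15T09:00:00+00:00,2024-05-29T06:10:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T10:00:00+00:00,true,2023-09-02T11:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-07-19T08:00:00+00:00,false,no_information,false,true,2022-07-19T08:00:00+00:00,2024-05-30T01:00:00+00:00,false,N/A,N/A
"""


def parse_ts(value):
    """Return an aware datetime, or None where the report carries no date."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(ts, now):
    return (now - ts).days


def review_credential_report(csv_text, now=NOW):
    """Return findings as dicts with the user, an issue code, and an age in days."""
    findings = []

    def flag(user, issue, days=None):
        findings.append({"user": user, "issue": issue, "days": days})

    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                flag(user, "no_mfa")
            # A never-used password is aged from account creation.
            last = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
            if last:
                age = _days_since(last, now)
                if age > STALE_DAYS:
                    flag(user, "stale_password", age)
                # The root user is for break-glass use only, so any recent
                # sign-in should be reconciled against authorised emergencies.
                if user == "<root_account>" and age <= STALE_DAYS:
                    flag(user, "root_recent_use", age)
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and _days_since(rotated, now) > KEY_ROTATION_DAYS:
                flag(user, "key_rotation_overdue", _days_since(rotated, now))
            # A key that was never used is aged from its creation/rotation date.
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if last_used and _days_since(last_used, now) > STALE_DAYS:
                flag(user, "stale_key", _days_since(last_used, now))
    return findings


if __name__ == "__main__":
    for f in review_credential_report(REPORT_CSV):
        age = f" ({f['days']} days)" if f["days"] is not None else ""
        print(f"{f['user']}: {f['issue']}{age}")
```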

PA-5: AWS "root" accounts should not be used for regular administrative tasks. As the "root" account is highly privileged, it should not be assigned to specific individuals. Its use should be limited to emergency or "break glass" scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles.

You should also ensure that the credentials (such as password, MFA tokens and access keys) for root accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. MFA should be enabled for the root account, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons), to enhance the security of this process.

You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that root accounts are only used when authorized.

PA-6: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to the EC2 instance or a browser session to the AWS resources for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding.

You may also choose to deploy privileged access workstations (PAW) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

PA-7: Use AWS policies to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), Access Control Lists, and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to the users.

You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources.

PA-8: In support scenarios where AWS support teams need to access your data, create an account in the AWS Support portal to request support. Review the available options, such as providing read-only data access or the screen sharing option, for AWS support to access your data.
Implementation and additional context
AWS Best Practices for Root User: https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
IAM temporary credentials through AWS Security Token Service (AWS STS): https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
AWS Marketplace Identity and Access Management solutions: https://aws.amazon.com/marketplace/solutions/security/identity-access-management
IAM Access Analyzer: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Credential report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
Best practices to protect your account's root user: https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
AWS Systems Manager Session Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
IAM access policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
AWS ABAC: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
Access permissions for AWS Support: https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations (SecOps): https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Control mappings (ID, Control Domain, CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP800-53 r4 ID(s))

DP-1 | Data Protection
  CIS Controls v7.1: 13.1 - Maintain an Inventory of Sensitive Information; 14.5 - Utilize an Active Discovery Tool to Identify Sensitive Data
  CIS Controls v8: 3.2 - Establish and Maintain a Data Inventory; 3.7 - Establish and Maintain a Data Classification Scheme; 3.13 - Deploy a Data Loss Prevention Solution
  NIST SP800-53 r4: RA-2: SECURITY CATEGORIZATION; SC-28: PROTECTION OF INFORMATION AT REST

DP-2 | Data Protection
  CIS Controls v7.1: 13.3 - Monitor and Block Unauthorized Network Traffic; 14.7 - Enforce Access Control to Data through Automated Tools
  CIS Controls v8: 3.13 - Deploy a Data Loss Prevention Solution
  NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SI-4: INFORMATION SYSTEM MONITORING

DP-3 | Data Protection
  CIS Controls v7.1: 14.4 - Encrypt All Sensitive Information in Transit
  CIS Controls v8: 3.10 - Encrypt Sensitive Data In Transit
  NIST SP800-53 r4: SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY

DP-4 | Data Protection
  CIS Controls v7.1: 14.8 - Encrypt Sensitive Information at Rest
  CIS Controls v8: 3.11 - Encrypt Sensitive Data at Rest
  NIST SP800-53 r4: SC-28: PROTECTION OF INFORMATION AT REST

DP-5 | Data Protection
  CIS Controls v7.1: 14.8 - Encrypt Sensitive Information at Rest
  CIS Controls v8: 3.11 - Encrypt Sensitive Data at Rest
  NIST SP800-53 r4: SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-28: PROTECTION OF INFORMATION AT REST

DP-6 | Data Protection
  CIS Controls v7.1: N/A
  CIS Controls v8: N/A
  NIST SP800-53 r4: IA-5: AUTHENTICATOR MANAGEMENT; SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-28: PROTECTION OF INFORMATION AT REST

DP-7 | Data Protection
  CIS Controls v7.1: N/A
  CIS Controls v8: N/A
  NIST SP800-53 r4: IA-5: AUTHENTICATOR MANAGEMENT; SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES

DP-8 | Data Protection
  CIS Controls v7.1: N/A
  CIS Controls v8: N/A
  NIST SP800-53 r4: IA-5: AUTHENTICATOR MANAGEMENT; SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Recommendations and security principles (PCI-DSS v3.2.1 ID(s), Recommendation, Security Principle)

DP-1
  PCI-DSS v3.2.1: A3.2
  Recommendation: Discover, classify, and label sensitive data
  Security Principle: Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in-scope sensitive data.

DP-2
  PCI-DSS v3.2.1: A3.2
  Recommendation: Monitor anomalies and threats targeting sensitive data
  Security Principle: Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.

DP-3
  PCI-DSS v3.2.1: 3.5, 3.6, 4.1
  Recommendation: Encrypt sensitive data in transit
  Security Principle: Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.

DP-4
  PCI-DSS v3.2.1: 3.4, 3.5
  Recommendation: Enable data at rest encryption by default
  Security Principle: To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

DP-5
  PCI-DSS v3.2.1: 3.4, 3.5, 3.6
  Recommendation: Use customer-managed key option in data at rest encryption when required
  Security Principle: If required for regulatory compliance, define the use case and service scope where the customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed keys in those services.

DP-6
  PCI-DSS v3.2.1: 3.6
  Recommendation: Use a secure key management process
  Security Principle: Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. When there is a need to use customer-managed keys in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise.

DP-7
  PCI-DSS v3.2.1: 3.6
  Recommendation: Use a secure certificate management process
  Security Principle: Document and implement an enterprise certificate management standard, processes and procedures which include certificate lifecycle control and certificate policies (if a public key infrastructure is needed). Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in a timely manner using an automated mechanism to avoid service disruption.

DP-8
  PCI-DSS v3.2.1: 3.6
  Recommendation: Ensure security of key and certificate repository
  Security Principle: Ensure the security of the key vault service used for cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring, and backup to ensure keys and certificates are always protected using the maximum security.
Azure Guidance

DP-1: Use tools such as Microsoft Purview, which combines the former Azure Purview and Microsoft 365 compliance solutions, and Azure SQL Data Discovery and Classification to centrally scan, classify, and label the sensitive data that resides in Azure, on-premises, Microsoft 365, and other locations.

Use Azure Information Protection (AIP) to monitor the data that has been classified and labeled.

DP-2: Use Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfers of information that might indicate unauthorized transfers of sensitive data.

Note: If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls against data exfiltration.

DP-3: Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.

Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to your Azure resources use Transport Layer Security (TLS) v1.2 or later.

For remote management of Azure virtual machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps instead of the regular FTP service.

Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default, and some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side.

DP-4: Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer's behalf and automatically rotated every two years.

Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs at the storage level, file level, or database level.

DP-5: Azure also provides an encryption option using keys managed by yourself (customer-managed keys) for most services.

Azure Key Vault Standard, Premium, and Managed HSM are natively integrated with many Azure services for customer-managed key use cases. You may use Azure Key Vault to generate your keys or bring your own keys.

However, using the customer-managed key option requires additional operational effort to manage the key lifecycle, including key generation, rotation, revocation, and access control.

DP-6: Use Azure Key Vault to create and control your encryption key lifecycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. Require a certain cryptographic type and minimum key size when generating keys.

When there is a need to use a customer-managed key (CMK) in the workload services or applications, ensure you follow these best practices:
- Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault.
- Ensure keys are registered with Azure Key Vault and referenced via key IDs in each service or application.

To maximize key material lifetime and portability, bring your own key (BYOK) to the services (i.e., import HSM-protected keys from your on-premises HSMs into Azure Key Vault). Follow the recommended guideline to perform the key generation and key transfer.

Note: Refer to the list below for the FIPS 140-2 validation level of each Azure Key Vault type.
- Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1
- HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2
- HSM-protected keys in Managed HSM: FIPS 140-2 Level 3
Azure Key Vault Premium uses a shared HSM infrastructure in the backend. Azure Key Vault Managed HSM uses dedicated, confidential service endpoints with a dedicated HSM for when you need a higher level of key security.

DP-7: Use Azure Key Vault to create and control the certificate lifecycle, including the creation/import, rotation, revocation, storage, and purge of certificates. Ensure certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of certificates in Azure Key Vault and supported Azure services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in Azure Key Vault.

Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, you can create publicly signed certificates in Azure Key Vault. The following Certificate Authorities (CAs) are the partnered providers that are currently integrated with Azure Key Vault.
- DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert.
- GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign.

Note: Use only approved CAs and ensure that known bad root/intermediate certificates issued by these CAs are disabled.

DP-8: Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls:
- Implement access control using RBAC policies in Azure Key Vault Managed HSM at the key level to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. For Azure Key Vault Standard and Premium, create unique vaults for different applications to ensure the least privilege and separation of duties principles are followed.
- Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged.
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service.
- Use managed identity to access keys stored in Azure Key Vault in your workload applications.
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged.
- Back up your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. When keys need to be deleted, consider disabling keys instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data.
- For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys.
- Never store keys in plaintext format outside of Azure Key Vault. Keys in all key vault services are not exportable by default.
- Use HSM-backed key types (RSA-HSM) in Azure Key Vault Premium and Azure Managed HSM for hardware protection and the strongest FIPS levels.

Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.
Implementation and additional context:
Data classification overview: https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification
Labeling in the Microsoft Purview Data Map: https://docs.microsoft.com/azure/purview/create-sensitivity-label
Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection
How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification
Microsoft Purview data sources: https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources

Enable Azure Defender for SQL: https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql
Enable Azure Defender for Storage: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center
Enable Microsoft Defender for Azure Cosmos DB: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal
Enable Microsoft Defender for open-source relational databases and respond to alerts: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage

Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account

Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models

Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services
How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal
Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview

Azure data encryption at rest - Key Hierarchy: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy
BYOK (Bring Your Own Key) specification: https://docs.microsoft.com/azure/key-vault/keys/byok-specification

Get started with Key Vault certificates: https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios
Certificate Access Control in Azure Key Vault: https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control

Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview
Azure Key Vault security best practices: https://docs.microsoft.com/azure/key-vault/general/best-practices
Use managed identity to access Azure Key Vault: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
Overview of Microsoft Defender for Key Vault: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction
AWS Guidance

DP-1: Replicate your data from various sources to an S3 storage bucket and use AWS Macie to scan, classify and label the sensitive data stored in the bucket. AWS Macie can detect sensitive data such as security credentials, financial information, PHI and PII data, or other data patterns based on custom data identifier rules.

You may also use the Azure Purview multi-cloud scanning connector to scan, classify and label the sensitive data residing in an S3 storage bucket.

Note: You can also use third-party enterprise solutions from AWS Marketplace for data discovery, classification and labeling.

DP-2: Use AWS Macie to monitor the data that has been classified and labeled, and use GuardDuty to detect anomalous activities on some resources (S3, EC2, Kubernetes or IAM resources). Findings and alerts can be triaged, analyzed, and tracked using EventBridge and forwarded to Microsoft Sentinel or Security Hub for incident aggregation and tracking.

You may also connect your AWS accounts to Microsoft Defender for Cloud for compliance checks, container security, and endpoint security capabilities.

Note: If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution from AWS Marketplace.

DP-3: Enforce secure transfer in services such as Amazon S3, RDS and CloudFront, where a native data in transit encryption feature is built in.

Enforce HTTPS (such as in AWS Elastic Load Balancer) for workload web applications and services (on the server side, the client side, or both) by ensuring that any clients connecting to your AWS resources use TLS v1.2 or later.

For remote management of EC2 instances, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the AWS Transfer SFTP or FTPS service instead of a regular FTP service.

Note: All network traffic between AWS data centers is transparently encrypted at the physical layer. All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types. TLS v1.2 or later is enabled on most AWS services by default, and some services such as AWS Load Balancer can enforce TLS v1.2 or later on the server side.

DP-4: Many AWS services have data at rest encryption enabled by default at the infrastructure/platform layer using an AWS-managed customer master key. These AWS-managed customer master keys are generated on the customer's behalf and rotated automatically every three years.

Where technically feasible and not enabled by default, you can enable data at rest encryption in the AWS services, or in your VMs at the storage level, file level, or database level.

DP-5: AWS also provides an encryption option using keys managed by yourself (a customer-managed customer master key stored in AWS Key Management Service) for certain services.

AWS Key Management Service (KMS) is natively integrated with many AWS services for customer-managed customer master key use cases. You may either use KMS to generate your master keys or bring your own keys.

However, using the customer-managed key option requires additional operational effort to manage the key lifecycle, including key generation, rotation, revocation, and access control.

DP-6: Use AWS Key Management Service (KMS) to create and control your encryption key lifecycle, including key generation, distribution, and storage. Rotate and revoke your keys in KMS and your service based on the defined schedule and when there is a key retirement or compromise.

When there is a need to use a customer-managed customer master key in the workload services or applications, ensure you follow these best practices:
- Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in KMS.
- Ensure keys are registered with KMS and that access to them is implemented via IAM policies in each service or application.

To maximize key material lifetime and portability, bring your own key (BYOK) to the services (i.e., import HSM-protected keys from your on-premises HSMs into KMS or CloudHSM). Follow the recommended guideline to perform the key generation and key transfer.

Note: AWS KMS uses shared HSM infrastructure in the backend. Use an AWS KMS custom key store backed by AWS CloudHSM when you need to manage your own key store and dedicated HSMs (e.g., a regulatory compliance requirement for a higher level of key security) to generate and store your encryption keys.

Note: Refer to the list below for the FIPS 140-2 validation level of AWS KMS and CloudHSM.
- AWS KMS default: FIPS 140-2 Level 2 validated
- AWS KMS using CloudHSM: FIPS 140-2 Level 3 (for certain services) validated
- AWS CloudHSM: FIPS 140-2 Level 3 validated

Note: For secrets management (credentials, passwords, API keys, etc.), use AWS Secrets Manager.
DP-7: Use AWS Certificate Manager (ACM) to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of certificates. Ensure certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of certificates in ACM and supported AWS services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in ACM. In the meantime, always track your certificate renewal status to ensure certificate validity.

Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, create publicly signed certificates (signed by the Amazon Certificate Authority) in ACM and deploy them programmatically in services such as CloudFront, Load Balancers, API Gateway, etc. You can also use ACM to establish your private certificate authority (CA) to sign private certificates.

Note: Use only an approved CA and ensure that known bad root/intermediate certificates issued by these CAs are disabled.
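The DP-7 guidance for Azure Key Vault and for ACM lists the same certificate properties to reject (self-signed, wildcard, insufficient key size, overly long validity, insecure cryptography) and asks for renewal tracking. The following is an added example, not part of the benchmark and not Azure's or AWS's code: a policy checker over parsed X.509 certificates using Ruby's bundled OpenSSL, together with constructed test certificates (a private CA, a compliant CA-issued leaf, and a non-compliant self-signed wildcard leaf) so it runs offline. The thresholds MIN_RSA_BITS, MAX_VALIDITY_DAYS and RENEWAL_WARNING_DAYS are assumed policy values, not figures from the benchmark; the same check works on certificates exported from Key Vault or ACM.

```ruby
require 'openssl'

# Policy thresholds: assumed values for the example, not figures from the benchmark.
MIN_RSA_BITS = 2048
MAX_VALIDITY_DAYS = 398 # public TLS certificates are capped at 398 days
RENEWAL_WARNING_DAYS = 30
INSECURE_SIG_ALGS = %w[md5WithRSAEncryption sha1WithRSAEncryption ecdsa-with-SHA1].freeze

# Returns one finding per policy violation, or an empty array for a compliant
# certificate: self-signed, wildcard, insufficient key size, overly long validity,
# insecure signature hash, and renewal that is overdue or imminent.
def check_cert_policy(cert, now = Time.now)
  findings = []
  # A certificate whose signature verifies under its own public key is self-signed.
  findings << 'self-signed certificate' if cert.verify(cert.public_key)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }&.fetch(1)
  wildcard = ([cn] + san_dns_names(cert)).compact.find { |n| n.start_with?('*.') }
  findings << "wildcard name #{wildcard}" if wildcard
  key = cert.public_key
  if key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < MIN_RSA_BITS
    findings << "RSA key too small: #{key.n.num_bits} bits"
  end
  if cert.not_after - cert.not_before > MAX_VALIDITY_DAYS * 86_400
    findings << 'validity period exceeds policy maximum'
  end
  if INSECURE_SIG_ALGS.include?(cert.signature_algorithm)
    findings << "insecure signature algorithm #{cert.signature_algorithm}"
  end
  if now > cert.not_after
    findings << 'certificate expired'
  elsif cert.not_after - now < RENEWAL_WARNING_DAYS * 86_400
    findings << "renewal due: expires within #{RENEWAL_WARNING_DAYS} days"
  end
  findings
end

# DNS names from the subjectAltName extension, e.g. "DNS:a, DNS:*.b" -> ["a", "*.b"].
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext

  ext.value.split(',').map(&:strip).select { |v| v.start_with?('DNS:') }.map { |v| v.delete_prefix('DNS:') }
end

# Issues a certificate for the example (constructed test material, not real
# certificates). issuer is [cert, key] of the signing CA; nil means self-signed.
def issue_cert(cn:, dns:, days:, bits:, serial:, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', dns.map { |d| "DNS:#{d}" }.join(','))) unless dns.empty?
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# A compliant CA-issued leaf and a non-compliant self-signed wildcard leaf.
def sample_certs
  ca = issue_cert(cn: 'Example Private CA', dns: [], days: 5 * 365, bits: 2048, serial: 1, ca: true)
  good, = issue_cert(cn: 'api.example.test', dns: ['api.example.test'], days: 90, bits: 2048, serial: 2, issuer: ca)
  bad, = issue_cert(cn: '*.example.test', dns: ['*.example.test'], days: 5 * 365, bits: 1024, serial: 3)
  [good, bad]
end

if __FILE__ == $PROGRAM_NAME
  sample_certs.each { |c| puts "#{c.subject}: #{check_cert_policy(c).inspect}" }
end
```

Run it on a real inventory by replacing sample_certs with certificates loaded via OpenSSL::X509::Certificate.new(File.read(path)); the "renewal due" finding is the hook for the renewal tracking both guidance texts ask for.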
DP-8: For cryptographic key security, harden your AWS Key Management Service (KMS) through the following controls:
- Implement access control using key policies (key-level access control) in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa.
- Use detective controls such as CloudTrail to log and track the usage of keys in KMS and alert you on critical actions.
- Never store keys in plaintext format outside of KMS.
- When keys need to be deleted, consider disabling keys in KMS instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data.
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged.
- For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys.

For certificate security, harden your AWS Certificate Manager (ACM) service through the following controls:
- Implement access control using resource-level policies in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for user accounts: user accounts that generate certificates are separate from the user accounts that only require read-only access to certificates.
- Use detective controls such as CloudTrail to log and track the usage of the certificates in ACM, and alert you on critical actions.
- Follow the KMS security guidance to secure the private key (generated for the certificate request) used for service certificate integration.
Implementation and additional context:
Data Classification Process: https://docs.aws.amazon.com/whitepapers/latest/data-classification/data-classification-process.html
AWS Marketplace - DLP Solution: https://aws.amazon.com/marketplace/search/results?searchTerms=DLP

GuardDuty S3 finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html
Amazon S3 protection in Amazon GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html

TLS security policies in Elastic Load Balancer: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls-security-policies
AWS Transfer SFTP and FTPS: https://aws.amazon.com/aws-transfer-family/getting-started/?pg=ln&cp=bn

AWS Protecting Data at Rest: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html

AWS Services Integrated with AWS KMS: https://aws.amazon.com/kms/features/
AWS-managed and Customer-managed CMKs: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt

AWS-managed and Customer-managed CMKs (KMS best practices): https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html
Importing key material in AWS KMS keys: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
Secure transfer of keys into CloudHSM: https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-import-keys-openssl/
Creating a custom key store backed by CloudHSM: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html

AWS Certificate Manager - Check a certificate's renewal status: https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html

Security best practices for AWS Key Management Service: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html
Security in AWS Certificate Manager: https://docs.aws.amazon.com/acm/latest/userguide/security.html
Customer Security Stakeholders:
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security

Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security

Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security

Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security

Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-


framework/organize/cloud-security-identity-keys

Security architecture:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-
architecture

Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-


framework/organize/cloud-security-application-security-devsecops

Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/


cloud-security-data-security
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-
framework/organize/cloud-security-identity-keys

Security architecture:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-
architecture

Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-


framework/organize/cloud-security-application-security-devsecops

Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/


cloud-security-data-security
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-
framework/organize/cloud-security-identity-keys

Security architecture:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-
architecture

Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-


framework/organize/cloud-security-application-security-devsecops

Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/


cloud-security-data-security
ID | Control Domain | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s)

AM-1 | Asset Management
  CIS Controls v7.1: 1.1 - Utilize an Active Discovery Tool; 1.2 - Use a Passive Asset Discovery Tool; 1.4 - Maintain Detailed Asset Inventory; 1.5 - Maintain Asset Inventory Information; 2.1 - Maintain Inventory of Authorized Software
  CIS Controls v8: 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory; 1.5 - Use a Passive Asset Discovery Tool; 2.1 - Establish and Maintain a Software Inventory; 2.4 - Utilize Automated Software Inventory Tools

AM-2 | Asset Management
  CIS Controls v7.1: 2.7 - Utilize Application Whitelisting; 2.8 - Implement Application Whitelisting of Libraries; 2.9 - Implement Application Whitelisting of Scripts; 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running
  CIS Controls v8: 2.5 - Allowlist Authorized Software; 2.6 - Allowlist Authorized Libraries; 2.7 - Allowlist Authorized Scripts; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

AM-3 | Asset Management
  CIS Controls v7.1: 1.4 - Maintain Detailed Asset Inventory; 1.5 - Maintain Asset Inventory Information; 2.1 - Maintain Inventory of Authorized Software; 2.4 - Track Software Inventory Information
  CIS Controls v8: 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory; 2.1 - Establish and Maintain a Software Inventory

AM-4 | Asset Management
  CIS Controls v7.1: 14.6 - Protect Information Through Access Control Lists
  CIS Controls v8: 3.3 - Configure Data Access Control Lists

AM-5 | Asset Management
  CIS Controls v7.1: 2.7 - Utilize Application Whitelisting; 2.8 - Implement Application Whitelisting of Libraries; 2.9 - Implement Application Whitelisting of Scripts; 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running
  CIS Controls v8: 2.5 - Allowlist Authorized Software; 2.6 - Allowlist Authorized Libraries; 2.7 - Allowlist Authorized Scripts; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) | Recommendation

AM-1
  NIST SP800-53 r4: CM-8: INFORMATION SYSTEM COMPONENT INVENTORY; PM-5: INFORMATION SYSTEM INVENTORY
  PCI-DSS v3.2.1: 2.4
  Recommendation: Track asset inventory and their risks

AM-2
  NIST SP800-53 r4: CM-8: INFORMATION SYSTEM COMPONENT INVENTORY; PM-5: INFORMATION SYSTEM INVENTORY
  PCI-DSS v3.2.1: 6.3
  Recommendation: Use only approved services

AM-3
  NIST SP800-53 r4: CM-8: INFORMATION SYSTEM COMPONENT INVENTORY; CM-7: LEAST FUNCTIONALITY
  PCI-DSS v3.2.1: 2.4
  Recommendation: Ensure security of asset lifecycle management

AM-4
  NIST SP800-53 r4: AC-3: ACCESS ENFORCEMENT
  PCI-DSS v3.2.1: N/A
  Recommendation: Limit access to asset management

AM-5
  NIST SP800-53 r4: CM-8: INFORMATION SYSTEM COMPONENT INVENTORY; CM-7: LEAST FUNCTIONALITY; CM-10: SOFTWARE USAGE RESTRICTIONS; CM-11: USER-INSTALLED SOFTWARE
  PCI-DSS v3.2.1: 6.3
  Recommendation: Use only approved applications in virtual machine
Security Principle

AM-1: Track your asset inventory by query and discover all your cloud
resources. Logically organize your assets by tagging and grouping your
assets based on their service nature, location, or other characteristics.
Ensure your security organization has access to a continuously updated
inventory of assets.

Ensure your security organization can monitor the risks of the cloud
assets by always having security insights and risks aggregated centrally.

AM-2: Ensure that only approved cloud services can be used, by auditing and
restricting which services users can provision in the environment.

AM-3: Ensure security attributes or configurations of the assets are always
updated during the asset lifecycle.

AM-4: Limit users' access to asset management features, to avoid accidental or
malicious modification of the assets in your cloud.

AM-5: Ensure that only authorized software executes by creating an allow list
and blocking unauthorized software from executing in your environment.
Azure Guidance

AM-1: The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for
and discover all resources in your subscriptions, including Azure services, applications, and
network resources. Logically organize assets according to your organization's taxonomy
using tags as well as other metadata in Azure (Name, Description, and Category).

Ensure that security organizations have access to a continuously updated inventory of assets
on Azure. Security teams often need this inventory to evaluate their organization's potential
exposure to emerging risks, and as an input for continuous security improvements.

Ensure security organizations are granted Security Reader permissions in your Azure tenant
and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Security Reader permissions can be applied broadly to an entire tenant (Root Management
Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

AM-2: Use Azure Policy to audit and restrict which services users can provision in your
environment. Use Azure Resource Graph to query for and discover resources within your
subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a
non-approved service is detected.

AM-3: Establish or update security policies and processes that address asset lifecycle management
for potentially high-impact modifications. These modifications include changes to
identity providers and access, data sensitivity level, network configuration, and
administrative privilege assignment.

Identify and remove Azure resources when they are no longer needed.

AM-4: Azure Resource Manager is the deployment and management service for Azure. It provides a
management layer that enables you to create, update, and delete resources (assets) in
Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource
Manager by configuring "Block access" for the "Microsoft Azure Management" App.

Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control
their permissions and access to Azure resources. For example, a user with only the 'Reader'
Azure RBAC role can view all resources, but is not allowed to make any changes.

Use Resource Locks to prevent either deletions or modifications to resources. Resource
Locks may also be administered through Azure Blueprints.

AM-5: Use Microsoft Defender for Cloud adaptive application controls to discover and generate an
application allow list. You can also use the same adaptive application controls to ensure that only
authorized software can execute, and that all unauthorized software is blocked from executing
on Azure Virtual Machines.

Use Azure Automation Change Tracking and Inventory to automate the collection of
inventory information from your Windows and Linux VMs. Software name, version,
publisher, and refresh time information are available from the Azure portal. To get the
software installation date and other information, enable guest-level diagnostics and direct
the Windows Event Logs to a Log Analytics workspace.

Depending on the type of scripts, you can use operating system-specific configurations or
third-party resources to limit users' ability to execute scripts in Azure compute resources.

You can also use a third-party solution to discover and identify unapproved software.
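The AM-1 and AM-2 guidance above relies on three pieces working together: a Resource Graph query to enumerate assets, tags to organize them, and Azure Policy to restrict which resource types may be provisioned. The script below is an added example, not code from the benchmark or from Microsoft: it previews what Azure-Policy-style rules would flag against an inventory export before a deny effect is assigned. The rule dictionaries mirror the shape of a policy definition (`field`, `in`/`notIn`/`equals`/`exists`, `allOf`/`anyOf`/`not`, `then.effect`), the inventory rows are constructed to match the `Resources | project id, name, type, location, tags` query, and the allowed-type list and the required `owner`/`env` tags are assumptions. Assigning the real definitions through Azure Policy remains the enforcement mechanism; this only measures impact.

```python
"""Preview Azure Policy style rules against a Resource Graph inventory export.

Added example (not part of the benchmark or of Azure Policy): the rule
dictionaries follow the shape of an Azure Policy definition, the inventory rows
are constructed to look like rows returned by RESOURCE_GRAPH_QUERY, and the
allowed-type list and required tags are assumptions for the demonstration.
"""
from __future__ import annotations

import re

# Query to run in Resource Graph Explorer to obtain rows of this shape.
RESOURCE_GRAPH_QUERY = "Resources | project id, name, type, location, tags"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/"

# Constructed inventory rows; `type` is lower-cased as Resource Graph returns it.
SAMPLE_INVENTORY = [
    {"id": SUB + "Microsoft.Compute/virtualMachines/vm-web01", "name": "vm-web01",
     "type": "microsoft.compute/virtualmachines", "location": "westeurope",
     "tags": {"owner": "app-team", "env": "prod"}},
    {"id": SUB + "Microsoft.Storage/storageAccounts/stlogs01", "name": "stlogs01",
     "type": "microsoft.storage/storageaccounts", "location": "westeurope",
     "tags": {"env": "prod"}},
    {"id": SUB + "Microsoft.HDInsight/clusters/hdi-adhoc", "name": "hdi-adhoc",
     "type": "microsoft.hdinsight/clusters", "location": "eastus", "tags": {}},
]

# AM-2: approved service list (assumed). Same shape as the built-in "Allowed
# resource types" definition: deny anything whose type is not in the list.
ALLOWED_TYPES = [
    "Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts",
    "Microsoft.Network/virtualNetworks", "Microsoft.KeyVault/vaults",
]
ALLOWED_RESOURCE_TYPES_RULE = {
    "if": {"field": "type", "notIn": ALLOWED_TYPES},
    "then": {"effect": "deny"},
}

# AM-1: every asset must carry the tags the taxonomy requires (assumed: owner
# and env); audit rather than deny so that existing assets surface in findings.
REQUIRED_TAGS_RULE = {
    "if": {"anyOf": [
        {"field": "tags['owner']", "exists": "false"},
        {"field": "tags['env']", "exists": "false"},
    ]},
    "then": {"effect": "audit"},
}
RULES = [ALLOWED_RESOURCE_TYPES_RULE, REQUIRED_TAGS_RULE]

_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def _field_value(resource: dict, field: str):
    """Resolve a policy field reference: a top-level property or tags['name']."""
    match = _TAG_FIELD.match(field)
    if match:
        return (resource.get("tags") or {}).get(match.group(1))
    return resource.get(field)


def _norm(value):
    # Azure Policy compares string fields such as `type` case-insensitively.
    return value.lower() if isinstance(value, str) else value


def matches(resource: dict, cond: dict) -> bool:
    """Return True when the policy condition holds for the resource."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return _norm(value) not in {_norm(v) for v in cond["notIn"]}
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resources: list[dict], rules: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant resource name to the effects its violations trigger."""
    findings: dict[str, list[str]] = {}
    for resource in resources:
        for rule in rules:
            if matches(resource, rule["if"]):
                findings.setdefault(resource["name"], []).append(rule["then"]["effect"])
    return findings


if __name__ == "__main__":
    for name, effects in evaluate(SAMPLE_INVENTORY, RULES).items():
        print(f"{name}: {', '.join(effects)}")
```

On the constructed inventory the storage account is audited for its missing `owner` tag and the HDInsight cluster is both denied (type not approved) and audited (no tags); the VM is compliant. Replace `SAMPLE_INVENTORY` with the rows the query returns from your own subscriptions to see what a deny assignment would block.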
Implementation and additional context

How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal

Microsoft Defender for Cloud asset inventory management:
https://docs.microsoft.com/azure/security-center/asset-inventory

For more information about tagging assets, see the resource naming and tagging decision guide:
https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json

Overview of Security Reader Role:
https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader

Configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types

How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal

Delete Azure resource group and resource:
https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group

How to configure Conditional Access to block access to Azure Resource Manager:
https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management

Lock your resources to protect your infrastructure:
https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json

Protect new resources with Azure Blueprints resource locks:
https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources

How to use Microsoft Defender for Cloud adaptive application controls:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-application

Understand Azure Automation Change Tracking and Inventory:
https://docs.microsoft.com/azure/automation/change-tracking

How to control PowerShell script execution in Windows environments:
https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
AWS Guidance

AM-1: Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including
application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource
inventories.

Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name,
Description, and Category).

Ensure that security organizations have access to a continuously updated inventory of assets on AWS. Security teams often need
this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security
improvements.

Note: Additional permissions might be required to get visibility into workloads and services.

AM-2: Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to
query for and discover resources within your accounts. You can also use CloudWatch and/or AWS Config to create rules that
trigger alerts when a non-approved service is detected.

AM-3: Establish or update security policies and processes that address asset lifecycle management for potentially high-impact
modifications. These modifications include changes to identity providers and access, data sensitivity level, network
configuration, and administrative privilege assignment.

Identify and remove AWS resources when they are no longer needed.

AM-4: Use AWS IAM to restrict access to a specific resource. You can specify allowed or denied actions as well as the conditions under
which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based
policies, tag-based authorization, temporary credentials, or service-linked roles to have fine-grained access control over
your resources.

AM-5: Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config
rules to ensure that non-authorized software is blocked from executing on EC2 instances.

You can also use a third-party solution to discover and identify unapproved software.
Implementation and additional context

AWS Systems Manager Inventory:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html

AWS Resource Groups and Tags:
https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html

AWS Resource Groups:
https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html

How do I check for active resources that I no longer need on my AWS account?
https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/

How do I terminate active resources that I no longer need on my AWS account?
https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/

AWS services that work with IAM:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

Preventing blacklisted applications with AWS Systems Manager and AWS Config:
https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/
Customer Security Stakeholders:

Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
ID | Control Domain | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP800-53 r4 ID(s)

LT-1 | Logging and threat detection
  CIS Controls v7.1: 6.7 - Regularly Review Logs
  CIS Controls v8: 8.11 - Conduct Audit Log Reviews
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

LT-2 | Logging and threat detection
  CIS Controls v7.1: 4.9 - Log and Alert on Unsuccessful Administrative Account Login; 6.7 - Regularly Review Logs; 16.13 - Alert on Account Login Behavior Deviation
  CIS Controls v8: 8.11 - Conduct Audit Log Reviews
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

LT-3 | Logging and threat detection
  CIS Controls v7.1: 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 8.8 - Enable Command-Line Audit Logging
  CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.12 - Collect Service Provider Logs
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

LT-4 | Logging and threat detection
  CIS Controls v7.1: 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 7.6 - Log All URL Requests; 8.7 - Enable DNS Query Logging; 12.8 - Deploy NetFlow Collection on Networking Boundary Devices
  CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.6 - Collect DNS Query Audit Logs; 8.7 - Collect URL Request Audit Logs; 13.6 - Collect Network Traffic Flow Logs
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

LT-5 | Logging and threat detection
  CIS Controls v7.1: 6.5 - Central Log Management; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 8.6 - Centralize Anti-Malware Logging
  CIS Controls v8: 8.9 - Centralize Audit Logs; 8.11 - Conduct Audit Log Reviews; 13.1 - Centralize Security Event Alerting
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

LT-6 | Logging and threat detection
  CIS Controls v7.1: 6.4 - Ensure Adequate Storage for Logs
  CIS Controls v8: 8.3 - Ensure Adequate Audit Log Storage; 8.10 - Retain Audit Logs
  NIST SP800-53 r4: AU-11: AUDIT RECORD RETENTION

LT-7 | Logging and threat detection
  CIS Controls v7.1: 6.1 - Utilize Three Synchronized Time Sources
  CIS Controls v8: 8.4 - Standardize Time Synchronization
  NIST SP800-53 r4: AU-8: TIME STAMPS
PCI-DSS v3.2.1 ID(s) | Recommendation | Security Principle

LT-1
  Recommendation: Enable threat detection capabilities
  Security Principle: To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives.

LT-2
  PCI-DSS v3.2.1: 10.6; 10.8; A3.5
  Recommendation: Enable threat detection for identity and access management
  Security Principle: Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as an excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted on.

LT-3
  PCI-DSS v3.2.1: 10.1; 10.2; 10.3
  Recommendation: Enable logging for security investigation
  Security Principle: Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes.

LT-4
  PCI-DSS v3.2.1: 10.8
  Recommendation: Enable network logging for security investigation
  Security Principle: Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewall, DNS, flow monitoring and so on.

LT-5
  PCI-DSS v3.2.1: N/A
  Recommendation: Centralize security log management and analysis
  Security Principle: Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. Use a cloud-native SIEM if you don't have an existing SIEM solution for CSPs, or aggregate logs/alerts into your existing SIEM.

LT-6
  PCI-DSS v3.2.1: 10.5; 10.7
  Recommendation: Configure log storage retention
  Security Principle: Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately.

LT-7
  PCI-DSS v3.2.1: 10.4
  Recommendation: Use approved time synchronization sources
  Security Principle: Use approved time synchronization sources for your logging time stamps, which include date, time and time zone information.
Azure Guidance

LT-1: Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services.

For threat detection not included in Microsoft Defender services, refer to the Microsoft Cloud Security
Benchmark service baselines for the respective services to enable the threat detection or security alert
capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud, Microsoft 365
Defender, and log data from other resources into your Azure Monitor or Microsoft Sentinel instances to
build analytics rules that hunt for and detect threats and create alerts matching specific criteria across your
environment.

For Operational Technology (OT) environments that include computers that control or monitor Industrial
Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft
Defender for IoT to inventory assets and detect threats and vulnerabilities.

For services that do not have a native threat detection capability, consider collecting the data plane logs
and analyzing them for threats through Microsoft Sentinel.

LT-2: Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure
Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and
analytics use cases:
- Sign-ins: The sign-ins report provides information about the usage of managed applications and user
sign-in activities.
- Audit logs: Provides traceability through logs for all changes done by various features within Azure AD.
Examples of audit logs include changes made to any resources within Azure AD like adding or removing
users, apps, groups, roles and policies.
- Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account.
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised.

Azure AD also provides an Identity Protection module to detect and remediate risks related to user
accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-ins from anonymous or
malware-linked IP addresses, and password spray. The policies in Azure AD Identity Protection allow you to
enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts.

In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the
subscription and suspicious activities such as an excessive number of failed authentication attempts. In
addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection
module can also collect more in-depth security alerts from individual Azure compute resources (such as
virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service
layers. This capability allows you to see account anomalies inside the individual resources.

Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft
Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect,
and investigate advanced threats, compromised identities, and malicious insider actions directed at your
organization.
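LT-2 asks for alerts on an excessive number of failed sign-ins and on patterns such as password spray. The detector below is an added example, not code from the benchmark or from Microsoft Sentinel: it runs over constructed rows in the shape of the `SigninLogs` table as exported to Log Analytics (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`, where `"0"` is a successful sign-in and any other value a failure), and the ten-minute window and thresholds of five are assumptions to tune for your tenant. It distinguishes the two patterns by what repeats inside the window: one account failing many times (brute force), or one source address failing once against many accounts (spray), which a per-user count alone would miss. The KQL string in the block shows the per-user rule in the tumbling-bin form you would paste into a Sentinel analytics rule; the Python uses a sliding window so a burst that straddles two bins is still caught.

```python
"""Flag failed-sign-in bursts and password-spray sources in Azure AD sign-in logs.

Added example, not part of the benchmark: rows are constructed in the shape of
the SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, ResultType),
where ResultType "0" is success and any other value is a failure. Window and
thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAILURES_PER_USER = 5   # one account, this many failures inside WINDOW
USERS_PER_SOURCE = 5    # one address, failures against this many accounts inside WINDOW

# Illustrative Sentinel analytics rule for the per-user case (10-minute tumbling
# bins rather than the sliding window used below).
KQL_EQUIVALENT = """
SigninLogs
| where ResultType != "0"
| summarize FailedCount = count() by UserPrincipalName, bin(TimeGenerated, 10m)
| where FailedCount >= 5
"""


def _row(t: str, user: str, ip: str, result: str) -> dict:
    return {"TimeGenerated": t, "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}


# Constructed log rows (50126 = invalid username or password).
SAMPLE_SIGNIN_LOGS = (
    # alice: six failures in five minutes from one address, then a success
    [_row(f"2024-01-15T08:0{i}:00Z", "alice@example.com", "203.0.113.10", "50126") for i in range(6)]
    + [_row("2024-01-15T08:06:00Z", "alice@example.com", "203.0.113.10", "0")]
    # bob: a single typo followed by success (benign)
    + [_row("2024-01-15T08:30:00Z", "bob@example.com", "203.0.113.55", "50126"),
       _row("2024-01-15T08:31:00Z", "bob@example.com", "203.0.113.55", "0")]
    # one address failing once against five different accounts (spray pattern)
    + [_row(f"2024-01-15T09:0{i}:00Z", f"{u}@example.com", "198.51.100.7", "50126")
       for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])]
)


def _failures(rows: list[dict]) -> list[tuple[datetime, str, str]]:
    """Failed sign-ins as (time, user, ip), oldest first."""
    out = []
    for r in rows:
        if r["ResultType"] != "0":
            t = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
            out.append((t, r["UserPrincipalName"], r["IPAddress"]))
    return sorted(out)


def failed_login_bursts(rows: list[dict], threshold: int = FAILURES_PER_USER,
                        window: timedelta = WINDOW) -> list[str]:
    """Accounts that accumulate `threshold` failures within any sliding `window`."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged = set()
    for t, user, _ip in _failures(rows):
        q = recent[user]
        q.append(t)
        while t - q[0] > window:          # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return sorted(flagged)


def password_spray_sources(rows: list[dict], threshold: int = USERS_PER_SOURCE,
                           window: timedelta = WINDOW) -> list[str]:
    """Source addresses that fail against `threshold` distinct accounts within `window`."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged = set()
    for t, user, ip in _failures(rows):
        q = recent[ip]
        q.append((t, user))
        while t - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= threshold:   # distinct accounts, not raw attempts
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_SIGNIN_LOGS))
    print("password-spray sources:", password_spray_sources(SAMPLE_SIGNIN_LOGS))
```

On the constructed rows the per-user detector flags only alice, and the spray detector flags only 198.51.100.7; bob's single typo trips neither. Note that the spray source never exceeds one failure per account, which is exactly why the per-user rule alone is insufficient for LT-2.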
LT-3: Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating
systems and applications inside your VMs, and other log types.

Be mindful about different types of logs for security, audit, and other operational logs at the
management/control plane and data plane tiers. There are three types of logs available on the Azure
platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane).
For example, getting a secret from a key vault or making a request to a database. The content of resource
logs varies by the Azure service and resource type.
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the
outside (the management plane). You can use the Activity Log to determine what, who, and when for any
write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity
log for each Azure subscription.
- Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the
Azure Active Directory for a particular tenant.

You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data
collection on Azure resources.

LT-4: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and
Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection
agent for security analysis to support incident investigations and security alert generation. You can send
the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide
insights.

Collect DNS query logs to assist in correlating other network data.
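LT-4 says to collect NSG flow logs and analyze them for incident investigation and alerting. The parser below is an added example, not code from the benchmark or from Microsoft's Traffic Analytics: it reads a flow log document in the documented JSON layout, splits each `flowTuples` string into its fields (unix time, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D and, for version 2, flow state B/C/E plus packets and bytes in each direction), and summarizes denied inbound flows per source address and bytes sent per destination. The JSON document, addresses, rule names and NSG name are constructed for the example. It handles both the version 1 (8-field) and version 2 (13-field) tuple layouts and the empty counters of a version 2 "B" (flow begin) record.

```python
"""Parse NSG flow log records and summarize denied inbound traffic.

Added example, not part of the benchmark: the JSON is constructed in the shape
of a network security group flow log; addresses and names are made up.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2023-11-14T22:13:20.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-APP/"
                  "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1700000000,198.51.100.23,10.5.16.4,51234,3389,T,I,D,B,,,,",
            "1700000010,198.51.100.23,10.5.16.4,51235,3389,T,I,D,B,,,,",
            "1700000020,198.51.100.23,10.5.16.4,51236,3389,T,I,D,B,,,,",
            "1700000030,203.0.113.77,10.5.16.4,40000,22,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_allow-https-out", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1700000005,10.5.16.4,192.0.2.10,44931,443,T,O,A,B,,,,",
            "1700000065,10.5.16.4,192.0.2.10,44931,443,T,O,A,E,12,4096,10,20480",
        ]}]},
    ]},
}]})


@dataclass(frozen=True)
class Flow:
    time: datetime
    nsg: str
    rule: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "T" (TCP) or "U" (UDP)
    direction: str         # "I" inbound / "O" outbound
    decision: str          # "A" allowed / "D" denied
    state: str | None      # version 2 only: "B" begin, "C" continuing, "E" end
    bytes_src_to_dst: int
    bytes_dst_to_src: int


def _parse_tuple(nsg: str, rule: str, version: int, tup: str) -> Flow:
    fields = tup.split(",")
    expected = 13 if version == 2 else 8
    if len(fields) != expected:
        raise ValueError(f"flow tuple has {len(fields)} fields, expected {expected}: {tup!r}")
    # Byte counters exist only in version 2 and are empty in "B" records.
    bytes_s2d = int(fields[10]) if version == 2 and fields[10] else 0
    bytes_d2s = int(fields[12]) if version == 2 and fields[12] else 0
    return Flow(
        time=datetime.fromtimestamp(int(fields[0]), tz=timezone.utc), nsg=nsg, rule=rule,
        src_ip=fields[1], dst_ip=fields[2], src_port=int(fields[3]), dst_port=int(fields[4]),
        protocol=fields[5], direction=fields[6], decision=fields[7],
        state=fields[8] if version == 2 else None,
        bytes_src_to_dst=bytes_s2d, bytes_dst_to_src=bytes_d2s,
    )


def parse_flow_log(text: str) -> list[Flow]:
    """Flatten every flow tuple in a flow log document into Flow objects."""
    flows: list[Flow] = []
    for record in json.loads(text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    flows.append(_parse_tuple(nsg, rule_block["rule"], version, tup))
    return flows


def denied_inbound_by_source(flows: list[Flow]) -> dict[str, int]:
    """Count denied inbound flows per source address (what reached the NSG and bounced)."""
    return dict(Counter(f.src_ip for f in flows if f.direction == "I" and f.decision == "D"))


def bytes_sent_by_destination(flows: list[Flow]) -> dict[str, int]:
    """Sum bytes the VM sent to each destination over allowed outbound flows."""
    totals: Counter = Counter()
    for f in flows:
        if f.direction == "O" and f.decision == "A":
            totals[f.dst_ip] += f.bytes_src_to_dst
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    print("denied inbound by source:", denied_inbound_by_source(parsed))
    print("bytes sent by destination:", bytes_sent_by_destination(parsed))
```

Summing `bytes_src_to_dst` across "C" and "E" records gives a flow's total, because each version 2 record carries the counters since the previous report; the "B" record contributes zero. The denied-inbound summary is the view an investigator wants first: which addresses are probing the VM and on which ports.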


LT-5: Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure
Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure
services, endpoint devices, network resources, and other security systems.

In addition, enable and onboard data to Microsoft Sentinel, which provides security information and event
management (SIEM) and security orchestration, automation and response (SOAR) capabilities.

LT-6: Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic
setting and route the logs to another location (such as an Azure Monitor Log Analytics workspace, Event Hubs
or Azure Storage) based on your needs. This strategy also applies to other resource logs and resources
managed by yourself, such as logs in the operating systems and applications inside VMs.

You have the following log retention options:
- Use an Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your
response team requirements.
- Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year
and to meet your security compliance requirements.
- Use Azure Event Hubs to forward logs to an external resource outside of Azure.

Note: Microsoft Sentinel uses a Log Analytics workspace as its backend for log storage. You should consider
a long-term storage strategy if you plan to retain SIEM logs for a longer time.

LT-7: Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources'
operating systems, use a Microsoft default NTP server for time synchronization unless you have a specific
requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the
UDP service port 123.

All logs generated by resources within Azure provide time stamps with the time zone specified by default.
Implementation and additional context
Introduction to Microsoft Defender for Cloud:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction

Microsoft Defender for Cloud security alerts reference guide:
https://docs.microsoft.com/azure/security-center/alerts-reference

Create custom analytics rules to detect threats:
https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom

Threat indicators for cyber threat intelligence in Microsoft Sentinel:
https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence

Audit activity reports in Azure AD:
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs

Enable Azure Identity Protection:
https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection

Threat protection in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/threat-protection

Overview of Microsoft Defender for Identity:
https://learn.microsoft.com/defender-for-identity/what-is

Understand logging and different log types in Azure:
https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview

Understand Microsoft Defender for Cloud data collection:
https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection

Enable and configure antimalware monitoring:
https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets

Operating system and application logs inside your compute resources:
https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest

How to enable network security group flow logs:
https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal

Azure Firewall logs and metrics:
https://docs.microsoft.com/azure/firewall/logs-and-metrics

Azure networking monitoring solutions in Azure Monitor:
https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics

Gather insights about your DNS infrastructure with the DNS Analytics solution:
https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics

How to collect platform logs and metrics with Azure Monitor:
https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings

How to onboard Azure Sentinel:
https://docs.microsoft.com/azure/sentinel/quickstart-onboard

Change the data retention period in Log Analytics:
https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

How to configure retention policy for Azure Storage account logs:
https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging

Microsoft Defender for Cloud alerts and recommendations export:
https://docs.microsoft.com/azure/security-center/continuous-export

How to configure time synchronization for Azure Windows compute resources:
https://docs.microsoft.com/azure/virtual-machines/windows/time-sync

How to configure time synchronization for Azure Linux compute resources:
https://docs.microsoft.com/azure/virtual-machines/linux/time-sync

How to disable inbound UDP for Azure services:
https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services
AWS Guidance
Use Amazon GuardDuty for threat detection; it analyzes and processes the following data sources: VPC Flow Logs, AWS
CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty can report
on security issues such as privilege escalation, use of exposed credentials, or communication with malicious IP
addresses or domains.

Configure AWS Config to check rules in SecurityHub for compliance monitoring such as configuration drift, and create findings
when needed.

For threat detection not included in GuardDuty and SecurityHub, enable the threat detection or security alert capabilities within the
supported AWS services. Send the alerts to CloudTrail, CloudWatch, or Microsoft Sentinel to build analytics rules that
hunt for threats matching specific criteria across your environment.

You can also use Microsoft Defender for Cloud to monitor certain services in AWS such as EC2 instances.

For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS)
or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect
threats and vulnerabilities.

AWS IAM provides the following logs and reports for console user activities through IAM Access Advisor and the IAM
credential report:
- Every successful sign-in and unsuccessful login attempt.
- Multi-factor authentication (MFA) status for each user.
- Dormant IAM users.

For API-level access monitoring and threat detection, use Amazon GuardDuty to identify findings related to IAM.
Examples of these findings include:
- An API used to gain access to an AWS environment was invoked in an anomalous way, or was used to evade defensive
measures.
- An API used to:
a) discover resources was invoked in an anomalous way.
b) collect data from an AWS environment was invoked in an anomalous way.
c) tamper with data or processes in an AWS environment was invoked in an anomalous way.
d) gain unauthorized access to an AWS environment was invoked in an anomalous way.
e) maintain unauthorized access to an AWS environment was invoked in an anomalous way.
f) obtain high-level permissions to an AWS environment was invoked in an anomalous way.
g) be invoked from a known malicious IP address.
h) be invoked using root credentials.
- AWS CloudTrail logging was disabled.
- The account password policy was weakened.
- Multiple worldwide successful console logins were observed.
- Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from another
account within AWS.
- Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from an external
IP address.
- An API was invoked from a known malicious IP address.
- An API was invoked from an IP address on a custom threat list.
- An API was invoked from a Tor exit node IP address.

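
The finding list above maps onto GuardDuty's finding-type naming scheme (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact). The following is an added example, not code from the benchmark or from AWS: it parses that scheme and triages a handful of constructed finding records written in the shape of `aws guardduty get-findings` output. The type strings are GuardDuty's documented names; the rule that escalates logging-disabled, password-policy and root-usage findings to High regardless of their numeric severity is a local SOC policy assumed for this example, because those findings blind or weaken detection and GuardDuty rates several of them Low.

```python
"""Parse and triage Amazon GuardDuty finding types.

Added example, not part of the benchmark or of GuardDuty itself. The sample
records below are constructed in the shape of `aws guardduty get-findings`
output; the finding-type strings are GuardDuty's documented names, and the
escalation policy is an assumption a SOC would set for itself.
"""
import json
from dataclasses import dataclass

SAMPLE_FINDINGS = json.loads("""
[
  {"Id": "f-001", "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "Severity": 2.0,
   "Resource": {"AccessKeyDetails": {"UserName": "deploy-bot", "UserType": "IAMUser"}}},
  {"Id": "f-002", "Type": "Policy:IAMUser/RootCredentialUsage", "Severity": 2.0,
   "Resource": {"AccessKeyDetails": {"UserName": "Root", "UserType": "Root"}}},
  {"Id": "f-003", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
   "Severity": 8.0,
   "Resource": {"AccessKeyDetails": {"UserName": "i-0abc123", "UserType": "AssumedRole"}}},
  {"Id": "f-004", "Type": "UnauthorizedAccess:IAMUser/TorIPCaller", "Severity": 5.0,
   "Resource": {"AccessKeyDetails": {"UserName": "alice", "UserType": "IAMUser"}}},
  {"Id": "f-005", "Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 5.0,
   "Resource": {"AccessKeyDetails": {"UserName": "alice", "UserType": "IAMUser"}}}
]
""")

# Finding families that blind or weaken detection; this example escalates them
# to High regardless of GuardDuty's numeric severity (local policy, an assumption).
ESCALATE_FAMILIES = {"CloudTrailLoggingDisabled", "PasswordPolicyChange", "RootCredentialUsage"}


@dataclass(frozen=True)
class FindingType:
    purpose: str    # ThreatPurpose, e.g. "Stealth", "UnauthorizedAccess", "Policy"
    resource: str   # ResourceTypeAffected, e.g. "IAMUser", "EC2"
    family: str     # ThreatFamilyName, e.g. "CloudTrailLoggingDisabled"
    mechanism: str  # DetectionMechanism, e.g. "OutsideAWS" ("" when absent)
    artifact: str   # Artifact, e.g. "DNS" ("" when absent)


def parse_finding_type(type_str: str) -> FindingType:
    """Split ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact."""
    purpose, rest = type_str.split(":", 1)
    resource, rest = rest.split("/", 1)
    rest, _, artifact = rest.partition("!")
    family, _, mechanism = rest.partition(".")
    return FindingType(purpose, resource, family, mechanism, artifact)


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def triage(findings: list) -> list:
    """Label each finding and order the list so the most urgent come first."""
    rows = []
    for f in findings:
        ft = parse_finding_type(f["Type"])
        label, reason = severity_label(f["Severity"]), "GuardDuty severity"
        if ft.family in ESCALATE_FAMILIES:
            label, reason = "High", "defence evasion or root usage: escalated by local policy"
        rows.append({
            "Id": f["Id"],
            "Label": label,
            "Reason": reason,
            "Principal": f["Resource"]["AccessKeyDetails"]["UserName"],
            "Purpose": ft.purpose,
            "Family": ft.family,
            "Severity": f["Severity"],
        })
    rank = {"High": 0, "Medium": 1, "Low": 2}
    rows.sort(key=lambda r: (rank[r["Label"]], -r["Severity"], r["Id"]))
    return rows


def findings_per_principal(findings: list) -> dict:
    """Count findings per IAM principal; several findings on one principal is a correlation cue."""
    counts = {}
    for f in findings:
        user = f["Resource"]["AccessKeyDetails"]["UserName"]
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"{row['Label']:6} {row['Id']} {row['Family']:32} {row['Principal']:12} {row['Reason']}")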
Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations) and
monitor these trails with CloudWatch for automated actions.

The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near
real time. There are three main categories of logs:
- Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53
logs are the two supported types. These two logs are enabled by default.
- Logs published by AWS services: More than 30 AWS services publish logs to CloudWatch. They include Amazon API
Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and CloudWatch.
- Custom logs: Logs from your own applications and on-premises resources. You may need to collect these logs by installing the
CloudWatch Agent in your operating systems and forwarding them to CloudWatch.

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon S3 or Amazon
Kinesis Data Firehose, where you can use different logging storage and retention policies.

Enable and collect network logs such as VPC Flow Logs, WAF logs, and Route 53 Resolver query logs for security analysis, to
support incident investigations and security alert generation. The logs can be exported to CloudWatch for monitoring or to an S3
storage bucket for ingestion into Microsoft Sentinel for centralized analytics.

Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query
and perform analytics, and to create alert rules using the logs aggregated from AWS services, endpoint devices,
network resources, and other security systems.

In addition, you can aggregate the logs in an S3 storage bucket and onboard the log data to Microsoft Sentinel, which provides
security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities.

By default, logs are kept indefinitely and never expire in CloudWatch. You can adjust the retention policy for each log group,
keeping indefinite retention or choosing a retention period between one day and 10 years.
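
Because a log group with no retention setting never expires, an audit has to treat "absent" as "indefinite" rather than as zero. The following added example (not code from the benchmark or from AWS) checks log groups against a minimum investigation window and drafts the `aws logs put-retention-policy` commands that would fix the gaps. `SAMPLE_DESCRIBE_OUTPUT` is a constructed document in the shape of `aws logs describe-log-groups` output, and the choice to flag indefinite groups as needing an explicit decision (cost, and archival to S3 as the text suggests) is this example's policy. The valid-retention list is the set of day values CloudWatch accepts.

```python
"""Audit CloudWatch Logs retention settings against a minimum investigation window.

Added example, not from the benchmark or AWS. SAMPLE_DESCRIBE_OUTPUT is a
constructed document in the shape of `aws logs describe-log-groups`; a log
group with no retentionInDays field is retained indefinitely, which is the
CloudWatch default the text describes.
"""
import json

# Retention values that `aws logs put-retention-policy` accepts, in days (CloudWatch's documented set).
VALID_RETENTION_DAYS = sorted({1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
                               1096, 1827, 2192, 2557, 2922, 3288, 3653})

SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"logGroups": [
  {"logGroupName": "/aws/lambda/payments", "retentionInDays": 7, "storedBytes": 104857600},
  {"logGroupName": "/aws/vpc/flow-logs", "storedBytes": 53687091200},
  {"logGroupName": "CloudTrail/DefaultLogGroup", "retentionInDays": 400, "storedBytes": 2147483648},
  {"logGroupName": "/aws/eks/prod/cluster", "retentionInDays": 30, "storedBytes": 8589934592}
]}
""")


def nearest_valid_retention(days: int) -> int:
    """Round a desired retention up to the smallest value CloudWatch accepts."""
    for value in VALID_RETENTION_DAYS:
        if value >= days:
            return value
    raise ValueError(f"{days} days exceeds the longest CloudWatch retention ({VALID_RETENTION_DAYS[-1]})")


def audit_retention(describe_output: dict, minimum_days: int) -> list:
    """Return one finding per log group whose retention is indefinite or shorter than minimum_days."""
    target = nearest_valid_retention(minimum_days)
    findings = []
    for group in describe_output["logGroups"]:
        current = group.get("retentionInDays")  # absent means "never expire"
        if current is None:
            issue = "indefinite"
        elif current < minimum_days:
            issue = "below-minimum"
        else:
            continue
        findings.append({"logGroupName": group["logGroupName"], "current": current,
                         "issue": issue, "proposed": target})
    return findings


def remediation_commands(findings: list) -> list:
    """Build the AWS CLI commands that would apply the proposed retention (for review, not execution)."""
    return [f"aws logs put-retention-policy --log-group-name '{f['logGroupName']}' "
            f"--retention-in-days {f['proposed']}" for f in findings]


if __name__ == "__main__":
    for finding in audit_retention(SAMPLE_DESCRIBE_OUTPUT, minimum_days=365):
        print(f"{finding['issue']:14} {finding['logGroupName']:28} current={finding['current']} -> {finding['proposed']}")
    for command in remediation_commands(audit_retention(SAMPLE_DESCRIBE_OUTPUT, 365)):
        print(command)
```

Indefinite groups are reported rather than silently accepted because an unbounded CloudWatch group usually means nobody decided where the long-term copy lives; the text's S3 archival with lifecycle rules is the cheaper place for it.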

Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and an archival policy to the bucket. You
can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage.

AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is
configured, use the AWS default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you
need to stand up your own Network Time Protocol (NTP) server, ensure you secure UDP service port 123.

All logs generated by resources within AWS provide time stamps with the time zone specified by default.
Implementation and additional context
Amazon GuardDuty:
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html

Amazon GuardDuty data sources:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html

Connect your AWS accounts to Microsoft Defender for Cloud:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings

How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment:
https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws

Security recommendations for AWS resources - a reference guide:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws

IAM credential reports:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

GuardDuty data source:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html

GuardDuty IAM finding types:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html

Enabling logging from certain AWS services:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html
https://aws.amazon.com/cloudwatch/features/

Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data:
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3

Altering CloudWatch log retention:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

Copy data from Amazon S3 to Azure Storage by using AzCopy:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3

Set the time for a Linux instance:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

Set the time for a Windows instance:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html
Customer Security Stakeholders:
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Infrastructure and endpoint security
Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
ID: IR-1
Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.1 - Document Incident Response Procedures; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel
CIS Controls v8 ID(s): 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-8: INCIDENT RESPONSE PLAN
PCI-DSS v3.2.1 ID(s): 10.8
Recommendation: Preparation - update incident response plan and handling process

ID: IR-2
Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.2 - Assign Job Titles and Duties for Incident Response; 19.3 - Designate Management Personnel to Support Incident Handling; 19.4 - Devise Organization-wide Standards for Reporting Incidents; 19.5 - Maintain Contact Information For Reporting Security Incidents
CIS Controls v8 ID(s): 17.1 - Designate Personnel to Manage Incident Handling; 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents; 17.6 - Define Mechanisms for Communicating During Incident Response
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-8: INCIDENT RESPONSE PLAN; IR-5: INCIDENT MONITORING; IR-6: INCIDENT REPORTING
PCI-DSS v3.2.1 ID(s): 12.10
Recommendation: Preparation - setup incident contact information

ID: IR-3
Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.8 - Create Incident Scoring and Prioritization Schema
CIS Controls v8 ID(s): 17.9 - Establish and Maintain Security Incident Thresholds
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-7: INCIDENT RESPONSE ASSISTANCE
PCI-DSS v3.2.1 ID(s): 10.8
Recommendation: Detection and analysis - create incidents based on high-quality alerts

ID: IR-4
Control Domain: Incident Response
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): N/A
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.10
Recommendation: Detection and analysis - investigate an incident

ID: IR-5
Control Domain: Incident Response
CIS Controls v7.1 ID(s): 19.8 - Create Incident Scoring and Prioritization Schema
CIS Controls v8 ID(s): 17.4 - Establish and Maintain an Incident Response Process; 17.9 - Establish and Maintain Security Incident Thresholds
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.10
Recommendation: Detection and analysis - prioritize incidents

ID: IR-6
Control Domain: Incident Response
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): N/A
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-6: INCIDENT REPORTING
PCI-DSS v3.2.1 ID(s): 12.10
Recommendation: Containment, eradication and recovery - automate the incident handling

ID: IR-7
Control Domain: Incident Response
CIS Controls v7.1 ID(s): N/A
CIS Controls v8 ID(s): 17.8 - Conduct Post-Incident Reviews
NIST SP800-53 r4 ID(s): IR-4: INCIDENT HANDLING
PCI-DSS v3.2.1 ID(s): 12.10
Recommendation: Post-incident activity - conduct lessons learned and retain evidence
Security Principle
Ensure your organization follows industry best practice to develop processes and plans to
respond to security incidents on the cloud platforms. Be mindful of the shared
responsibility model and the variances across IaaS, PaaS, and SaaS services. This will have a
direct impact on how you collaborate with your cloud provider in incident response and
handling activities, such as incident notification and triage, evidence collection,
investigation, eradication, and recovery.

Regularly test the incident response plan and handling process to ensure they're up to date.

Ensure the security alerts and incident notifications from the cloud service provider's
platform and your environments can be received by the correct contact in your incident
response organization.

Ensure you have a process to create high-quality alerts and measure the quality of alerts.
This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they
don't waste time on false positives.

High-quality alerts can be built based on experience from past incidents, validated
community sources, and tools designed to generate and clean up alerts by fusing and
correlating diverse signal sources.

Ensure the security operations team can query and use diverse data sources as they
investigate potential incidents, to build a full view of what happened. Diverse logs should be
collected to track the activities of a potential attacker across the kill chain to avoid blind
spots. You should also ensure insights and learnings are captured for other analysts and for
future historical reference.

Use the cloud native SIEM and incident management solution if your organization does not
have an existing solution to aggregate security logs and alert information. Correlate
incident data sourced from different systems to facilitate the incident
investigations.

Provide context to security operations teams to help them determine which incidents ought
to be focused on first, based on alert severity and asset sensitivity defined in your
organization's incident response plan.

Additionally, mark resources using tags and create a naming system to identify and
categorize your cloud resources, especially those processing sensitive data. It is your
responsibility to prioritize the remediation of alerts based on the criticality of the resources
and environment where the incident occurred.

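
The principle above combines two inputs, alert severity and asset sensitivity, and the second one has to come from somewhere, typically resource tags. The following added example (not code from the benchmark, Defender for Cloud or Sentinel) scores a queue of alerts that way. The severity names are Defender for Cloud's alert severities; the tag names (`DataClassification`, `Environment`), the weights, the resource IDs and the alerts themselves are constructed assumptions standing in for what an incident response plan and a tagging standard would define. The point it makes is that a Medium alert on a confidential production asset can outrank a High alert on a development box, and that an untagged resource must not silently fall to the bottom.

```python
"""Rank alerts by severity and by the sensitivity of the affected resource.

Added example, not part of the benchmark or of Defender for Cloud/Sentinel.
Severity names follow Defender for Cloud's alert severities; the tag names,
weights, resource IDs and alerts are constructed assumptions standing in for
what an incident response plan would define.
"""

SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CLASSIFICATION_WEIGHT = {"Confidential": 3, "Internal": 2, "Public": 1}
ENVIRONMENT_WEIGHT = {"Production": 2, "Development": 1}

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
VM = "providers/Microsoft.Compute/virtualMachines"

# Constructed tag inventory keyed by resource ID; vm-untagged deliberately has no entry.
TAG_INVENTORY = {
    f"{RG}/hr/{VM}/vm-hr-db": {"DataClassification": "Confidential", "Environment": "Production"},
    f"{RG}/dev/{VM}/vm-dev-test": {"DataClassification": "Internal", "Environment": "Development"},
    f"{RG}/web/{VM}/vm-web": {"DataClassification": "Public", "Environment": "Production"},
}

# Constructed alerts in the fields this example needs.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": "Medium", "resource": f"{RG}/hr/{VM}/vm-hr-db",
     "title": "Suspicious database activity"},
    {"id": "a2", "severity": "High", "resource": f"{RG}/dev/{VM}/vm-dev-test",
     "title": "Suspicious process execution"},
    {"id": "a3", "severity": "High", "resource": f"{RG}/ops/{VM}/vm-untagged",
     "title": "Outbound connection to a flagged address"},
    {"id": "a4", "severity": "Low", "resource": f"{RG}/web/{VM}/vm-web",
     "title": "Unusual user agent"},
]


def score_alert(alert: dict, inventory: dict) -> tuple:
    """Return (score, flags). Untagged resources are treated as Confidential/Production and flagged."""
    if alert["severity"] not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity {alert['severity']!r} on {alert['id']}")
    tags = inventory.get(alert["resource"], {})
    flags = []
    classification = tags.get("DataClassification")
    if classification not in CLASSIFICATION_WEIGHT:
        classification = "Confidential"
        flags.append("no DataClassification tag: treated as Confidential until classified")
    environment = tags.get("Environment")
    if environment not in ENVIRONMENT_WEIGHT:
        environment = "Production"
        flags.append("no Environment tag: treated as Production")
    score = (SEVERITY_WEIGHT[alert["severity"]]
             * CLASSIFICATION_WEIGHT[classification]
             * ENVIRONMENT_WEIGHT[environment])
    return score, flags


def prioritize(alerts: list, inventory: dict) -> list:
    """Order alerts for the analyst queue: highest score first, ties broken by alert id."""
    ranked = []
    for alert in alerts:
        score, flags = score_alert(alert, inventory)
        ranked.append({**alert, "score": score, "flags": flags})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS, TAG_INVENTORY):
        print(f"{row['score']:3} {row['id']} {row['severity']:6} {row['title']}")
        for flag in row["flags"]:
            print(f"      {flag}")
```

Treating a missing tag as the most sensitive case is a deliberate design choice: it turns tagging gaps into visible queue noise that the asset owners have an incentive to fix, rather than into blind spots.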
Automate the manual, repetitive tasks to speed up response time and reduce the burden on
analysts. Manual tasks take longer to execute, slowing each incident and reducing how
many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which
increases the risk of human error that causes delays and degrades the ability of analysts to
focus effectively on complex tasks.

Conduct lessons-learned reviews in your organization periodically and/or after major incidents, to
improve your future capability in incident response and handling.

Based on the nature of the incident, retain the evidence related to the incident for the
period defined in the incident handling standard for further analysis or legal actions.
Azure Guidance
Update your organization's incident response process to include the handling of incidents in the
Azure platform. Based on the Azure services used and your application nature, customize the
incident response plan and playbook to ensure they can be used to respond to the incident in
the cloud environment.

Set up security incident contact information in Microsoft Defender for Cloud. This contact
information is used by Microsoft to contact you if the Microsoft Security Response Center
(MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You
also have options to customize incident alerts and notification in different Azure services based
on your incident response needs.

Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use
the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel.
Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for
an investigation.

Export your Microsoft Defender for Cloud alerts and recommendations using the export feature
to help identify risks to Azure resources. Export alerts and recommendations either manually or
in an ongoing, continuous fashion.

Ensure your security operations team can query and use diverse data sources that are collected
from the in-scope services and systems. In addition, sources can also include:
- Identity and access log data: Use Azure AD logs and workload (such as operating system or
application level) access logs for correlating identity and access events.
- Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure
Monitor to capture network flow logs and other analytics information.
- Incident-related activity data from snapshots of the impacted systems, which can be
obtained through:
a) The Azure virtual machine's snapshot capability, to create a snapshot of the running system's
disk.
b) The operating system's native memory dump capability, to create a snapshot of the running
system's memory.
c) The snapshot feature of the other supported Azure services or your software's own capability,
to create snapshots of the running systems.

Microsoft Sentinel provides extensive data analytics across virtually any log source and a case
management portal to manage the full lifecycle of incidents. Intelligence information during an
investigation can be associated with an incident for tracking and reporting purposes.

Note: When incident related data is captured for investigation, ensure there is adequate
security in place to protect the data from unauthorized alteration, such as disabling logging or
removing logs, which can be performed by the attackers during an in-flight data breach activity.

Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts
should be investigated first. The severity is based on how confident Microsoft Defender for
Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that
there was malicious intent behind the activity that led to the alert.

Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other
details based on analytics rules. Use analytic rule templates and customize the rules according
to your organization's needs to support incident prioritization. Use automation rules in
Microsoft Sentinel to manage and orchestrate threat response in order to maximize your
security operations team's efficiency and effectiveness, including tagging incidents to classify
them.

Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to
automatically trigger actions or run playbooks to respond to incoming security alerts.
Playbooks take actions such as sending notifications, disabling accounts, and isolating
problematic networks.

Use the outcome from the lessons learned activity to update your incident response plan,
playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your
environments (such as logging and threat detection to address any gaps in logging) to improve
your future capability in detecting, responding, and handling of incidents in Azure.

Keep the evidence collected during the "Detection and analysis - investigate an incident" step,
such as system logs, network traffic dumps and running system snapshots, in storage such as an
Azure Storage account for immutable retention.
Implementation and additional context
Implement security across the enterprise environment:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud

Incident response reference guide:
https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf

NIST SP800-61 Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Incident response overview:
https://docs.microsoft.com/en-us/security/compass/incident-response-overview

How to set the Microsoft Defender for Cloud security contact:
https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details

How to configure export:
https://docs.microsoft.com/azure/security-center/continuous-export

How to stream alerts into Microsoft Sentinel:
https://docs.microsoft.com/azure/sentinel/connect-azure-security-center

Snapshot a Windows machine's disk:
https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk

Snapshot a Linux machine's disk:
https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk

Microsoft Azure Support diagnostic information and memory dump collection:
https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/

Investigate incidents with Azure Sentinel:
https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases

Security alerts in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/security-center-alerts-overview

Use tags to organize your Azure resources:
https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags

Create incidents from Microsoft security alerts:
https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts

Configure workflow automation in Security Center:
https://docs.microsoft.com/azure/security-center/workflow-automation

Set up automated threat responses in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts

Set up automated threat responses in Microsoft Sentinel:
https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook

Incident response process - Post-incident cleanup:
https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup
AWS Guidance
Update your organization's incident response process to include the handling of incidents.
Ensure a unified multi-cloud incident response plan is in place by updating your organization's
incident response process to include the handling of incidents in the AWS platform. Based on
the AWS services used and your application nature, follow the AWS Security Incident Response
Guide to customize the incident response plan and playbook to ensure they can be used to
respond to the incident in the cloud environment.

Set up security incident contact information in AWS Systems Manager Incident Manager (the
incident management center for AWS). This contact information is used for incident
management communication between you and AWS through the different channels (i.e., email,
SMS, or voice). You can define a contact's engagement plan and escalation plan to describe how
and when Incident Manager engages the contact and escalates if the contact(s) does not
respond to an incident.

Use security tools like SecurityHub or GuardDuty and other third-party tools to send alerts to
Amazon CloudWatch or Amazon EventBridge so incidents can be automatically created in
Incident Manager based on the defined criteria and rule sets. You can also manually create
incidents in the Incident Manager for further incident handling and tracking.

If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use
Microsoft Sentinel to monitor and alert on the incidents identified by Microsoft Defender for Cloud
on AWS resources.

The data sources for investigation are the centralized logging sources that collect from the in-
scope services and running systems, but can also include:
- Identity and access log data: Use IAM logs and workload (such as operating system or
application level) access logs for correlating identity and access events.
- Network data: Use VPC Flow Logs, VPC Traffic Mirroring, and AWS CloudTrail and CloudWatch
to capture network flow logs and other analytics information.
- Snapshots of running systems, which can be obtained through:
a) The snapshot capability in Amazon EC2 (EBS), to create a snapshot of the running system's disk.
b) The operating system's native memory dump capability, to create a snapshot of the running
system's memory.
c) The snapshot feature of the AWS services or your software's own capability, to create
snapshots of the running systems.

If you aggregate your SIEM related data into Microsoft Sentinel, it provides extensive data
analytics across virtually any log source and a case management portal to manage the full
lifecycle of incidents. Intelligence information during an investigation can be associated with an
incident for tracking and reporting purposes.

Note: When incident related data is captured for investigation, ensure there is adequate
security in place to protect the data from unauthorized alteration, such as disabling logging or
removing logs, which can be performed by the attackers during an in-flight data breach activity.

For each incident created in Incident Manager, assign an impact level based on your organization's defined criteria, such as the severity of the incident and the criticality level of the assets impacted.

If you use Microsoft Sentinel to centrally manage your incidents, you can also create automated actions or run playbooks to respond to incoming security alerts.

Alternatively, use the automation features in AWS Systems Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts and isolating problematic networks.

Create an incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome of the lessons-learned activity to update your incident response plan and playbooks (such as the AWS Systems Manager runbook and Microsoft Sentinel playbook) and reincorporate findings into your environment (such as logging and threat detection, to address any gaps in logging) to improve your future capability in detecting, responding to, and handling incidents in AWS.

Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as system logs, network traffic dumps and running system snapshots, in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention.
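The integrity protection the note above asks for, as an added Python example that is not part of the benchmark or of AWS Incident Manager: every collected artifact is hashed into a manifest at collection time, and the manifest is used to prove that nothing was altered, removed or added before the evidence reached immutable storage. Incident IDs, artifact names and contents are constructed placeholders.

```python
"""Integrity manifest for evidence collected during an investigation.

Added example, not code from the benchmark or from AWS Incident Manager.
It hashes each collected artifact (logs, traffic dumps, snapshots), records
the hashes in a manifest, and later verifies that nothing was altered,
removed or added between collection and immutable retention. Incident IDs,
artifact names and contents below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(incident_id: str, collected_by: str,
                   artifacts: dict[str, bytes]) -> dict:
    """Describe every artifact by name, size and SHA-256.

    Artifact names are sorted so the manifest is stable regardless of the
    order in which evidence was collected.
    """
    return {
        "incident_id": incident_id,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artifacts": {
            name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(artifacts.items())
        },
    }


def manifest_digest(manifest: dict) -> str:
    """Hash of the canonical JSON form of the manifest.

    Record this value outside the evidence store (for example in the incident
    timeline or ticket) so the manifest itself cannot be silently rewritten.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_evidence(manifest: dict, artifacts: dict[str, bytes]) -> dict[str, list[str]]:
    """Re-hash the artifacts and classify each as ok, altered, missing or unexpected."""
    expected = manifest["artifacts"]
    report = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for name, entry in expected.items():
        if name not in artifacts:
            report["missing"].append(name)
        elif sha256_hex(artifacts[name]) != entry["sha256"]:
            report["altered"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(set(artifacts) - set(expected))
    return report


# Constructed evidence set: a CloudTrail-style record (a StopLogging event is
# exactly the kind of "disable logging" action the note warns about), a VPC
# flow log line and a stand-in for a disk snapshot. Contents are illustrative.
EVIDENCE = {
    "cloudtrail-2024-01-05.json": b'{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com"}\n',
    "vpc-flow-eni-0abc.log": b"2 eni-0abc 10.0.1.5 10.0.2.9 443 51234 6 10 840 ACCEPT OK\n",
    "ebs-snap-i-0def.img": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    manifest = build_manifest("INC-0001", "analyst@example.com", EVIDENCE)
    print("manifest digest:", manifest_digest(manifest))
    print("clean copy:", verify_evidence(manifest, EVIDENCE))
    tampered = dict(EVIDENCE)
    tampered["cloudtrail-2024-01-05.json"] = b"{}\n"   # record rewritten
    del tampered["vpc-flow-eni-0abc.log"]               # log removed
    print("tampered copy:", verify_evidence(manifest, tampered))
```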
Implementation and additional context:
- AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html
- Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html
- Incident creation in Incident Manager: https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html
- How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws
- Traffic Mirroring: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- Creating EBS volume backups with AMIs and EBS snapshots: https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html
- AWS Security Incident Response Guide, use immutable storage: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html
- Define your naming convention best practice: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
- AWS Systems Manager - runbooks and automation: https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html
- Post-incident analysis: https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html

Customer Security Stakeholders (for each of the incident response controls above):
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
ID | Control Domain | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP800-53 r4 ID(s) | PCI-DSS v3 | Recommendation

PV-1 - Posture and Vulnerability Management
Recommendation: Define and establish secure configurations
CIS Controls v7.1: 5.1 - Establish Secure Configurations; 11.1 - Maintain Standard Security Configurations for Network Devices
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3: 1.1, 2.2

PV-2 - Posture and Vulnerability Management
Recommendation: Audit and enforce secure configurations
CIS Controls v7.1: 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3: 2.2

PV-3 - Posture and Vulnerability Management
Recommendation: Define and establish secure configurations for compute resources
CIS Controls v7.1: 5.1 - Establish Secure Configurations; 5.5 - Implement Automated Configuration Monitoring Systems
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3: 2.2, 11.5

PV-4 - Posture and Vulnerability Management
Recommendation: Audit and enforce secure configurations for compute resources
CIS Controls v7.1: 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3: 2.2

PV-5 - Posture and Vulnerability Management
Recommendation: Perform vulnerability assessments
CIS Controls v7.1: 3.1 - Run Automated Vulnerability Scanning Tools; 3.3 - Protect Dedicated Assessment Accounts; 3.6 - Compare Back-to-back Vulnerability Scans
CIS Controls v8: 5.5 - Establish and Maintain an Inventory of Service Accounts; 7.1 - Establish and Maintain a Vulnerability Management Process; 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets; 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
NIST SP800-53 r4: RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING
PCI-DSS v3: 6.1, 6.2, 6.6, 11.2

PV-6 - Posture and Vulnerability Management
Recommendation: Rapidly and automatically remediate vulnerabilities
CIS Controls v7.1: 3.4 - Deploy Automated Operating System Patch Management Tools; 3.5 - Deploy Automated Software Patch Management Tools; 3.7 - Utilize a Risk-rating Process
CIS Controls v8: 7.2 - Establish and Maintain a Remediation Process; 7.3 - Perform Automated Operating System Patch Management; 7.4 - Perform Automated Application Patch Management; 7.7 - Remediate Detected Vulnerabilities
NIST SP800-53 r4: RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING; SI-2: FLAW REMEDIATION
PCI-DSS v3: 6.1, 6.2, 6.5, 11.2

PV-7 - Posture and Vulnerability Management
Recommendation: Conduct regular red team operations
CIS Controls v7.1: 20.1 - Establish a Penetration Testing Program; 20.2 - Conduct Regular External and Internal Penetration Tests; 20.3 - Perform Periodic Red Team Exercises
CIS Controls v8: 18.1 - Establish and Maintain a Penetration Testing Program; 18.2 - Perform Periodic External Penetration Tests; 18.3 - Remediate Penetration Test Findings; 18.4 - Validate Security Measures; 18.5 - Perform Periodic Internal Penetration Tests
NIST SP800-53 r4: CA-8: PENETRATION TESTING; RA-5: VULNERABILITY SCANNING
PCI-DSS v3: 6.6, 11.2, 11.3
Security Principle

PV-1 - Define and establish secure configurations:
Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment.

PV-2 - Audit and enforce secure configurations:
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration.

PV-3 - Define and establish secure configurations for compute resources:
Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template.

PV-4 - Audit and enforce secure configurations for compute resources:
Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources.

PV-5 - Perform vulnerability assessments:
Perform vulnerability assessments for your cloud resources at all tiers on a fixed schedule or on demand. Track and compare the scan results to verify that the vulnerabilities are remediated. The assessment should include all types of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on.

Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning.

PV-6 - Rapidly and automatically remediate vulnerabilities:
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use an appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.

Prioritize which updates to deploy first using a common risk scoring program (such as the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, tailored to your environment. You should also consider which applications present a high security risk and which ones require high uptime.

PV-7 - Conduct regular red team operations:
Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks.

Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners.
Azure Guidance

PV-1 - Define and establish secure configurations:
Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources.

Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up the configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy.

PV-2 - Audit and enforce secure configurations:
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when a configuration deviation is detected on the resources.

Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources.

For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.
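The difference between the audit, deny and deploy-if-not-exists effects named above, as an added Python example that is not part of the benchmark or of Azure Policy: a constructed baseline is evaluated against a deployment request, audit findings are only recorded, a deny blocks the deployment, and deployIfNotExists produces a remediation that writes the missing configuration. The property names and baseline values are assumptions chosen for illustration, not real Azure Policy aliases; the same pattern applies to an AWS Config rule with an associated Systems Manager Automation remediation.

```python
"""Baseline enforcement with audit / deny / deployIfNotExists semantics.

Added example, not code from the benchmark or from Azure Policy. A rule set
(the baseline) is evaluated against a deployment request; each effect changes
the outcome differently: audit only records the deviation, deny blocks the
deployment, deployIfNotExists schedules a remediation that writes the missing
configuration. Property names and values are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Any

EXISTS = object()   # sentinel: the property must be present, any value


@dataclass
class Rule:
    rule_id: str
    path: str                  # dotted path into the resource document
    expected: Any              # required value, or EXISTS
    effect: str                # "audit", "deny" or "deployIfNotExists"
    remediation: dict = field(default_factory=dict)  # written by deployIfNotExists


def lookup(doc: dict, path: str):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_compliant(doc: dict, rule: Rule) -> bool:
    value = lookup(doc, rule.path)
    if rule.expected is EXISTS:
        return value is not None
    return value == rule.expected


def evaluate(doc: dict, rules: list[Rule]) -> dict:
    """Evaluate a deployment request against the baseline.

    Returns whether the deployment may proceed and the rule IDs grouped by
    effect, so a caller can alert on audits and queue remediations.
    """
    result = {"allowed": True, "denied_by": [], "audit": [], "remediate": []}
    for rule in rules:
        if is_compliant(doc, rule):
            continue
        if rule.effect == "deny":
            result["allowed"] = False
            result["denied_by"].append(rule.rule_id)
        elif rule.effect == "audit":
            result["audit"].append(rule.rule_id)
        elif rule.effect == "deployIfNotExists":
            result["remediate"].append(rule.rule_id)
        else:
            raise ValueError(f"unknown effect {rule.effect!r}")
    return result


def remediate(doc: dict, rules: list[Rule], rule_ids: list[str]) -> dict:
    """Apply the remediation payload of the listed deployIfNotExists rules.

    Returns a corrected copy; the original request is left untouched.
    """
    fixed = copy.deepcopy(doc)
    by_id = {r.rule_id: r for r in rules}
    for rid in rule_ids:
        rule = by_id[rid]
        parts = rule.path.split(".")
        node = fixed
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = copy.deepcopy(rule.remediation)
    return fixed


# Constructed baseline for a storage-like resource (names are illustrative).
BASELINE = [
    Rule("https-only", "properties.httpsOnly", True, "deny"),
    Rule("min-tls", "properties.minimumTlsVersion", "TLS1_2", "deny"),
    Rule("no-public-access", "properties.allowPublicAccess", False, "audit"),
    Rule("diag-settings", "diagnosticSettings", EXISTS, "deployIfNotExists",
         remediation={"workspace": "law-central", "logs": ["Read", "Write"]}),
]

# Constructed deployment requests.
NONCOMPLIANT = {"name": "stlogs01", "properties": {
    "httpsOnly": False, "minimumTlsVersion": "TLS1_0", "allowPublicAccess": True}}
MOSTLY_OK = {"name": "stlogs02", "properties": {
    "httpsOnly": True, "minimumTlsVersion": "TLS1_2", "allowPublicAccess": True}}

if __name__ == "__main__":
    print("blocked:", evaluate(NONCOMPLIANT, BASELINE))
    verdict = evaluate(MOSTLY_OK, BASELINE)
    print("allowed with findings:", verdict)
    print("after remediation:", remediate(MOSTLY_OK, BASELINE, verdict["remediate"]))
```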
PV-3 - Define and establish secure configurations for compute resources:
Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline.

Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration.

PV-4 - Audit and enforce secure configurations for compute resources:
Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the distribution package manager. Install the Guest Attestation agent on virtual machines to monitor boot integrity on confidential virtual machines.

Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.

PV-5 - Perform vulnerability assessments:
Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications).

Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data.

When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the results from the Microsoft Defender for Cloud vulnerability scanning tool.

Note: Ensure you set up email notifications in Microsoft Defender for Cloud.
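The scan comparison and risk-based prioritization called for by PV-5 and PV-6 (the principles above and the export-and-compare guidance in this column), as an added Python example that is not part of the benchmark or of any Microsoft or AWS scanner: two constructed scan exports are diffed into remediated, new and persisting findings, and the open findings are then ranked by CVSS base score weighted by asset criticality, with high-uptime assets flagged as needing a maintenance window. Vulnerability identifiers, asset names and criticality values are placeholders.

```python
"""Compare back-to-back vulnerability scan exports and rank what to fix first.

Added example, not code from the benchmark or from any scanner. It diffs two
scan exports (constructed here) to show which findings were remediated, which
are new and which persist, then ranks the open findings by CVSS base score
multiplied by asset criticality, so a medium finding on a critical production
asset can outrank a critical finding on a throwaway development box.
Identifiers and asset names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float   # CVSS v3 base score, 0.0 to 10.0


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating scale."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def _key(f: Finding):
    return (f.asset, f.vuln_id)


def compare_scans(previous: list[Finding], current: list[Finding]) -> dict[str, list[Finding]]:
    """Classify findings by comparing two consecutive scan exports."""
    prev = {_key(f): f for f in previous}
    curr = {_key(f): f for f in current}
    return {
        "remediated": sorted((prev[k] for k in prev.keys() - curr.keys()), key=_key),
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=_key),
        "persisting": sorted((curr[k] for k in prev.keys() & curr.keys()), key=_key),
    }


def prioritize(findings: list[Finding], criticality: dict[str, int],
               high_uptime: set[str]) -> list[dict]:
    """Rank open findings by CVSS score weighted by asset criticality (1-5).

    Assets not in the criticality map default to 1. Findings on high-uptime
    assets are flagged so the patch can be scheduled into a maintenance window
    rather than skipped.
    """
    ranked = []
    for f in findings:
        weight = criticality.get(f.asset, 1)
        ranked.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "severity": severity(f.cvss),
            "risk": round(f.cvss * weight, 1),
            "needs_window": f.asset in high_uptime,
        })
    ranked.sort(key=lambda r: (-r["risk"], r["asset"], r["vuln_id"]))
    return ranked


# Constructed scan exports (placeholder vulnerability IDs and asset names).
PREVIOUS = [
    Finding("web-prod-01", "VULN-0001", 9.8),
    Finding("web-prod-01", "VULN-0002", 5.3),
    Finding("db-prod-01", "VULN-0003", 7.5),
    Finding("dev-box-03", "VULN-0001", 9.8),
]
CURRENT = [
    Finding("web-prod-01", "VULN-0002", 5.3),   # still open
    Finding("db-prod-01", "VULN-0003", 7.5),    # still open
    Finding("dev-box-03", "VULN-0001", 9.8),    # still open, low-value asset
    Finding("db-prod-01", "VULN-0004", 8.1),    # new since last scan
]
CRITICALITY = {"web-prod-01": 5, "db-prod-01": 5, "dev-box-03": 1}
HIGH_UPTIME = {"db-prod-01"}

if __name__ == "__main__":
    diff = compare_scans(PREVIOUS, CURRENT)
    for bucket, items in diff.items():
        print(bucket, [(f.asset, f.vuln_id) for f in items])
    for row in prioritize(diff["new"] + diff["persisting"], CRITICALITY, HIGH_UPTIME):
        print(row)
```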

PV-6 - Rapidly and automatically remediate vulnerabilities:
Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.

PV-7 - Conduct regular red team operations:
As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Implementation and additional context

PV-1:
- Illustration of Guardrails implementation in Enterprise Scale Landing Zone: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition
- Working with security policies in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-policy
- Tutorial: Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
- Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview

PV-2:
- Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
- Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
- Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data

PV-3:
- Linux OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux
- Windows OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows
- Security configuration recommendation for compute resources: https://docs.microsoft.com/azure/security-center/recommendations-reference
- Azure Automation State Configuration Overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview

PV-4:
- How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
- Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
- Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
- Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security
- Change Tracking and Inventory overview: https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2
- Guest attestation for confidential VMs: https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms

PV-5:
- How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
- Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment
- SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment
- Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results

PV-6:
- How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview
- Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm

PV-7:
- Penetration testing in Azure: https://docs.microsoft.com/azure/security/fundamentals/pen-testing
- Penetration Testing Rules of Engagement: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1
- Microsoft Cloud Red Teaming: https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
AWS Guidance

PV-1 - Define and establish secure configurations:
Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architected Framework to understand the critical security controls and configurations that may be needed across AWS resources.

Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments.

PV-2 - Audit and enforce secure configurations:
Use AWS Config rules to audit configurations of your AWS resources, and optionally resolve configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when a configuration deviation is detected on the resources.

For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.

You can also centrally monitor your configuration drift by onboarding your AWS account to Microsoft Defender for Cloud.

PV-3 - Define and establish secure configurations for compute resources:
Use Amazon Machine Images (AMIs) from trusted sources on the AWS Marketplace as a benchmark to define your EC2 configuration baseline.

Additionally, you can use EC2 Image Builder to build a custom AMI template with the Systems Manager agent to establish the desired security configuration.
Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS.

For workload applications running within your EC2 instances, AWS Lambda or container environments, you may use AWS Systems Manager AppConfig to establish the desired configuration baseline.

PV-4 - Audit and enforce secure configurations for compute resources:
Use the State Manager feature of AWS Systems Manager to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates and custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements.

You can also centrally monitor and manage operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods:
- Onboard your AWS account into Microsoft Defender for Cloud
- Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud

For workload applications running within your EC2 instances, AWS Lambda or container environments, you may use AWS Systems Manager AppConfig to audit and enforce the desired configuration baseline.

Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services.

PV-5 - Perform vulnerability assessments:
Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications).

Refer to control ES-1, "Use Endpoint Detection and Response (EDR)", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning results are consolidated in the Microsoft Defender for Cloud dashboard.

Track the status of vulnerability findings to ensure they are properly remediated, or suppressed if they are considered false positives.

When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

PV-6 - Rapidly and automatically remediate vulnerabilities:
Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines that allow you to define a list of approved and rejected patches for your systems.

You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances.

For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.

PV-7 - Conduct regular red team operations:
As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings.

Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies.
Implementation and additional context

PV-1:
- AWS Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
- AWS Config rules: https://aws.amazon.com/config/
- AWS landing zone

PV-2:
- Remediating Noncompliant AWS Resources by AWS Config Rules: https://docs.aws.amazon.com/config/latest/developerguide/remediation.html
- Detecting unmanaged configuration changes to stacks and resources: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html
- AWS Config Conformance Pack: https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/

PV-3:
- Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines

PV-4:
- AWS Systems Manager State Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html
- Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
- Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines

PV-5:
- Amazon Inspector: https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
- Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management: https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm

PV-6:
- AWS Systems Manager - Patch Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
- Update Management overview: https://docs.microsoft.com/en-us/azure/automation/update-management/overview

PV-7:
- AWS Customer Support Policy for Penetration Testing: https://aws.amazon.com/security/penetration-testing/
Customer Security Stakeholders (for each of PV-1 through PV-7):
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
ES-1 | Endpoint security
  CIS Controls v7.1: 9.4 - Apply Host-Based Firewalls or Port Filtering
  CIS Controls v8: 13.7 - Deploy a Host-Based Intrusion Prevention Solution
  NIST SP800-53 r4: SC-3: SECURITY FUNCTION ISOLATION; SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SI-16: MEMORY PROTECTION
  PCI-DSS v3.2.1: 11.5
  Recommendation: Use Endpoint Detection and Response (EDR)
  Security Principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes.

ES-2 | Endpoint security
  CIS Controls v7.1: 8.1 - Utilize Centrally Managed Anti-malware Software
  CIS Controls v8: 10.1 - Deploy and Maintain Anti-Malware Software
  NIST SP800-53 r4: SC-3: SECURITY FUNCTION ISOLATION; SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SI-16: MEMORY PROTECTION
  PCI-DSS v3.2.1: 5.1
  Recommendation: Use modern anti-malware software
  Security Principle: Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning.

ES-3 | Endpoint security
  CIS Controls v7.1: 8.2 - Ensure Anti-Malware Software and Signatures are Updated
  CIS Controls v8: 10.2 - Configure Automatic Anti-Malware Signature Updates
  NIST SP800-53 r4: SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION
  PCI-DSS v3.2.1: 5.2, 5.3
  Recommendation: Ensure anti-malware software and signatures are updated
  Security Principle: Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.
Azure Guidance
ES-1: Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats.

Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts into your SIEM solution, such as Microsoft Sentinel.

ES-2: Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions on your virtual machines and on on-premises machines with Azure Arc configured, report the endpoint protection running status, and make recommendations.

Microsoft Defender Antivirus is the default anti-malware solution for Windows Server 2016 and above. For Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.

For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.

Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.

ES-3: Follow the recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) install the latest signature and engine updates automatically by default.

For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
Implementation and additional context
ES-1:
Microsoft Defender for servers introduction: https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction
Microsoft Defender for Endpoint overview: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
Microsoft Defender for Cloud feature coverage for machines: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows
Connector for Defender for servers integration into SIEM: https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows

ES-2:
Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware

ES-3:
How to deploy Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection
AWS Guidance
ES-1: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats.

Alternatively, use the Amazon GuardDuty integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volumes of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, use of temporary Amazon EC2 credentials by an external IP address, and data exfiltration using DNS.

ES-2: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use of some popular anti-malware solutions on EC2 instances with Azure Arc configured, report the endpoint protection running status, and make recommendations.

Deploy Microsoft Defender Antivirus, which is the default anti-malware solution for Windows Server 2016 and above. For EC2 instances running Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.

For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.

Note: Microsoft Defender for Cloud also supports certain third-party endpoint protection products for discovery and health status assessment.

ES-3: With your AWS account onboarded into Microsoft Defender for Cloud, follow the recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) install the latest signature and engine updates automatically by default.

For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
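The ES-2 and ES-3 checks described above (a recognised anti-malware product present and enabled, real-time protection on, signatures current) can be expressed as a small assessment over an endpoint inventory, which is what the "discover and assess the health status" recommendation produces. The following Python is an added example, not code from the benchmark, Microsoft or AWS. The inventory rows, the product list and the seven-day staleness limit are constructed assumptions; a real run would read the same fields from your endpoint protection assessment export or agent inventory instead of the inline list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Anti-malware products this check treats as acceptable. Constructed for the
# example; in practice populate it from the supported endpoint protection list
# your CSPM tool publishes and from your own approved-software standard.
SUPPORTED_PRODUCTS = {
    "Microsoft Defender Antivirus",
    "Microsoft Antimalware",
    "Microsoft Defender for Endpoint",
}

# Assumption for this example: signatures older than this are reported as stale (ES-3).
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass
class Endpoint:
    """One row of an endpoint protection inventory (field names are assumptions)."""
    name: str
    os: str                                    # "windows" or "linux"
    product: Optional[str]                     # None: no anti-malware detected
    enabled: bool = False                      # product installed and running
    realtime_protection: bool = False          # on-access scanning active
    signature_time: Optional[datetime] = None  # last signature update, UTC


@dataclass
class Finding:
    endpoint: str
    control: str   # "ES-2": protection missing/disabled, "ES-3": stale signatures
    reason: str


def assess(endpoints: List[Endpoint], now: datetime) -> List[Finding]:
    """Return one Finding per problem; an empty list means every endpoint is healthy."""
    findings: List[Finding] = []
    for ep in endpoints:
        if ep.product is None:
            findings.append(Finding(ep.name, "ES-2", "no anti-malware solution detected"))
            continue  # nothing further to assess without a product
        if ep.product not in SUPPORTED_PRODUCTS:
            findings.append(Finding(ep.name, "ES-2",
                                    f"unrecognised product {ep.product!r}; verify manually"))
        if not ep.enabled:
            findings.append(Finding(ep.name, "ES-2", f"{ep.product} installed but not enabled"))
        elif not ep.realtime_protection:
            findings.append(Finding(ep.name, "ES-2", "real-time protection is disabled"))
        if ep.signature_time is None:
            findings.append(Finding(ep.name, "ES-3", "signature update time unknown"))
        elif now - ep.signature_time > MAX_SIGNATURE_AGE:
            age = (now - ep.signature_time).days
            findings.append(Finding(ep.name, "ES-3",
                                    f"signatures are {age} days old (limit {MAX_SIGNATURE_AGE.days})"))
    return findings


# Constructed inventory standing in for an assessment export ("Acme AV" is a
# hypothetical product name).
NOW = datetime(2022, 10, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Endpoint("web-01", "windows", "Microsoft Defender Antivirus", True, True, NOW - timedelta(days=1)),
    Endpoint("db-01", "windows", "Microsoft Antimalware", True, True, NOW - timedelta(days=12)),
    Endpoint("app-01", "linux", "Microsoft Defender for Endpoint", True, False, NOW - timedelta(hours=6)),
    Endpoint("legacy-01", "windows", None),
    Endpoint("batch-01", "linux", "Acme AV", True, True, NOW - timedelta(days=2)),
]


def sample_findings() -> List[Finding]:
    return assess(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.endpoint:10} {f.control}  {f.reason}")
```

On the constructed inventory, web-01 is healthy, db-01 fails ES-3 on signature age, app-01 and legacy-01 fail ES-2, and batch-01 is flagged for manual verification because its product is not on the approved list. Feed the findings to the same SIEM that receives the EDR alerts so that a machine running without protection is handled as an incident, not only as a posture score.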
Implementation and additional context
ES-1:
Protect your endpoints with Defender for Cloud's integrated EDR solution: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
Amazon GuardDuty EC2 finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html

ES-2:
Microsoft Defender supported endpoint protection solutions: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions-
Endpoint protection recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical

ES-3:
Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
Customer Security Stakeholders:
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

BR-1 | Backup and recovery
  CIS Controls v7.1: 10.1 - Ensure Regular Automated Backups
  CIS Controls v8: 11.2 - Perform Automated Backups
  NIST SP800-53 r4: CP-2: CONTINGENCY PLAN; CP-4: CONTINGENCY PLAN TESTING; CP-9: INFORMATION SYSTEM BACKUP
  PCI-DSS v3.2.1: N/A
  Recommendation: Ensure regular automated backups
  Security Principle: Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources.

BR-2 | Backup and recovery
  CIS Controls v7.1: 10.4 - Ensure Protection of Backups
  CIS Controls v8: 11.3 - Protect Recovery Data
  NIST SP800-53 r4: CP-6: ALTERNATE STORAGE SITE; CP-9: INFORMATION SYSTEM BACKUP
  PCI-DSS v3.2.1: 3.4
  Recommendation: Protect backup and recovery data
  Security Principle: Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, and data encryption at rest and in transit.

BR-3 | Backup and recovery
  CIS Controls v7.1: 10.4 - Ensure Protection of Backups
  CIS Controls v8: 11.3 - Protect Recovery Data
  NIST SP800-53 r4: CP-9: INFORMATION SYSTEM BACKUP
  PCI-DSS v3.2.1: N/A
  Recommendation: Monitor backups
  Security Principle: Ensure all business-critical protectable resources are compliant with the defined backup policy and standard.

BR-4 | Backup and recovery
  CIS Controls v7.1: 10.3 - Test Data on Backup Media
  CIS Controls v8: 11.5 - Test Data Recovery
  NIST SP800-53 r4: CP-4: CONTINGENCY PLAN TESTING; CP-9: INFORMATION SYSTEM BACKUP
  PCI-DSS v3.2.1: N/A
  Recommendation: Regularly test backup
  Security Principle: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
Azure Guidance
BR-1: For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VMs, use Azure Policy to have backup enabled automatically.

For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability.

For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster recovery needs and create your own mechanism as per your business requirements. For example:
- If you use Azure Storage for data storage, enable blob versioning for your storage blobs, which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage.
- Service configuration settings can usually be exported to Azure Resource Manager templates.

BR-2: Use multi-factor authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, and updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine-grained access, and create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vaults.

For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer-managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you provide.

Safeguard backup data from accidental or malicious deletion, such as ransomware attacks or attempts to encrypt or tamper with backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restore to ensure backup data is restorable when there is a disaster in the primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures.

Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls.

BR-3: Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate.

Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults.

Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup.

BR-4: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO.

You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing a full recovery test each time can be difficult.
Implementation and additional context
BR-1:
How to enable Azure Backup: https://docs.microsoft.com/azure/backup/
Auto-Enable Backup on VM Creation using Azure Policy: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup

BR-2:
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks
Azure Backup - set cross region restore: https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore

BR-3:
Govern your backup estate using Backup Center: https://docs.microsoft.com/azure/backup/backup-center-govern-environment
Monitor and operate backups using Backup center: https://docs.microsoft.com/azure/backup/backup-center-monitor-operate
Monitoring and reporting solutions for Azure Backup: https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview

BR-4:
How to recover files from Azure Virtual Machine backup: https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm
How to restore Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0
AWS Guidance
BR-1: For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period.

For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of resource creation.

For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster recovery needs and create your own mechanism as per your business requirements. For example:
- If Amazon S3 is used for data storage, enable S3 versioning for your bucket, which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket.
- Service configuration settings can usually be exported to CloudFormation templates.

BR-2: Use AWS IAM access control to secure AWS Backup. This includes securing AWS Backup service access and backup and restore points. Example controls include:
- Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point.
- Use Transport Layer Security (TLS) to communicate with AWS resources.
- Use AWS KMS in conjunction with AWS Backup to encrypt the backup data, using either a customer managed key or the AWS managed key associated with the AWS Backup service.
- Use AWS Backup Vault Lock for immutable storage of critical data.
- Secure S3 buckets through access policies, disabling public access, enforcing data at-rest encryption, and versioning.

BR-3: AWS Backup works with other AWS tools to help you monitor its workloads. These tools include the following:
- Use AWS Backup Audit Manager to monitor the backup operations and ensure compliance.
- Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes.
- Use CloudWatch to track metrics, create alarms, and view dashboards.
- Use EventBridge to view and monitor AWS Backup events.
- Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events.

BR-4: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO.

You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing a full recovery test each time can be difficult.
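The BR-3 and BR-4 checks in the Azure and AWS guidance above (every business-critical resource protected by a policy that meets the standard, newest recovery point within the RPO, last test restore within the RTO) reduce to comparing the backup estate against a written standard. The following Python is an added example, not Microsoft's or AWS's code. The standard, the resource inventory and the protection records are constructed; in practice they would be populated from Backup Center, AWS Backup Audit Manager, or the backup API of the platform in use, and the test-restore duration from the record of your last BR-4 recovery exercise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupStandard:
    """Constructed organisational backup standard; tune the values to your own policy."""
    max_frequency: timedelta   # backups must run at least this often
    min_retention: timedelta   # recovery points must be kept at least this long
    rpo: timedelta             # newest recovery point may be no older than this
    rto: timedelta             # a test restore must complete within this


@dataclass
class Resource:
    resource_id: str
    critical: bool             # e.g. from a "backup=required" tag or the resource type


@dataclass
class Protection:
    """What the backup service reports for one protected resource (field names are assumptions)."""
    resource_id: str
    frequency: timedelta                               # schedule of the assigned backup policy/plan
    retention: timedelta
    last_recovery_point: Optional[datetime]            # UTC; None if no backup has ever completed
    last_test_restore_duration: Optional[timedelta]    # from the most recent recovery test (BR-4)


def check_backups(resources: List[Resource], protections: List[Protection],
                  std: BackupStandard, now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant critical resource to the list of problems found."""
    by_id = {p.resource_id: p for p in protections}
    issues: Dict[str, List[str]] = {}
    for r in resources:
        if not r.critical:
            continue                      # non-critical resources are out of scope of the standard
        p = by_id.get(r.resource_id)
        if p is None:
            issues[r.resource_id] = ["BR-3: not protected by any backup policy"]
            continue
        problems: List[str] = []
        if p.frequency > std.max_frequency:
            problems.append(f"BR-3: backup every {p.frequency.days}d exceeds standard of {std.max_frequency.days}d")
        if p.retention < std.min_retention:
            problems.append(f"BR-3: retention {p.retention.days}d is below standard of {std.min_retention.days}d")
        if p.last_recovery_point is None:
            problems.append("BR-4: no recovery point exists")
        elif now - p.last_recovery_point > std.rpo:
            problems.append(f"BR-4: newest recovery point is {now - p.last_recovery_point} old, RPO is {std.rpo}")
        if p.last_test_restore_duration is None:
            problems.append("BR-4: no recovery test recorded")
        elif p.last_test_restore_duration > std.rto:
            problems.append(f"BR-4: last test restore took {p.last_test_restore_duration}, RTO is {std.rto}")
        if problems:
            issues[r.resource_id] = problems
    return issues


# Constructed sample: a standard, an inventory, and what the backup service reports.
NOW = datetime(2022, 10, 1, 12, 0, tzinfo=timezone.utc)
STANDARD = BackupStandard(max_frequency=timedelta(days=1), min_retention=timedelta(days=35),
                          rpo=timedelta(hours=24), rto=timedelta(hours=4))
SAMPLE_RESOURCES = [
    Resource("vm/erp-db-01", critical=True),
    Resource("vm/erp-app-01", critical=True),
    Resource("bucket/finance-reports", critical=True),
    Resource("vm/dev-sandbox", critical=False),
]
SAMPLE_PROTECTIONS = [
    Protection("vm/erp-db-01", timedelta(days=1), timedelta(days=90),
               NOW - timedelta(hours=6), timedelta(hours=2)),
    Protection("vm/erp-app-01", timedelta(days=7), timedelta(days=14),
               NOW - timedelta(days=3), timedelta(hours=6)),
]


def sample_issues() -> Dict[str, List[str]]:
    return check_backups(SAMPLE_RESOURCES, SAMPLE_PROTECTIONS, STANDARD, NOW)


if __name__ == "__main__":
    for resource_id, problems in sample_issues().items():
        for problem in problems:
            print(f"{resource_id}: {problem}")
```

In the sample, erp-db-01 is compliant, erp-app-01 fails on all four criteria, and the finance bucket is critical but has no protection at all, which is the case a pure "is the backup job succeeding" dashboard never shows. Running a check like this on a schedule, and alerting on any non-empty result, is the monitoring BR-3 asks for; the RPO and RTO comparisons turn the BR-4 test results into something the same alerting can consume.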
Implementation and additional context
BR-1:
AWS Backup supported resources and third-party applications: https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
Amazon S3 versioning: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
AWS CloudFormation best practices: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html

BR-2:
Security in AWS Backup: https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html
Security Best Practices for Amazon S3: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

BR-3:
AWS Backup Monitoring: https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html
Monitoring AWS Backup events using EventBridge: https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html
Monitoring AWS Backup metrics with CloudWatch: https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html
Using Amazon SNS to track AWS Backup events: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
Audit backups and create reports with AWS Backup Audit Manager: https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html

BR-4:
Restoring a backup: https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html
Customer Security Stakeholders:
BR-1:
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation

BR-2:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation

BR-3:
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture

BR-4:
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
DS-1 | DevOps Security
  CIS Controls v7.1: N/A
  CIS Controls v8: 16.10 - Apply Secure Design Principles in Application Architectures; 16.14 - Conduct Threat Modeling
  NIST SP800-53 r4: SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
  PCI-DSS v3.2.1: 6.5, 12.2
  Recommendation: Conduct threat modeling

DS-2 | DevOps Security
  CIS Controls v7.1: 18.3 - Verify That Acquired Software is Still Supported; 18.4 - Only Use Up-to-Date And Trusted Third-Party Components; 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities
  CIS Controls v8: 16.4 - Establish and Manage an Inventory of Third-Party Software Components; 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities; 16.11 - Leverage Vetted Modules or Services for Application Security Components
  NIST SP800-53 r4: SA-12: SUPPLY CHAIN PROTECTION; SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
  PCI-DSS v3.2.1: 6.3, 6.5
  Recommendation: Ensure software supply chain security

DS-3 | DevOps Security
  CIS Controls v7.1: 18.11 - Use Standard Hardening Configuration Templates for Databases
  CIS Controls v8: 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure
  NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
  PCI-DSS v3.2.1: 2.2, 6.3, 7.1
  Recommendation: Secure DevOps infrastructure

DS-4 | DevOps Security
  CIS Controls v7.1: 18.7 - Apply Static and Dynamic Code Analysis Tools
  CIS Controls v8: 16.12 - Implement Code-Level Security Checks
  NIST SP800-53 r4: SA-11: DEVELOPER TESTING AND EVALUATION
  PCI-DSS v3.2.1: 6.3, 6.5
  Recommendation: Integrate static application security testing into DevOps pipeline

DS-5 | DevOps Security
  CIS Controls v7.1: 18.7 - Apply Static and Dynamic Code Analysis Tools
  CIS Controls v8: 16.12 - Implement Code-Level Security Checks
  NIST SP800-53 r4: SA-11: DEVELOPER TESTING AND EVALUATION
  PCI-DSS v3.2.1: 6.3, 6.5
  Recommendation: Integrate dynamic application security testing into DevOps pipeline

DS-6 | DevOps Security
  CIS Controls v7.1: 5.2 - Maintain Secure Images; 5.3 - Securely Store Master Images; 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 18.1 - Establish Secure Coding Practices
  CIS Controls v8: 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets; 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets; 7.7 - Remediate Detected Vulnerabilities; 16.1 - Establish and Maintain a Secure Application Development Process; 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure
  NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
  PCI-DSS v3.2.1: 6.1, 6.2, 6.3
  Recommendation: Enforce security of workload throughout DevOps lifecycle

DS-7 | DevOps Security
  CIS Controls v7.1: 6.2 - Activate audit logging; 6.3 - Enable Detailed Logging; 6.5 - Central Log Management; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 6.8 - Regularly Tune SIEM
  CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.9 - Centralize Audit Logs; 8.11 - Conduct Audit Log Reviews
  NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
  PCI-DSS v3.2.1: 10.1, 10.2, 10.3, 10.6
  Recommendation: Enable logging and monitoring in DevOps
Security Principle
DS-1: Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure your threat modeling serves the following purposes:
- Secure your applications and services in the production run-time stage.
- Secure the artifacts, the underlying CI/CD pipeline and the other tooling environments used for build, test, and deployment.

The threat modeling should at least include the following aspects:
- Define the security requirements of the application. Ensure these requirements are adequately addressed in the threat modeling.
- Analyze application components, data connections and their relationships. Ensure this analysis also includes the upstream and downstream connections outside of your application scope.
- List the potential threats and attack vectors that your application components, data connections and upstream and downstream services may be exposed to.
- Identify the applicable security controls that can be used to mitigate the threats enumerated, and identify any control gaps (e.g., security vulnerabilities) that may require additional treatment plans.
- Enumerate and design the controls that can mitigate the vulnerabilities identified.

DS-2: Ensure your enterprise's SDLC (Software Development Lifecycle) or process includes a set of security controls to govern the in-house and third-party software components (including both proprietary and open-source software) on which your applications depend. Define gating criteria to prevent vulnerable or malicious components from being integrated and deployed into the environment.

The software supply chain security controls should at least include the following aspects:
- Properly manage a Software Bill of Materials (SBOM) by identifying the upstream dependencies required for the service/resource development, build, integration and deployment phases.
- Inventory and track the in-house and third-party software components for known vulnerabilities where a fix is available upstream.
- Assess the vulnerabilities and malware in the software components using static and dynamic application testing for unknown vulnerabilities.
- Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may include a local or upstream source code fix, feature exclusion and/or applying compensating controls if a direct mitigation is not available.
- If closed-source third-party components are used in your production environment, you may have limited visibility into their security posture. Consider additional controls such as access control, network isolation and endpoint security to minimize the impact if there is malicious activity or a vulnerability associated with the component.
Ensure the DevOps infrastructure and pipeline follow security best practices across environments, including your build, test, and production stages. This typically includes security controls for the following scope:

- Artifact repositories that store source code, built packages and images, project artifacts and business data.
- Servers, services, and tooling that host CI/CD pipelines.
- CI/CD pipeline configuration.

Ensure static application security testing (SAST), fuzz testing, interactive testing and mobile application testing are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from being committed into the repository, built into the packages, or deployed into production.
Ensure dynamic application security testing (DAST) is part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerabilities from being built into the packages or deployed into production.
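The gating control described in the two paragraphs above, as an added example that is not part of the benchmark: SAST and DAST results are read in a simplified SARIF 2.1.0 shape and evaluated against a policy in which any unsuppressed error-level result fails the stage, and warnings fail it once a tool exceeds its budget. Results carrying a suppression (a recorded waiver) are counted but do not block, which is how a gate distinguishes a reviewed exception from an unaddressed finding. The scan output, the tool names (example-sast, example-dast), the rule ids and the policy are constructed assumptions, not output from any real scanner.

```python
"""Evaluate SAST and DAST results as a gating control for a CI/CD stage.

Added example: the scan output is constructed in a simplified SARIF 2.1.0
shape (runs -> tool driver name and results with ruleId, level, suppressions,
locations); the tool names, rule ids and the gating policy are assumptions
for illustration, not the benchmark's or any scanner's real output.
"""
from __future__ import annotations

import json

# Constructed scan output: one SAST run over source files, one DAST run over a test deployment.
SCAN_RESULTS = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "example-sast"}},
         "results": [
             {"ruleId": "sql-injection", "level": "error",
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
             {"ruleId": "hardcoded-credential", "level": "error",
              # Suppressed in source with a recorded justification (a test fixture).
              "suppressions": [{"kind": "inSource"}],
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixture.py"}}}]},
             {"ruleId": "weak-hash", "level": "warning",
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/legacy.py"}}}]},
         ]},
        {"tool": {"driver": {"name": "example-dast"}},
         "results": [
             {"ruleId": "missing-csp-header", "level": "warning",
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example.test/"}}}]},
             {"ruleId": "missing-hsts-header", "level": "warning",
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example.test/login"}}}]},
         ]},
    ],
})

# Assumed policy: any unsuppressed result at a blocking level fails the gate,
# and warnings fail it once a tool reports more than the budget allows.
POLICY = {"block_levels": {"error"}, "warning_budget": 1}


def location(result: dict) -> str:
    """First reported location of a result, or '?' if the scanner gave none."""
    try:
        return result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    except (KeyError, IndexError):
        return "?"


def active_results(run: dict) -> list[dict]:
    """Results that still count: suppressed ones carry a recorded waiver."""
    return [r for r in run.get("results", []) if not r.get("suppressions")]


def evaluate_gate(sarif_json: str, policy: dict = POLICY) -> dict:
    """Apply the policy to every run and return the gate decision with its reasons."""
    blocking: list[str] = []
    per_tool: dict[str, dict[str, int]] = {}
    for run in json.loads(sarif_json)["runs"]:
        tool = run["tool"]["driver"]["name"]
        results = active_results(run)
        errors = [r for r in results if r.get("level") in policy["block_levels"]]
        warnings = [r for r in results if r.get("level") == "warning"]
        blocking.extend(f"{tool}:{r['ruleId']}@{location(r)}" for r in errors)
        if len(warnings) > policy["warning_budget"]:
            blocking.append(f"{tool}:warning-budget-exceeded({len(warnings)}>{policy['warning_budget']})")
        per_tool[tool] = {"errors": len(errors), "warnings": len(warnings),
                          "suppressed": len(run.get("results", [])) - len(results)}
    return {"pass": not blocking, "blocking": blocking, "per_tool": per_tool}


if __name__ == "__main__":
    verdict = evaluate_gate(SCAN_RESULTS)
    print("gate:", "PASS" if verdict["pass"] else "FAIL")
    for reason in verdict["blocking"]:
        print("  blocked by", reason)
```

In a pipeline the gate step would exit non-zero when "pass" is false, so that the commit, package build or deployment that follows it never runs; the per-tool counts are what you would publish to the build summary so the suppressed count stays visible to reviewers.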

Ensure the workload is secured throughout the entire lifecycle in the development, testing, and deployment stages. Use the Microsoft Cloud Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shifted left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process:
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface.
- Ensure VMs, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (that is, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow.
- Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities at run time.

Ensure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development processes). The vulnerabilities and threats targeting these environments can introduce significant risks to your production environment if they are not monitored properly. The events from the CI/CD build, test and deployment workflow should also be monitored to identify any deviations in the CI/CD workflow jobs.

Follow Microsoft Cloud Security Benchmark – Logging and Threat Detection as the guideline to implement your logging and monitoring controls for the workload.
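The "deviations in the CI/CD workflow jobs" that the logging guidance above asks you to identify, as an added example that is not part of the benchmark: a small detection pass over CI/CD audit events that flags privileged pipeline changes made by identities outside the approved set or outside the change window, production deployments from a non-release branch, and builds whose pipeline definition no longer matches the last reviewed one. The event records, identities, action names and configuration are constructed, and the event shape is an assumption rather than the audit schema of Azure DevOps, GitHub or any SIEM; the same rules would be expressed as SIEM queries once the audit stream is ingested.

```python
"""Flag deviations in CI/CD audit events: privileged pipeline changes by
unapproved identities or outside the change window, production deployments
from non-release branches, and builds whose pipeline definition drifted.

Added example: the event records, identities, action names and the
configuration are constructed for illustration; the event shape is an
assumption and not the audit schema of Azure DevOps, GitHub or any SIEM.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Actions that change how the pipeline runs and therefore need tight control.
PRIVILEGED_ACTIONS = {
    "PipelineDefinitionChanged", "ServiceConnectionCreated",
    "AgentPoolChanged", "VariableGroupSecretChanged",
}

# Assumed organisation settings (constructed).
CONFIG = {
    "pipeline_admins": {"dev-alice@example.test", "release-mgr@example.test"},
    "change_window_utc": (8, 18),  # hours; weekdays only
    "known_definition_hashes": {"api-release": "sha256:aa11"},  # last reviewed definition
}

# Constructed audit stream: 2024-01-15 is a Monday.
EVENTS = [
    {"ts": "2024-01-15T09:02:11Z", "actor": "dev-alice@example.test",
     "action": "PipelineDefinitionChanged", "pipeline": "api-release"},
    {"ts": "2024-01-15T09:10:40Z", "actor": "svc-build@example.test",
     "action": "BuildCompleted", "pipeline": "api-release", "definition_hash": "sha256:aa11"},
    {"ts": "2024-01-15T23:47:03Z", "actor": "contractor-bob@example.test",
     "action": "ServiceConnectionCreated", "pipeline": "api-release"},
    {"ts": "2024-01-16T02:15:09Z", "actor": "dev-alice@example.test",
     "action": "ReleaseDeployed", "pipeline": "api-release",
     "environment": "production", "branch": "feature/hotfix-x"},
    {"ts": "2024-01-16T10:30:00Z", "actor": "svc-build@example.test",
     "action": "BuildCompleted", "pipeline": "api-release", "definition_hash": "sha256:bb22"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used in EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_change_window(when: datetime, window: tuple[int, int]) -> bool:
    """True on a weekday between the window's start (inclusive) and end (exclusive) hour."""
    start, end = window
    return when.weekday() < 5 and start <= when.hour < end


def is_release_branch(branch: str) -> bool:
    """Only main and release/* are allowed to reach production in this configuration."""
    return branch == "main" or branch.startswith("release/")


def detect_deviations(events: list[dict], config: dict = CONFIG) -> list[dict]:
    """Run every rule over the events and return one alert per rule hit, in event order."""
    alerts: list[dict] = []

    def alert(event: dict, rule: str) -> None:
        alerts.append({"rule": rule, "ts": event["ts"], "actor": event["actor"],
                       "action": event["action"], "pipeline": event.get("pipeline")})

    for ev in events:
        when = parse_ts(ev["ts"])
        if ev["action"] in PRIVILEGED_ACTIONS:
            if ev["actor"] not in config["pipeline_admins"]:
                alert(ev, "privileged-change-by-unapproved-identity")
            if not in_change_window(when, config["change_window_utc"]):
                alert(ev, "privileged-change-outside-window")
        if (ev["action"] == "ReleaseDeployed" and ev.get("environment") == "production"
                and not is_release_branch(ev.get("branch", ""))):
            alert(ev, "production-deploy-from-non-release-branch")
        if ev["action"] == "BuildCompleted":
            expected = config["known_definition_hashes"].get(ev.get("pipeline"))
            if expected and ev.get("definition_hash") != expected:
                alert(ev, "pipeline-definition-drift")
    return alerts


if __name__ == "__main__":
    for a in detect_deviations(EVENTS):
        print(f"{a['ts']} {a['rule']}: {a['actor']} {a['action']} ({a['pipeline']})")
```

Each rule is independent, so one event can raise more than one alert (the after-hours service connection created by an unapproved identity raises two), which is the behaviour you want when the alerts are triaged separately by identity and by change-management owners.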
Azure Guidance
Use threat modeling tools such as the Microsoft threat modeling tool with the embedded Azure threat model template to drive your threat modeling process. Use the STRIDE model to enumerate threats from both internal and external sources and identify the applicable controls. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifact repository with a misconfigured access control policy.

If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats.

Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impacting change in your application or in the threat landscape.

For the GitHub platform, ensure software supply chain security through the following capabilities or tools from GitHub Advanced Security or GitHub's native features:
- Use Dependency Graph to scan, inventory and identify all your project's dependencies and related vulnerabilities through the Advisory Database.
- Use Dependabot to ensure that vulnerable dependencies are tracked and remediated, and that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
- Use GitHub's native code scanning capability to scan the source code when sourcing the code externally.
- Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container images in the CI/CD workflow.
For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate third-party software components and their vulnerabilities.
As part of applying the Microsoft Cloud Security Benchmark to your DevOps infrastructure security controls, prioritize the following controls:
- Protect artifacts and the underlying environment to ensure the CI/CD pipelines don't become avenues to insert malicious code. For example, review the core areas of Azure DevOps such as Organization, Projects, Users, Pipelines (Build & Release), Connections, and Build Agents for misconfigurations such as open access, weak authentication, insecure connection setup and so on. For GitHub, use similar controls to secure the Organization permission levels.
- Ensure your DevOps infrastructure is deployed consistently across development projects. Track compliance of your DevOps infrastructure at scale by using Microsoft Defender for Cloud (such as the Compliance Dashboard, Azure Policy, Cloud Posture Management) or your own compliance monitoring tools.
- Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized.
- Avoid providing permanent "standing" privileged access to human accounts such as developers or testers by using features such as Azure managed identities and just-in-time access.
- Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or Azure Key Vault.
- If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment.

Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as Azure Monitor and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.

Integrate SAST into your pipeline (e.g., in your infrastructure as code template) so the source code can be
scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate the below
tools and third-party SAST tools into the workflow.
- GitHub CodeQL for source code analysis.
- Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis.
- Azure DevOps Credential Scanner (Microsoft Security DevOps extension) and GitHub native secret
scanning for credential scan in the source code.
Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD
workflow set in Azure DevOps or GitHub. The automated penetration testing (with manual assisted
validation) should also be part of the DAST.

Azure DevOps Pipeline or GitHub supports the integration of third-party DAST tools into the CI/CD
workflow.

Guidance for Azure VMs:
- Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images.
- Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration.

Guidance for Azure container services:
- Use Azure Container Registry (ACR) to create your private container registry where granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry.
- Use Defender for Containers for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate the container image scans as part of your CI/CD workflows.

For Azure serverless services, adopt similar controls to ensure security controls "shift left" to the stage prior to deployment.

Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such
as Azure DevOps and GitHub) used throughout the DevOps process.

The events generated from Azure DevOps and the GitHub CI/CD workflow, including the build, test and
deployment jobs, should also be monitored to identify any anomalous results.

Ingest the above logs and events into Microsoft Sentinel or other SIEM tools through a logging stream or
API to ensure the security incidents are properly monitored and triaged for handling.
Azure Implementation and additional context
Threat Modeling Overview: https://www.microsoft.com/securityengineering/sdl/threatmodeling

Application threat analysis (including STRIDE + questionnaire based method): https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model

Azure Template - Microsoft Security Threat Model Stencil: https://github.com/AzureArchitecture/threat-model-templates

GitHub Dependency Graph: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph

GitHub Dependabot: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates

Identify vulnerable container images in your CI/CD workflows: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-cicd

Azure DevOps Marketplace – supply chain security: https://marketplace.visualstudio.com/search?term=tag%3ASupply%20Chain%20Security&target=VSTS

DevSecOps controls overview – secure pipelines: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls

Secure your GitHub organization: https://docs.github.com/en/code-security/getting-started/securing-your-organization

Azure DevOps pipeline – Microsoft hosted agent security considerations: https://docs.microsoft.com/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#security

GitHub CodeQL: https://codeql.github.com/docs/

BinSkim Binary Analyzer: https://github.com/microsoft/binskim

Azure DevOps Credential Scan: https://secdevtools.azurewebsites.net/helpcredscan.html

GitHub secret scanning: https://docs.github.com/en/code-security/secret-security/about-secret-scanning

DAST tools in Azure DevOps marketplace: https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories

Shared Image Gallery overview: https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries

How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations

Security considerations for Azure Container: https://docs.microsoft.com/azure/container-instances/container-instances-image-security

Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction

Azure DevOps - audit streaming: https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops

GitHub logging: https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization
AWS Guidance
Use threat modeling tools such as the Microsoft threat modeling tool with the embedded Azure threat model template to drive your threat modeling process. Use the STRIDE model to enumerate threats from both internal and external sources and identify the applicable controls. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifact repository with a misconfigured access control policy.

If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats.

Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impacting change in your application or in the threat landscape.

If you use AWS CI/CD platforms such as CodeCommit or CodePipeline, ensure software supply chain security by using CodeGuru Reviewer to scan the source code (for Java and Python) in the CI/CD workflows. Platforms such as CodeCommit and CodePipeline also support third-party extensions to implement similar controls to inventory, analyze and remediate third-party software components and their vulnerabilities.

If you manage your source code through the GitHub platform, ensure software supply chain security through the following capabilities or tools from GitHub Advanced Security or GitHub's native features:
- Use Dependency Graph to scan, inventory and identify all your project's dependencies and related vulnerabilities through the Advisory Database.
- Use Dependabot to ensure that vulnerable dependencies are tracked and remediated, and that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
- Use GitHub's native code scanning capability to scan the source code when sourcing the code externally.
- If applicable, use Microsoft Defender for Cloud to integrate vulnerability assessment for your container images in the CI/CD workflow.
As part of applying the Microsoft Cloud Security Benchmark to the security controls of your DevOps infrastructure, such as GitHub, CodeCommit, CodeArtifact, CodePipeline, CodeBuild and CodeDeploy, prioritize the following controls:
- Refer to this guidance and the AWS Well-Architected Framework security pillar to secure your DevOps environments in AWS.
- Protect artifacts and the underlying supporting infrastructure to ensure the CI/CD pipelines don't become avenues to insert malicious code.
- Ensure your DevOps infrastructure is deployed and sustained consistently across development projects. Track compliance of your DevOps infrastructure at scale by using AWS Config or your own compliance check solution.
- Use CodeArtifact to securely store and share software packages used for application development. You can use CodeArtifact with popular build tools and package managers such as Maven, Gradle, npm, yarn, pip, and twine.
- Configure identity/role permissions and permission policies in AWS IAM, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized.
- Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or AWS KMS.
- If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Use AWS Inspector to scan the EC2 or containerized environments used as build environments for vulnerabilities.

Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as AWS CloudTrail, CloudWatch and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.

Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow.

If using AWS CodeCommit, use AWS CodeGuru Reviewer for Python and Java source code analysis. AWS CodePipeline can also support integration of third-party SAST tools into the code deployment pipeline.

If using GitHub, the tools below and third-party SAST tools can be integrated into the workflow.
- GitHub CodeQL for source code analysis.
- Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis.
- GitHub native secret scanning for credential scan in the source code.
- AWS CodeGuru Reviewer for Python and Java source code analysis.
Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in AWS CodePipeline or GitHub. Automated penetration testing (with manually assisted validation) should also be part of the DAST.

AWS CodePipeline or GitHub supports integration of third-party DAST tools into the CI/CD workflow.

Use Amazon Elastic Container Registry to share and control access to your images by different users and roles within your organization, and use AWS IAM to ensure that only authorized users can access your custom images.

Define the secure configuration baselines for the EC2 AMI images to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom AMI images, CloudFormation templates, and/or AWS Config Rules.

Use AWS Inspector for vulnerability scanning of VMs and containerized environments, securing them from malicious manipulation.

For AWS serverless services, use AWS CodePipeline in conjunction with AWS AppConfig to adopt similar controls to ensure security controls "shift left" to the stage prior to deployment.

Enable and configure AWS CloudTrail for audit logging in non-production and CI/CD tooling environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) used throughout the DevOps process.

The events generated from the AWS CI/CD environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results.

Ingest the above logs and events into AWS CloudWatch, Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure security incidents are properly monitored and triaged for handling.
AWS Implementation and additional context
Microsoft Threat Modeling Tool: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

How to approach threat modeling for AWS: https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/

Application threat analysis (including STRIDE + questionnaire based method): https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model

GitHub Dependency Graph: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph

GitHub Dependabot: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates

DevOps in AWS: https://aws.amazon.com/devops/

Software Bill of Materials: https://www.cisa.gov/sbom

AWS Well-architected Framework - security pillar: https://wa.aws.amazon.com/wat.pillar.security.en.html

Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/

Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/

AWS ECR image scanning: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

AWS Inspector: https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html

AWS AppConfig: https://docs.aws.amazon.com/appconfig/latest/userguide/getting-started-with-appconfig.html

Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3

GitHub Logging: https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization
Customer Security Stakeholders:
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center

Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
ID | Control Domain | Recommendation, followed by the mapped CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP800-53 r4 ID(s) and PCI-DSS v3.2.1 ID(s) for each control:

GS-1 | Governance and Strategy | Align organization roles, responsibilities and accountabilities
CIS Controls v7.1: 17.2 - Deliver Training to Fill the Skills Gap
CIS Controls v8: 14.9 - Conduct Role-Specific Security Awareness and Skills Training
NIST SP800-53 r4: PL-9: CENTRAL MANAGEMENT; PM-10: SECURITY AUTHORIZATION PROCESS; PM-13: INFORMATION SECURITY WORKFORCE; AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES; AT-3: ROLE-BASED SECURITY TRAINING
PCI-DSS v3.2.1: 12.4

GS-2 | Governance and Strategy | Define and implement enterprise segmentation/separation of duties strategy
CIS Controls v7.1: 2.10 - Physically or Logically Segregate High Risk Applications; 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8: 3.12 - Segment Data Processing and Storage Based on Sensitivity
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; SC-2: APPLICATION PARTITIONING
PCI-DSS v3.2.1: 1.2; 6.4

GS-3 | Governance and Strategy | Define and implement data protection strategy
CIS Controls v7.1: 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8: 3.1 - Establish and Maintain a Data Management Process; 3.7 - Establish and Maintain a Data Classification Scheme; 3.12 - Segment Data Processing and Storage Based on Sensitivity
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SI-4: INFORMATION SYSTEM MONITORING; SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY; SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT; SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES; SC-28: PROTECTION OF INFORMATION AT REST; RA-2: SECURITY CATEGORIZATION
PCI-DSS v3.2.1: 3.1; 3.2; 3.3; 3.4; 3.5; 3.6; 3.7; 4.1; A3.2

GS-4 | Governance and Strategy | Define and implement network security strategy
CIS Controls v7.1: 12.1 - Maintain an Inventory of Network Boundaries
CIS Controls v8: 12.2 - Establish and Maintain a Secure Network Infrastructure; 12.4 - Establish and Maintain Architecture Diagram(s)
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; AC-17: REMOTE ACCESS; CA-3: SYSTEM INTERCONNECTIONS; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; CM-7: LEAST FUNCTIONALITY; SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
PCI-DSS v3.2.1: 1.1; 1.2; 1.3; 1.5; 4.1; 6.6; 11.4; A2.1; A2.2; A2.3; A3.2

GS-5 | Governance and Strategy | Define and implement security posture management strategy
CIS Controls v7.1: 5.1 - Establish Secure Configurations
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4: CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES; CA-8: PENETRATION TESTING; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; RA-1: RISK ASSESSMENT POLICY AND PROCEDURES; RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING; SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES; SI-2: FLAW REMEDIATION; SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
PCI-DSS v3.2.1: 1.1; 1.2; 2.2; 6.1; 6.2; 6.5; 6.6; 11.2; 11.3; 11.5

GS-6 | Governance and Strategy | Define and implement identity and privileged access strategy
CIS Controls v7.1: 4.5 - Use Multifactor Authentication For All Administrative Access; 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 5.6 - Centralize Account Management; 6.5 - Require MFA for Administrative Access; 6.7 - Centralize Access Control
NIST SP800-53 r4: AC-1: ACCESS CONTROL POLICY AND PROCEDURES; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-4: INFORMATION FLOW ENFORCEMENT; AC-5: SEPARATION OF DUTIES; AC-6: LEAST PRIVILEGE; IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-4: IDENTIFIER MANAGEMENT; IA-5: AUTHENTICATOR MANAGEMENT; IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS); IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 7.1; 7.2; 7.3; 8.1; 8.2; 8.3; 8.4; 8.5; 8.6; 8.7; 8.8; A3.4

GS-7 | Governance and Strategy | Define and implement logging, threat detection and incident response strategy
CIS Controls v7.1: 6.2 - Activate audit logging; 6.3 - Enable Detailed Logging; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 19.1 - Document Incident Response Procedures; 19.5 - Maintain Contact Information For Reporting Security Incidents; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel
CIS Controls v8: 8.1 - Establish and Maintain an Audit Log Management Process; 13.1 - Centralize Security Event Alerting; 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents; 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises
NIST SP800-53 r4: AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES; IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES; IR-2: INCIDENT RESPONSE TRAINING; IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM; SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES; SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
PCI-DSS v3.2.1: 10.1; 10.2; 10.3; 10.4; 10.5; 10.6; 10.7; 10.8; 10.9; 12.10; A3.5

GS-8 | Governance and Strategy | Define and implement backup and recovery strategy
CIS Controls v7.1: 10.1 - Ensure Regular Automated Backups
CIS Controls v8: 11.1 - Establish and Maintain a Data Recovery Process
NIST SP800-53 r4: CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES; CP-9: INFORMATION SYSTEM BACKUP; CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
PCI-DSS v3.2.1: 3.4

GS-9 | Governance and Strategy | Define and implement endpoint security strategy
CIS Controls v7.1: 8.1 - Utilize Centrally Managed Anti-malware Software; 9.4 - Apply Host-Based Firewalls or Port-Filtering
CIS Controls v8: 4.4 - Implement and Manage a Firewall on Servers; 10.1 - Deploy and Maintain Anti-Malware Software
NIST SP800-53 r4: SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SC-3: SECURITY FUNCTION ISOLATION
PCI-DSS v3.2.1: 5.1; 5.2; 5.3; 5.4; 11.5

GS-10 | Governance and Strategy | Define and implement DevOps security strategy
CIS Controls v7.1: 5.1 - Establish Secure Configurations; 18.1 - Establish Secure Coding Practices; 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities
CIS Controls v8: 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure; 16.1 - Establish and Maintain a Secure Application Development Process; 16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities
NIST SP800-53 r4: SA-12: SUPPLY CHAIN PROTECTION; SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS; CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES; CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE; SA-11: DEVELOPER TESTING AND EVALUATION; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 2.2; 6.1; 6.2; 6.3; 6.5; 7.1; 10.1; 10.2; 10.3; 10.6; 12.2

GS-11 | Governance and Strategy | Define and implement multi-cloud security strategy
CIS Controls v7.1: N/A
CIS Controls v8: N/A
NIST SP800-53 r4: N/A
PCI-DSS v3.2.1: N/A
Security Principle
N/A (GS-1 to GS-11)
General Guidance
Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize
providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate
technical teams on technology to secure the cloud.

Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application,
subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to
communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and
access models, and application permission/access models, and human process controls.

Establish an enterprise-wide strategy for data protection in your cloud environment:

- Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification.
- Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
- Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources.
- Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form.
- Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.

Establish a cloud network security strategy as part of your organization’s overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements:
- A centralized/decentralized network management and security responsibility model to deploy and maintain network resources.
- A virtual network segmentation model aligned with the enterprise segmentation strategy.
- An Internet edge and ingress and egress strategy.
- A hybrid cloud and on-premises interconnectivity strategy.
- A network monitoring and logging strategy.
- Up-to-date network security artifacts (such as network diagrams and reference network architecture).

Establish a policy, procedure and standard to ensure that security configuration management and vulnerability management are in place in your cloud security mandate.

Security configuration management in the cloud should include the following areas:
- Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services.
- Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on.
- Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline.
- Develop a cadence to stay updated with security features, for instance, subscribe to the service updates.
- Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified.

Vulnerability management in the cloud should include the following security aspects:
- Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates.
- Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regulatory compliance requirements for your organization.

Establish a cloud identity and privileged access approach as part of your organization’s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects:
- Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems
- Privileged identity and access governance (such as access request, review and approval)
- Privileged accounts in emergency (break-glass) situations
- Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions
- Secure access for administrative operations through web portal/console, command-line and API.

For exception cases, where an enterprise system isn’t used, ensure adequate security controls are in place for identity, authentication and access management, and that they are governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as:
- Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
- Privileged users authenticated locally and/or using non-strong authentication methods

Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. The security operations (SecOps / SOC) team should prioritize high quality alerts and a seamless experience so that they can focus on threats rather than log integration and manual steps.
This strategy should include documented policy, procedure and standards for the following aspects:
- The security operations (SecOps) organization's role and responsibilities
- A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks.
- Communication and notification plan with your customers, suppliers, and public parties of interest.
- Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
- Preference for using extended detection and response (XDR) capabilities such as Azure Defender capabilities to detect threats in the various areas.
- Use of cloud native capability (e.g., Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication.
- Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
- Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements.
- Centralized visibility of, and correlation of, information about threats, using SIEM, native cloud threat detection capability, and other sources.
- Post-incident activities, such as lessons learned and evidence retention.

Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards in the following aspects:
- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements.
- Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and on premises. Consider regional, region-pair, cross-regional recovery and off-site storage locations as part of your strategy.
- Protection of backups from unauthorized access and tampering using controls such as data access control, encryption and network security.
- Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attacks, and also securing the backup and recovery data itself from these attacks.
- Monitoring the backup and recovery data and operations for audit and alerting purposes.

Establish a cloud endpoint security strategy which includes the following aspects:
- Deploy endpoint detection and response and antimalware capability onto your endpoints and integrate them with the threat detection and SIEM solution and security operations process.
- Follow the Microsoft Cloud Security Benchmark to ensure endpoint related security settings in other respective areas (such as network security, posture and vulnerability management, identity and privileged access, and logging and threat detection) are also in place to provide defense-in-depth protection for your endpoints.
- Prioritize endpoint security in your production environment, but ensure that non-production environments (such as the test and build environments used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into production.

Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization.

Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different types of automation (such as infrastructure-as-code provisioning, and automated SAST and DAST scans) throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and the ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last-minute security surprises when deploying a workload into production.

When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM templates) to define guardrails in the IaC (infrastructure as code), and resource provisioning and audit controls to restrict which services or configurations can be provisioned into the environment.

For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services.

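One way to express the provisioning guardrail described above, as an added example that is not part of the benchmark itself: a custom Azure Policy definition that denies the creation of any resource type not on an approved list. The display name, the `allowedTypes` parameter and its sample default values are my own choices and are not from the page; assign the definition at a management-group scope so it applies to every subscription in that part of the hierarchy.

```json
{
  "properties": {
    "displayName": "Guardrail: allow only approved resource types (example)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Added example, not a built-in policy. Denies ARM deployments (template, CLI or portal) whose resource type is not in the allowedTypes parameter.",
    "parameters": {
      "allowedTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved resource types",
          "description": "Sample default list, constructed for this example; replace with the types your segmentation strategy permits."
        },
        "defaultValue": [
          "Microsoft.Storage/storageAccounts",
          "Microsoft.KeyVault/vaults",
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Network/virtualNetworks"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "notIn": "[parameters('allowedTypes')]"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Because the rule is evaluated by Azure Resource Manager before a resource is created, it blocks non-compliant provisioning regardless of which pipeline or person submits the deployment, which is what makes it a guardrail rather than a post-deployment audit.
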
Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation processes, which should include the following aspects:
- Multi-cloud adoption: For organizations that operate multi-cloud infrastructure, educate your organization to ensure teams understand the feature differences between the cloud platforms and technology stacks. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption.
- Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated.
- Tooling and technology stack: Choose the appropriate tooling that supports a multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark.

Implementation and additional context

Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey

Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology

Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud

Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect

Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy

Azure Security Benchmark - Data Protection:
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection

Cloud Adoption Framework - Azure data security and encryption best practices:
https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices

Azure Security Fundamentals - Azure Data security, encryption, and storage:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview

Azure Security Best Practice 11 - Architecture. Single unified security strategy:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy

Azure Security Benchmark - Network Security:
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security

Azure network security overview:
https://docs.microsoft.com/azure/security/fundamentals/network-overview

Enterprise network architecture strategy:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture

Azure Security Benchmark - Posture and vulnerability management:
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management

Azure Security Best Practice 9 - Establish security posture management:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management

Azure Security Benchmark - Identity management:
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management

Azure Security Benchmark - Privileged access:
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access

Azure Security Best Practice 11 - Architecture. Single unified security strategy:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy

Azure identity management security overview:
https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview

Azure Security Benchmark - Logging and threat detection:
https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection

Azure Security Benchmark - Incident response:
https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response

Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud:
https://aka.ms/AzSec4

Azure Adoption Framework, logging, and reporting decision guide:
https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/

Azure enterprise scale, management, and monitoring:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring

NIST SP 800-61 Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Azure Security Benchmark - Backup and recovery:
https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery

Azure Well-Architected Framework - Backup and disaster recovery for Azure applications:
https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery

Azure Adoption Framework - business continuity and disaster recovery:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery

Backup and restore plan to protect against ransomware:
https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

Azure Security Benchmark - Endpoint security:
https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security

Best practices for endpoint security on Azure:
https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints

Azure Security Benchmark - DevOps security:
https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security

Secure DevOps:
https://www.microsoft.com/securityengineering/devsecops

Cloud Adoption Framework - DevSecOps controls:
https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls

Azure hybrid and multicloud:
https://docs.microsoft.com/en-us/hybrid/

Azure hybrid and multicloud documentation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview

AWS to Azure services comparison:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services

Azure for AWS professionals:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/

Customer Security Stakeholders:
All stakeholders (for each control in this section):
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
