
MCSB_v1 - Posture and Vulnerability Mgmt

Each control below is listed with the following fields: ID and Recommendation, Control Domain, CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP800-53 r4 ID(s), PCI-DSS v3.2.1 ID(s), Security Principle, Azure Guidance, Azure Implementation and additional context, AWS Guidance, AWS Implementation and additional context, and Customer Security Stakeholders.
PV-1: Define and establish secure configurations
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations; 11.1 - Maintain Standard Security Configurations for Network Devices
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 1.1, 2.2
Security Principle: Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment.
Azure Guidance: Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources. Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy.
Azure Implementation and additional context:
  Illustration of Guardrails implementation in Enterprise Scale Landing Zone: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition
  Working with security policies in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-policy
  Tutorial: Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
  Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview
AWS Guidance: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architected Framework to understand the critical security controls and configurations that may be needed across AWS resources. Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments.
AWS Implementation and additional context:
  AWS Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
  AWS Config rules: https://aws.amazon.com/config/
  AWS landing zone
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-2: Audit and enforce secure configurations
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration.
Azure Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.
Azure Implementation and additional context:
  Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
  Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
  Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data
AWS Guidance: Use AWS Config rules to audit configurations of your AWS resources. You can choose to resolve the configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when there is a configuration deviation detected on the resources. For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. You can also centrally monitor your configuration drift by onboarding your AWS account to Microsoft Defender for Cloud.
AWS Implementation and additional context:
  Remediating Noncompliant AWS Resources by AWS Config Rules: https://docs.aws.amazon.com/config/latest/developerguide/remediation.html
  Detecting unmanaged configuration changes to stacks and resources: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html
  AWS Config Conformance Pack: https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
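The audit/deny/deploy distinction in PV-2 is easiest to see in code. The following is an added example (not Microsoft, Azure Policy or AWS Config code) that evaluates a constructed inventory against a constructed baseline of three rules, one per effect: an audit rule only records non-compliance, a deny rule additionally rejects a new deployment that violates it, and a deployIfNotExists rule triggers remediation of the missing setting. The rule names, resource names and property values are sample data; the property aliases are modelled on Azure Resource Manager shapes but are not taken from any real policy definition.

```python
"""
Added example, not code from Microsoft, Azure or AWS: a small evaluator that
mirrors how a configuration baseline is audited and enforced with Azure Policy
effects (audit, deny, deployIfNotExists) or AWS Config rules with remediation.
Rule names, resource names and property values below are constructed samples.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    name: str           # constructed rule name
    resource_type: str  # resource type the rule applies to
    path: str           # dotted path inside the resource's "properties"
    expected: Any       # value the baseline requires
    effect: str         # "audit", "deny" or "deployIfNotExists"


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    actual: Any
    expected: Any
    action: str         # "noncompliant" (audit/deny) or "remediate" (deployIfNotExists)


# Constructed baseline: three rules, one for each effect.
BASELINE = [
    Rule("storage-https-only", "Microsoft.Storage/storageAccounts",
         "supportsHttpsTrafficOnly", True, "deny"),
    Rule("storage-min-tls", "Microsoft.Storage/storageAccounts",
         "minimumTlsVersion", "TLS1_2", "audit"),
    Rule("vm-guest-config-extension", "Microsoft.Compute/virtualMachines",
         "extensions.GuestConfiguration", True, "deployIfNotExists"),
]

# Constructed inventory, shaped loosely like Azure Resource Manager resources.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprod01",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
     "properties": {"extensions": {}}},
]


def get_path(obj: dict, path: str) -> Any:
    """Walk a dotted path; a missing key evaluates to None (i.e. non-compliant)."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(obj: dict, path: str, value: Any) -> None:
    """Create intermediate dicts as needed and set the leaf value."""
    parts = path.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def violations(resource: dict, rules: list[Rule]) -> list[Rule]:
    """Rules of matching type whose expected value the resource does not carry."""
    return [r for r in rules
            if r.resource_type == resource["type"]
            and get_path(resource.get("properties", {}), r.path) != r.expected]


def check_deployment(resource: dict, rules: list[Rule]) -> tuple[bool, list[str]]:
    """Deny effect at deployment time: reject the request if any deny rule is violated."""
    denied = [r.name for r in violations(resource, rules) if r.effect == "deny"]
    return (not denied, denied)


def evaluate_existing(resources: list[dict], rules: list[Rule]) -> list[Finding]:
    """Continuous audit: every violated rule becomes a finding tagged with the action
    its effect implies (audit and deny only report on already-deployed resources)."""
    findings = []
    for res in resources:
        for r in violations(res, rules):
            action = "remediate" if r.effect == "deployIfNotExists" else "noncompliant"
            findings.append(Finding(r.name, res["name"],
                                    get_path(res.get("properties", {}), r.path),
                                    r.expected, action))
    return findings


def remediate(resources: list[dict], rules: list[Rule]) -> tuple[list[dict], set[str]]:
    """deployIfNotExists: deploy the missing configuration on a copy of the inventory
    and return that copy together with the names of the resources that changed."""
    fixed = deepcopy(resources)
    changed: set[str] = set()
    for res in fixed:
        for r in violations(res, rules):
            if r.effect == "deployIfNotExists":
                set_path(res.setdefault("properties", {}), r.path, r.expected)
                changed.add(res["name"])
    return fixed, changed


if __name__ == "__main__":
    for f in evaluate_existing(SAMPLE_RESOURCES, BASELINE):
        print(f"{f.action:12} {f.resource:10} {f.rule}: got {f.actual!r}, want {f.expected!r}")
    allowed, why = check_deployment(
        {"type": "Microsoft.Storage/storageAccounts", "name": "stnew",
         "properties": {"supportsHttpsTrafficOnly": False}}, BASELINE)
    print("deployment of stnew allowed:", allowed, why)
```

Run stand-alone, the audit reports two non-compliant settings on stlegacy and one remediable gap on vm-web-01, remediation changes only the VM, and the deployment of stnew is rejected by the deny rule alone even though its TLS setting would also fail the audit rule. That last point is the practical difference between the effects: a deny rule is the only one that stops drift before it exists.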
PV-3: Define and establish secure configurations for compute resources
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations; 5.5 - Implement Automated Configuration Monitoring Systems
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2, 11.5
Security Principle: Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template.
Azure Guidance: Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline. Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration.
Azure Implementation and additional context:
  Linux OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux
  Windows OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows
  Security configuration recommendation for compute resources: https://docs.microsoft.com/azure/security-center/recommendations-reference
  Azure Automation State Configuration Overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
AWS Guidance: Use EC2 Amazon Machine Images (AMI) from trusted sources on the marketplace as a benchmark to define your EC2 configuration baseline. Additionally, you can use EC2 Image Builder to build a custom AMI template with a Systems Manager agent to establish the desired security configuration. Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS. For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS Systems Manager AppConfig to establish the desired configuration baseline.
AWS Implementation and additional context:
  Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-4: Audit and enforce secure configurations for compute resources
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources.
Azure Guidance: Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines. Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Azure Implementation and additional context:
  How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
  How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
  Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
  Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
  Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security
  Change Tracking and Inventory overview: https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2
  Guest attestation for confidential VMs: https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms
AWS Guidance: Use the State Manager feature of AWS Systems Manager to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates and custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements. You can also centrally monitor and manage operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods:
  - Onboard your AWS account into Microsoft Defender for Cloud
  - Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud
For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS Systems Manager AppConfig to audit and enforce the desired configuration baseline. Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services.
AWS Implementation and additional context:
  AWS Systems Manager State Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html
  Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
  Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-5: Perform vulnerability assessments
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 3.1 - Run Automated Vulnerability Scanning Tools; 3.3 - Protect Dedicated Assessment Accounts; 3.6 - Compare Back-to-back Vulnerability Scans
CIS Controls v8 ID(s): 5.5 - Establish and Maintain an Inventory of Service Accounts; 7.1 - Establish and Maintain a Vulnerability Management Process; 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets; 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
NIST SP800-53 r4 ID(s): RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING
PCI-DSS v3.2.1 ID(s): 6.1, 6.2, 6.6, 11.2
Security Principle: Perform vulnerability assessments for your cloud resources at all tiers on a fixed schedule or on demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all types of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning.
Azure Guidance: Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications). Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Track the status of vulnerability findings to ensure they are properly remediated or suppressed if they're considered false positives. Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from the Microsoft Defender for Cloud vulnerability scanning tool. Note: Ensure you set up email notifications in Microsoft Defender for Cloud.
Azure Implementation and additional context:
  How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
  Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment
  SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment
  Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results
AWS Guidance: Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications). Refer to control ES-1, "Use Endpoint Detection and Response (EDR)", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
AWS Implementation and additional context:
  Amazon Inspector: https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
  Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management: https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-6: Rapidly and automatically remediate vulnerabilities
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 3.4 - Deploy Automated Operating System Patch Management Tools; 3.5 - Deploy Automated Software Patch Management Tools; 3.7 - Utilize a Risk-rating Process
CIS Controls v8 ID(s): 7.2 - Establish and Maintain a Remediation Process; 7.3 - Perform Automated Operating System Patch Management; 7.4 - Perform Automated Application Patch Management; 7.7 - Remediate Detected Vulnerabilities
NIST SP800-53 r4 ID(s): RA-3: RISK ASSESSMENT; RA-5: VULNERABILITY SCANNING; SI-2: FLAW REMEDIATION
PCI-DSS v3.2.1 ID(s): 6.1, 6.2, 6.5, 11.2
Security Principle: Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. Prioritize which updates to deploy first using a common risk scoring program (such as the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and tailor them to your environment. You should also consider which applications present a high security risk and which ones require high uptime.
Azure Guidance: Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.
Azure Implementation and additional context:
  How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview
  Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm
AWS Guidance: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems. You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.
AWS Implementation and additional context:
  AWS Systems Manager - Patch Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
  Update Management overview: https://docs.microsoft.com/en-us/azure/automation/update-management/overview
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
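PV-5 asks for exported scan results to be compared with previous scans, and PV-6 asks for remediation to be ordered by a risk score such as CVSS tailored to asset value. The following added example (not Microsoft, Defender for Cloud or Amazon Inspector code) does both over two constructed CSV exports: it classifies each finding as remediated, new or persisting, then ranks the open findings by CVSS weighted with an asset criticality tier. The finding identifiers (EXAMPLE-nnnn placeholders, not CVE numbers), host names, scores and criticality tiers are all constructed sample data; a real export would carry the scanner's own columns.

```python
"""
Added example, not code from Microsoft, Azure or AWS: compares two exported
vulnerability scan results to confirm remediation (PV-5) and ranks the findings
that remain open by CVSS weighted with asset value (PV-6). Scan rows, finding
identifiers (EXAMPLE-nnnn placeholders, not real CVE numbers) and asset
criticality tiers are constructed samples.
"""
import csv
import io

# Constructed exports from two consecutive scans; columns mimic a typical CSV export.
PREVIOUS_SCAN = """asset,finding_id,cvss
web-01,EXAMPLE-0001,9.8
web-01,EXAMPLE-0002,5.3
db-01,EXAMPLE-0003,7.5
test-03,EXAMPLE-0004,9.1
"""

CURRENT_SCAN = """asset,finding_id,cvss
web-01,EXAMPLE-0002,5.3
db-01,EXAMPLE-0003,7.5
db-01,EXAMPLE-0005,4.0
test-03,EXAMPLE-0004,9.1
"""

# Constructed asset-value tiers; the multipliers are the "tailor to your environment" knob.
ASSET_CRITICALITY = {"db-01": "critical", "web-01": "high", "test-03": "low"}
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.5, "low": 1.0}


def parse_scan(text: str) -> dict[tuple[str, str], float]:
    """Map (asset, finding_id) -> CVSS base score for one exported scan."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["asset"], row["finding_id"]): float(row["cvss"]) for row in reader}


def diff_scans(previous: dict, current: dict) -> dict[str, set[tuple[str, str]]]:
    """Classify findings: remediated (gone), new (appeared), persisting (still open).
    Persisting findings are the ones to chase for remediation status or a documented
    false-positive suppression; remediated ones are the evidence that a fix landed."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": prev_keys - cur_keys,
        "new": cur_keys - prev_keys,
        "persisting": prev_keys & cur_keys,
    }


def risk_score(cvss: float, asset: str) -> float:
    """CVSS weighted by asset value; assets with no recorded tier default to 'medium'."""
    tier = ASSET_CRITICALITY.get(asset, "medium")
    return cvss * CRITICALITY_WEIGHT[tier]


def prioritize(current: dict) -> list[tuple[str, str, float]]:
    """Open findings ordered for remediation: highest weighted risk first, raw CVSS as tie-break."""
    ranked = [(asset, fid, risk_score(cvss, asset)) for (asset, fid), cvss in current.items()]
    ranked.sort(key=lambda r: (r[2], current[(r[0], r[1])]), reverse=True)
    return ranked


if __name__ == "__main__":
    prev, cur = parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN)
    for bucket, keys in diff_scans(prev, cur).items():
        print(f"{bucket:10} {sorted(keys)}")
    for asset, fid, score in prioritize(cur):
        print(f"{score:5.1f}  {asset:8} {fid}")
```

The ranking illustrates the principle in PV-6 directly: the 9.1 finding on the low-value test-03 host lands at the bottom of the queue, below a 4.0 on the critical database server, because the asset weight is applied to the CVSS score rather than CVSS being used alone.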
PV-7: Conduct regular red team operations
Control Domain: Posture and Vulnerability Management
CIS Controls v7.1 ID(s): 20.1 - Establish a Penetration Testing Program; 20.2 - Conduct Regular External and Internal Penetration Tests; 20.3 - Perform Periodic Red Team Exercises
CIS Controls v8 ID(s): 18.1 - Establish and Maintain a Penetration Testing Program; 18.2 - Perform Periodic External Penetration Tests; 18.3 - Remediate Penetration Test Findings; 18.4 - Validate Security Measures; 18.5 - Perform Periodic Internal Penetration Tests
NIST SP800-53 r4 ID(s): CA-8: PENETRATION TESTING; RA-5: VULNERABILITY SCANNING
PCI-DSS v3.2.1 ID(s): 6.6, 11.2, 11.3
Security Principle: Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks. Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners.
Azure Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Azure Implementation and additional context:
  Penetration testing in Azure: https://docs.microsoft.com/azure/security/fundamentals/pen-testing
  Penetration Testing Rules of Engagement: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1
  Microsoft Cloud Red Teaming: https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
  Technical Guide to Information Security Testing and Assessment: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
AWS Guidance: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings. Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies.
AWS Implementation and additional context:
  AWS Customer Support Policy for Penetration Testing: https://aws.amazon.com/security/penetration-testing/
Customer Security Stakeholders:
  Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
  Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
  Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops