
MCSB v2 - Asset Management

Fields listed for each control: Control ID, Implementation ID, Control Name, Control Type, Core Pillar, Azure Policy, Security Principle, Risk to mitigate, MITRE ATT&CK, Implementation example, Criticality, and mappings to NIST SP 800-53 Rev.5, PCI-DSS v4, CIS Controls v8.1, NIST CSF v2.0, ISO 27001:2022 and SOC 2.
AM-1 Track asset inventory and their risks
Control ID: AM-1
Control type: Parent
Core pillar: Asset inventory and visibility
Azure Policy: No Azure Policy available
Criticality: Must have

Security principle: Maintain a comprehensive, continuously updated inventory of all assets with automated discovery and classification capabilities. Ensure security organizations have real-time visibility into asset configurations, risk posture, and business criticality across all environments to support effective threat detection, incident response, and compliance verification.

Risk to mitigate: Organizations operating without comprehensive asset inventory and continuous risk monitoring face critical security blind spots that prevent effective threat detection, incident response, and security posture management. Without systematic asset tracking:
- Unknown attack surface exposure: Security teams cannot protect assets they don't know exist, allowing attackers to exploit unmonitored resources and establish persistent access through shadow IT infrastructure.
- Incomplete security coverage: Security controls, monitoring, and compliance policies cannot be applied to undiscovered assets, creating gaps in protection and detection capabilities.
- Ineffective incident response prioritization: Lack of asset criticality classification and business impact assessment prevents appropriate incident prioritization, leading to misallocated resources and delayed response to critical threats.
- Compliance and audit failures: Regulatory frameworks require comprehensive asset inventories for security controls, change management, and data protection verification; absence of an accurate inventory creates compliance violations and failed audits.
- Stale security risk assessment: Security organizations cannot evaluate e

MITRE ATT&CK:
- Initial Access (TA0001): exploit public-facing application (T1190) targeting unknown or unmonitored internet-facing resources that security teams failed to discover during asset inventory processes.
- Persistence (TA0003): create account (T1136) establishing persistent access in shadow IT resources and unmonitored subscriptions outside centralized security visibility and governance.
- Defense Evasion (TA0005): unused/unsupported cloud regions (T1535) deploying malicious infrastructure in cloud regions not included in asset inventory and security monitoring coverage.

Implementation example: An organization with hybrid cloud infrastructure operating across Azure, on-premises data centers, and AWS discovered it lacked comprehensive visibility into its complete asset inventory, creating compliance risks and unknown security exposures.
Challenge: The organization struggled with fragmented asset visibility across multiple environments. Cloud resources deployed in Azure, on-premises servers in regional data centers, and AWS workloads existed in separate management silos without a unified inventory. Security teams lacked comprehensive visibility into asset criticality, vulnerability status, and compliance posture. Regulatory audits identified gaps in asset tracking required for PCI-DSS and HIPAA compliance. Shadow IT proliferation created unmonitored resources consuming budget while exposing the organization to security risks.
Solution approach:
- Unified inventory platform: Deployed Azure Resource Graph queries discovering all Azure resources across multiple subscriptions with daily automated inventory updates. Implemented Azure Arc-enabled servers, onboarding 500+ on-premises Windows and Linux servers plus 200+ AWS EC2 instances and enabling unified inventory management. Configured the multicloud connector for AWS integration, discovering EC2 instances, S3 buckets, and RDS databases and projecting them into Azure Resource Graph for consolidated asset visibility.
- Asset classification and governance: Implemented a mandatory tagging strategy using Azure Policy requiring business criticality, data classification, cost center, and compliance scope tags on all resources, including Arc-enabled servers, before provisioning. Established business criticality classification with a Critical tag for business-critical systems, High for sensitive data storage, Medium for internal applications, and Low for development environments.
- Security visibility and monitoring: Configured Microsoft Defender for Cloud asset inventory with the Security Reader role granted to the security operations center (SOC) team at Root Management Group level for enterprise-wide visibility across Azure and Arc-enabled resources. Deployed vulnerability assessment using Microsoft Defender Vulnerability Management across all Azure and Arc-enabled virtual machines with automated remediation workflows. Extended Azure Policy enforcement to Arc-enabled servers, applying security baselines, encryption requirements, and diagnostic logging policies.
- Executive reporting: Created Azure Workbooks dashboards for security leadership showin

NIST SP 800-53 Rev.5: CM-8, CM-8(1), CM-8(2), CM-8(3), PM-5, RA-2
PCI-DSS v4: 2.4.1, 2.4.2, 12.5.2
CIS Controls v8.1: 1.1, 1.2, 1.3, 1.4, 2.1
NIST CSF v2.0: ID.AM-1, ID.AM-2, ID.AM-4
ISO 27001:2022: A.5.9, A.8.1, A.8.2
SOC 2: CC6.1, CC7.2
AM-1.1 Implement comprehensive asset inventory and discovery
Control ID: AM-1
Implementation ID: AM-1.1
Control type: Child
Core pillar: Asset inventory and visibility
Azure Policy: No Azure Policy available
Security principle: as for AM-1.

Implementation: Accurate and comprehensive asset inventory forms the foundation of effective security operations, enabling threat detection, incident response, compliance reporting, and risk management across cloud environments. Without complete visibility, security teams cannot protect assets they don't know exist, leaving blind spots for adversaries to exploit. Automated discovery and classification capabilities ensure the inventory remains current as infrastructure scales and evolves, eliminating manual tracking that becomes outdated within days. Deploy Azure Resource Graph and Microsoft Defender for Cloud asset inventory to maintain a comprehensive, continuously updated inventory of all Azure resources with automated discovery and classification capabilities.
Azure Resource Graph query capabilities:
- Cross-subscription asset discovery: Query all resources across multiple subscriptions and management groups using Kusto Query Language (KQL), aggregating a complete asset inventory for security operations and incident response.
- Asset criticality queries: Query resources by business criticality tags, identifying Critical and High-priority assets requiring enhanced security monitoring and faster incident response prioritization.
- Shadow IT detection queries: Identify resources without required ownership, cost center, or compliance scope tags, indicating unapproved provisioning that bypassed security review and governance processes.
- Orphaned resource identification: Query unattached disks, unused public IP addresses, idle
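The three query categories above (criticality, shadow IT, orphaned resources) reduce to checks over the rows Resource Graph returns. The following added example (not code from the benchmark or from Microsoft) implements those checks locally over constructed records shaped like Resource Graph output; the resource ids, tag names and values are invented for the example. In practice the same functions would consume rows fetched from Azure Resource Graph (for instance the JSON output of an `az graph query`), which is an assumption about the surrounding pipeline rather than anything shown here.

```python
"""Inventory checks modelled on Azure Resource Graph rows (added example, runs locally).

The records below are constructed sample data, not output from a real tenant.
Field names (id, type, tags, managedBy, properties) follow the column shape the
Resource Graph 'Resources' table returns; the values are invented.
"""
from collections import defaultdict

# Tags the tagging strategy requires on every resource (constructed policy).
REQUIRED_TAGS = ("owner", "costCenter", "complianceScope", "businessCriticality")

# Constructed sample inventory (resource ids shortened for readability).
SAMPLE_INVENTORY = [
    {"id": "/sub-a/rg-pay/vm/pay-web-01", "type": "microsoft.compute/virtualmachines",
     "subscriptionId": "sub-a", "managedBy": None, "properties": {},
     "tags": {"Owner": "payments", "CostCenter": "CC100",
              "ComplianceScope": "PCI", "BusinessCriticality": "Critical"}},
    {"id": "/sub-a/rg-pay/disk/pay-web-01-os", "type": "microsoft.compute/disks",
     "subscriptionId": "sub-a", "managedBy": "/sub-a/rg-pay/vm/pay-web-01", "properties": {},
     "tags": {"owner": "payments", "costCenter": "CC100",
              "complianceScope": "PCI", "businessCriticality": "Critical"}},
    # Unattached disk with no tags at all: orphaned and a shadow IT candidate.
    {"id": "/sub-b/rg-misc/disk/old-data", "type": "microsoft.compute/disks",
     "subscriptionId": "sub-b", "managedBy": "", "properties": {}, "tags": {}},
    # Public IP with no IP configuration and an empty owner tag.
    {"id": "/sub-b/rg-misc/pip/legacy-ip", "type": "microsoft.network/publicipaddresses",
     "subscriptionId": "sub-b", "managedBy": None,
     "properties": {"ipConfiguration": None}, "tags": {"owner": ""}},
    {"id": "/sub-a/rg-dev/st/devstore01", "type": "microsoft.storage/storageaccounts",
     "subscriptionId": "sub-a", "managedBy": None, "properties": {},
     "tags": {"owner": "dev", "costCenter": "CC200",
              "complianceScope": "none", "businessCriticality": "Low"}},
]


def _normalized_tags(resource):
    """Azure tag names are case-insensitive, so compare them lower-cased.
    A tag present with an empty value counts as missing."""
    return {k.lower(): v for k, v in (resource.get("tags") or {}).items() if v}


def find_untagged(resources, required=REQUIRED_TAGS):
    """Map resource id -> missing required tags (shadow IT / governance gaps)."""
    findings = {}
    for r in resources:
        present = _normalized_tags(r)
        missing = [t for t in required if t.lower() not in present]
        if missing:
            findings[r["id"]] = missing
    return findings


def find_orphaned(resources):
    """Ids of unattached managed disks and public IPs with no IP configuration."""
    orphans = []
    for r in resources:
        rtype = r["type"].lower()
        props = r.get("properties") or {}
        if rtype == "microsoft.compute/disks" and not r.get("managedBy"):
            orphans.append(r["id"])
        elif rtype == "microsoft.network/publicipaddresses" and not props.get("ipConfiguration"):
            orphans.append(r["id"])
    return orphans


def by_criticality(resources):
    """Group resource ids by businessCriticality tag; untagged fall under 'Unclassified'."""
    groups = defaultdict(list)
    for r in resources:
        groups[_normalized_tags(r).get("businesscriticality", "Unclassified")].append(r["id"])
    return dict(groups)


if __name__ == "__main__":
    print("missing tags:", find_untagged(SAMPLE_INVENTORY))
    print("orphaned:", find_orphaned(SAMPLE_INVENTORY))
    print("by criticality:", by_criticality(SAMPLE_INVENTORY))
```

Two details matter when turning this into a scheduled job: tag names are compared case-insensitively because Azure treats them that way, so `Owner` and `owner` must not produce a false "missing tag" finding, and a tag that exists with an empty value is treated as missing, since an empty owner tag gives the SOC nobody to contact.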
AM-1.2 Extend inventory to hybrid and multicloud environments
Control ID: AM-1
Implementation ID: AM-1.2
Control type: Child
Core pillar: Asset inventory and visibility
Azure Policy: No Azure Policy available
Security principle: as for AM-1.

Implementation: Hybrid and multicloud environments fragment asset visibility across management consoles and security tools, creating blind spots where unmanaged resources harbor vulnerabilities and policy violations. Projecting distributed infrastructure into a unified control plane enables consistent governance, security monitoring, and compliance reporting regardless of hosting location. This unified approach eliminates the operational complexity and security gaps inherent in managing separate inventories for each environment. Deploy Azure Arc to project on-premises, edge, and multicloud resources into Azure Resource Manager, enabling unified asset inventory, governance, and security management across hybrid environments. Unify hybrid and multicloud asset inventory through these capabilities:
Azure Arc-enabled asset discovery:
- Azure Arc-enabled servers: Onboard Windows and Linux physical servers and virtual machines hosted outside Azure (on-premises, VMware, Hyper-V, AWS EC2, Google Compute Engine), projecting them into Azure as native Azure resources (Azure Arc-enabled servers).
- Azure Arc-enabled Kubernetes: Connect and manage Kubernetes clusters running anywhere, including on-premises, AWS EKS, Google GKE, and other cloud providers, with unified governance and GitOps deployment (Azure Arc-enabled Kubernetes).
- Azure Arc-enabled SQL Managed Instance: Manage Azure Arc-enabled SQL Managed Instance deployments running on-premises or in other clouds with unified inventory, lifecycle management, and secur
AM-1.3 Grant security organization inventory access
Control ID: AM-1
Implementation ID: AM-1.3
Control type: Child
Core pillar: Asset inventory and visibility
Azure Policy: No Azure Policy available
Security principle: as for AM-1.

Implementation: Security teams require comprehensive visibility across all assets to detect threats, investigate incidents, and measure risk posture without depending on infrastructure teams for access or manual data collection. Appropriate read-only permissions enable security operations while preventing privilege escalation or operational disruption. Centralized access management ensures security organizations maintain visibility even as cloud environments grow and organizational structures evolve. Ensure security organizations have appropriate permissions to view and monitor asset inventory using the Security Reader role, Azure RBAC, and management group scoping for comprehensive visibility without excessive privileges. Configure security team asset visibility through these permissions:
Security organization permission strategy:
- Security Reader role assignment: Grant the Security Reader role at management group or subscription scope, enabling security teams to view resources, security alerts, and recommendations without modification capabilities.
- Management group scoping: Apply permissions at Root Management Group level for enterprise-wide security visibility, or scope to specific business units based on organizational structure.
- Defender for Cloud access: Ensure security teams have access to Defender for Cloud asset inventory, security recommendations, and compliance dashboards for centralized risk visibility.
- Azure Resource Graph query access: Provide security analysts access to Azure Resource Graph Explorer
AM-1.4 Monitor asset risks and security posture
Control ID: AM-1
Implementation ID: AM-1.4
Control type: Child
Core pillar: Asset inventory and visibility
Azure Policy: No Azure Policy available
Security principle: as for AM-1.

Implementation: A static asset inventory provides insufficient security visibility when threats and configurations change continuously across dynamic cloud environments. Continuous risk monitoring transforms inventory data into actionable security intelligence, identifying emerging vulnerabilities, configuration drift, and compliance violations before adversaries exploit them. Automated assessment enables security teams to prioritize remediation based on actual risk rather than reacting to incidents after exploitation. Implement continuous risk monitoring using Microsoft Defender for Cloud Secure Score, the Azure Security Baseline, and vulnerability assessment to track asset security posture and emerging risks. Establish continuous asset risk monitoring through these capabilities:
Continuous risk assessment:
- Secure Score monitoring: Track Microsoft Defender for Cloud Secure Score across subscriptions and management groups, measuring overall security posture and control effectiveness.
- Security recommendation tracking: Monitor security recommendations by severity level, with prioritization based on asset criticality, potential impact, and threat intelligence.
- Vulnerability assessment integration: Automated vulnerability scanning for virtual machines using Qualys or Microsoft Defender Vulnerability Management with risk-based remediation prioritization.
- Compliance dashboard monitoring: Track regulatory compliance status for assets subject to PCI-DSS, HIPAA, ISO 27001, and other frameworks with gap analysis and rem
AM-2 Use only approved services
Control ID: AM-2
Control type: Parent
Core pillar: Service approval and application control
Azure Policy:
- Azure API Management platform version should be stv2
- Storage accounts should be migrated to new Azure Resource Manager resources
Criticality: Should have

Security principle: Enforce service approval processes restricting which cloud services users can provision through policy-based controls and monitoring. Ensure all deployed services undergo security review, compliance validation, and proper configuration hardening before production use, preventing shadow IT and unauthorized service sprawl.

Risk to mitigate: Uncontrolled cloud service provisioning creates significant security risks through shadow IT, configuration vulnerabilities, and compliance violations. Without service approval enforcement:
- Shadow IT security gaps: Unapproved services bypass security review processes, operate without security monitoring, and lack proper configuration hardening, creating exploitable vulnerabilities.
- Compliance framework violations: Unvetted services may not meet regulatory requirements for data protection, audit logging, or encryption, leading to compliance failures and potential regulatory sanctions.
- Increased attack surface: Each new service type expands the attack surface with unique security configurations, APIs, and integration points that security teams lack the expertise to properly secure.
- Cost overruns and budget waste: Uncontrolled service provisioning leads to duplicate capabilities, unused resources, and unexpected charges, undermining financial governance and budget predictability.
- Operational complexity: Proliferation of service types increases operational complexity, training requirements, and support burden while fragmenting security monitoring and incident response capabilities.
- Data governance failures

MITRE ATT&CK:
- Initial Access (TA0001): valid accounts (T1078) using legitimate user credentials to provision unapproved services with security misconfigurations that attackers exploit for initial access.
- Resource Development (TA0042): acquire infrastructure (T1583) provisioning unapproved cloud services to establish attack infrastructure, command-and-control capabilities, or malicious workloads, bypassing security review processes.
- Defense Evasion (TA0005): unused/unsupported cloud regions (T1535) deploying malicious infrastructure in unapproved cloud regions outside security monitoring coverage.

Implementation example: A healthcare organization operating under HIPAA compliance requirements faced challenges with unauthorized cloud services deployed without proper security validation, creating compliance risks and audit findings.
Challenge: Developers deployed Azure services without formal security assessment, resulting in HIPAA audit findings identifying unapproved services processing protected health information (PHI). The organization lacked centralized service approval processes and technical enforcement mechanisms preventing unauthorized deployments. Compliance teams discovered Azure Cognitive Services and Azure OpenAI Service processing PHI without completing required risk assessments. Shadow IT proliferation created compliance gaps, with 40+ service types deployed without documented security controls or encryption validation.
Solution approach:
- Governance framework: Established a Service Validation Board composed of security, compliance, and engineering leadership reviewing new service requests with mandatory security assessment, compliance validation, and data classification analysis. Created a service catalog documenting approved services with security baselines, encryption requirements, compliance controls, and approved use cases.
- Technical enforcement: Deployed an Allowed Resource Types Policy at management group level restricting provisioning to approved compute (Virtual Machines, Azure Kubernetes Service, Container Instances), storage (Blob Storage, Azure Files, Queue Storage), database (Azure SQL Database, Cosmos DB, Azure Database for PostgreSQL), and networking (Virtual Network, Network Security Groups, Application Gateway, Azure Firewall) services. Implemented a Regional Restriction Policy limiting deployment to approved Azure regions matching HIPAA data residency requirements. Configured SKU Restriction Policies preventing premium-tier and ultra-performance SKUs in development and test subscriptions.
- Continuous monitoring: Created Azure Monitor alert rules for policy violation attempts, with Azure Logic Apps workflows creating ServiceNow incidents and notifying resource owners and the security operations team. Granted policy exemptions for innovation sandbox subscriptions, enabling evaluation of new services without production restrictions.
- Developer enablement: Published Infrastructure-as-Code templates, including Terraform modules and Bicep templates, for approved services with security configurations pre-applied, accelerating compliant resource deployment.

NIST SP 800-53 Rev.5: CM-7, CM-7(1), CM-7(2), SA-3, SA-8
PCI-DSS v4: 1.2.6, 2.2.7, 6.3.2
CIS Controls v8.1: 2.3, 2.7, 4.1
NIST CSF v2.0: ID.AM-3, PR.IP-1, PR.PT-3
ISO 27001:2022: A.5.23, A.8.9, A.8.19
SOC 2: CC6.1, CC6.6, CC7.2
AM-2.1 Implement Azure Policy service restrictions
Control ID: AM-2
Implementation ID: AM-2.1
Control type: Child
Core pillar: Service approval and application control
Azure Policy:
- Azure API Management platform version should be stv2
- Storage accounts should be migrated to new Azure Resource Manager resources
Security principle: as for AM-2.

Implementation: Unrestricted service provisioning enables users to deploy unsupported, insecure, or non-compliant cloud services that bypass security review and introduce vulnerabilities into production environments. Each unapproved service expands the attack surface with potentially misconfigured security settings, unpatched software, or unmonitored access points that adversaries exploit. Enforcing approved service catalogs ensures only security-validated, operationally supported services reach production while maintaining controlled innovation in development environments. Deploy Azure Policy with deny policies and audit policies to restrict service provisioning to approved Azure service types, with exceptions for approved innovation projects and development environments. Control service provisioning through these enforcement mechanisms:
Service restriction policy framework:
- Allowed resource types policy: Define a comprehensive allowed resource types policy listing approved Azure services including virtual machines, storage accounts, databases, and platform services.
- Denied resource types policy: Explicit deny policies for services prohibited due to security concerns, compliance restrictions, or operational limitations, with clear documentation of the rationale.
- Regional restriction policies: Restrict resource provisioning to approved Azure regions based on data residency requirements, compliance mandates, and operational support capabilities.
- SKU and tier restrictions: Limit resource SKUs and service tiers to
AM-2.2 Monitor and alert on unapproved service usage
Control ID: AM-2
Implementation ID: AM-2.2
Control type: Child
Core pillar: Service approval and application control
Azure Policy:
- Azure API Management platform version should be stv2
- Storage accounts should be migrated to new Azure Resource Manager resources
Security principle: as for AM-2.

Implementation: Policy enforcement prevents unapproved provisioning, but detecting existing non-compliant resources and monitoring for policy violations enables security teams to identify exceptions, respond to violations, and maintain continuous compliance visibility. Real-time detection transforms reactive compliance audits into proactive security operations, enabling rapid response to potential security risks introduced through unapproved services. Automated alerting ensures security teams address violations before adversaries discover and exploit misconfigured resources. Implement Azure Monitor alert rules and Microsoft Defender for Cloud recommendations to detect unapproved service provisioning attempts and existing non-compliant resources. Detect and respond to unapproved services through these monitoring capabilities:
Unapproved service detection:
- Azure Activity Log monitoring: Monitor the Azure Activity Log for resource creation events, comparing them against the approved service catalog with real-time alerting on policy violations.
- Azure Policy compliance dashboard: Track policy compliance status across subscriptions, identifying resources in a non-compliant state requiring remediation or decommissioning.
- Defender for Cloud recommendations: Leverage Defender for Cloud security recommendations identifying resources requiring configuration changes or services operating outside security baselines.
- Custom alert rules: Create custom Azure Monitor alert rules for specific service types or configuration patterns requi
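AM-2.1 (the allowed resource types policy with sandbox exceptions) and AM-2.2 (Activity Log monitoring against the approved catalog) are two sides of one mechanism, so the following added example covers both. It is not code from the benchmark or from Microsoft: the policy dictionary mirrors the rule shape of Azure Policy's built-in "Allowed resource types" definition, the evaluator understands only the `field`, `in` and `not` operators that rule uses (a teaching model, not the Azure Policy engine), and the approved catalogue, the exempt sandbox scope and the Activity Log events are constructed for the example.

```python
"""Service approval: an 'Allowed resource types' rule plus Activity Log screening.

Added example that runs locally. ALLOWED_TYPES_POLICY mirrors the rule shape of
the built-in Azure Policy "Allowed resource types" definition; the evaluator
below handles only the field / in / not operators that rule needs. Catalogue,
exempt scope and Activity Log events are constructed, not from a real tenant.
"""

ALLOWED_TYPES_POLICY = {
    "mode": "All",
    "parameters": {
        "listOfResourceTypesAllowed": {
            "type": "Array",
            "metadata": {"displayName": "Allowed resource types",
                         "strongType": "resourceTypes"},
        }
    },
    "policyRule": {
        "if": {"not": {"field": "type",
                       "in": "[parameters('listOfResourceTypesAllowed')]"}},
        "then": {"effect": "deny"},
    },
}

# Constructed approved-service catalogue passed as the assignment parameter.
# Child types (e.g. Microsoft.Compute/virtualMachines/extensions) must be listed
# explicitly too, because the rule compares the full resource type string.
APPROVED_TYPES = [
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/virtualMachines/extensions",
    "Microsoft.Compute/disks",
    "Microsoft.Storage/storageAccounts",
    "Microsoft.Network/virtualNetworks",
    "Microsoft.Network/networkSecurityGroups",
]

# Scopes exempted from the assignment (constructed innovation-sandbox subscription).
EXEMPT_SCOPES = ["/subscriptions/sandbox-0000"]

PREFIX, SUFFIX = "[parameters('", "')]"


def _resolve(value, params):
    """Resolve a "[parameters('name')]" expression against assignment parameters."""
    if isinstance(value, str) and value.startswith(PREFIX) and value.endswith(SUFFIX):
        return params[value[len(PREFIX):-len(SUFFIX)]]
    return value


def _condition(cond, resource, params):
    """Evaluate the subset of Azure Policy conditions used by the rule above."""
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    field = str(resource.get(cond["field"], ""))
    if "in" in cond:
        # Resource type comparison is case-insensitive in Azure Policy.
        return field.lower() in {v.lower() for v in _resolve(cond["in"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policy=ALLOWED_TYPES_POLICY, allowed=APPROVED_TYPES, exempt=EXEMPT_SCOPES):
    """Return 'deny', 'allow' or 'exempt' for one resource record ({id, type, ...})."""
    if any(resource["id"].lower().startswith(s.lower()) for s in exempt):
        return "exempt"
    rule = policy["policyRule"]
    params = {"listOfResourceTypesAllowed": allowed}
    return rule["then"]["effect"] if _condition(rule["if"], resource, params) else "allow"


# Constructed Activity Log events (field names as the Activity Log uses them).
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "caller": "alice@example.test",
     "resourceId": "/subscriptions/prod-0001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/app01"},
    # Created before the deny assignment existed: still running, non-compliant.
    {"operationName": "Microsoft.CognitiveServices/accounts/write", "status": "Succeeded",
     "caller": "bob@example.test",
     "resourceId": "/subscriptions/prod-0001/resourceGroups/rg-ai/providers/Microsoft.CognitiveServices/accounts/phi-ocr"},
    # Blocked by the policy: the failed write carries the RequestDisallowedByPolicy code.
    {"operationName": "Microsoft.CognitiveServices/accounts/write", "status": "Failed",
     "caller": "carol@example.test",
     "statusMessage": "RequestDisallowedByPolicy: Resource was disallowed by policy.",
     "resourceId": "/subscriptions/prod-0001/resourceGroups/rg-ai/providers/Microsoft.CognitiveServices/accounts/phi-ocr2"},
    # Same type inside the exempt sandbox: permitted there, no alert.
    {"operationName": "Microsoft.CognitiveServices/accounts/write", "status": "Succeeded",
     "caller": "dave@example.test",
     "resourceId": "/subscriptions/sandbox-0000/resourceGroups/rg-lab/providers/Microsoft.CognitiveServices/accounts/lab01"},
]


def screen_activity_log(events, allowed=APPROVED_TYPES, exempt=EXEMPT_SCOPES):
    """Return (alert kind, caller, resourceId) for unapproved creations and blocked attempts."""
    alerts = []
    for ev in events:
        op = ev["operationName"]
        if not op.lower().endswith("/write"):
            continue                                   # only create/update operations
        rtype = op[:-len("/write")]                    # e.g. Microsoft.CognitiveServices/accounts
        verdict = evaluate({"id": ev["resourceId"], "type": rtype}, allowed=allowed, exempt=exempt)
        if ev["status"] == "Failed" and "RequestDisallowedByPolicy" in ev.get("statusMessage", ""):
            alerts.append(("policy_violation_attempt", ev["caller"], ev["resourceId"]))
        elif ev["status"] == "Succeeded" and verdict == "deny":
            alerts.append(("unapproved_resource_exists", ev["caller"], ev["resourceId"]))
    return alerts


if __name__ == "__main__":
    for alert in screen_activity_log(SAMPLE_EVENTS):
        print(*alert)
```

The two alert kinds map to the two monitoring needs named above: a failed write denied by policy is an attempt worth routing to the resource owner and the SOC, while a succeeded write of a non-approved type is a resource that predates the assignment (or slipped through an exemption) and needs remediation or decommissioning rather than an alert on the caller.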
AM-3 Ensure security of asset lifecycle management
Control ID: AM-3
Control type: Parent
Core pillar: Asset lifecycle and access management
Azure Policy: API endpoints that are unused should be disabled and removed from the Azure API Management service
Criticality: Should have

Security principle: Implement secure asset lifecycle management from provisioning through decommissioning with security-by-default configurations, change control processes, and systematic disposal procedures. Ensure all lifecycle phases include security validation, audit logging, and approval workflows for high-impact modifications to prevent security degradation and maintain compliance.

Risk to mitigate: Inadequate asset lifecycle management creates security vulnerabilities throughout resource provisioning, modification, and decommissioning processes. Without proper lifecycle controls:
- Insecure resource provisioning: Resources deployed without security hardening, encryption, monitoring, or network controls operate in a vulnerable state from inception, creating an immediate attack surface.
- Configuration drift and unauthorized changes: Uncontrolled resource modifications bypass security review processes, leading to misconfigurations, compliance violations, and security control degradation.
- Orphaned resource accumulation: Resources persist after projects end or teams disband, consuming budget while creating unmonitored attack surface with stale credentials and outdated security patches.
- Incomplete decommissioning: Improper resource deletion leaves data remnants, storage accounts, network configurations, and identity assignments, creating data exposure risks and compliance violations.
- Privilege escalation through lifecycle gaps: Attackers exploit lifecycle management weaknesses to provision malicious resources, modify security configurations, or maintain persistence after detection attempts.
- Audit trail

MITRE ATT&CK:
- Persistence (TA0003): create or modify system process (T1543) exploiting weak lifecycle controls to deploy persistent backdoors during resource provisioning without security review.
- Privilege Escalation (TA0004): abuse elevation control mechanism (T1548) modifying resource permissions and access controls during lifecycle changes to gain unauthorized elevated privileges.
- Defense Evasion (TA0005): impair defenses (T1562) disabling security monitoring and logging during resource modification processes, bypassing detection capabilities.

Implementation example: An organization with 3,000+ cloud resources across Azure and on-premises infrastructure faced challenges with lifecycle management, creating security incidents from misconfigured resources and excessive costs from orphaned infrastructure.
Challenge: Development teams deployed resources without standardized security configurations, resulting in 25% of new deployments missing encryption or logging requirements. Production resources lacked deletion protection, with three significant incidents where critical resources were accidentally deleted, causing business disruption. The organization maintained 400+ orphaned resources, including unattached disks, unused public IP addresses, and idle virtual machines, consuming $120,000 annually. Change management processes relied on manual reviews unable to detect security configuration drift. Resource decommissioning lacked formal procedures, leading to incomplete data deletion and lingering access permissions.
Solution approach:
- Provisioning standardization: Deployed Azure Deployment Stacks with security-hardened resource templates ensuring encryption enabled, private endpoints configured, and diagnostic logging activated for all production resources, configured with a DenyDelete deny assignment. Published Infrastructure-as-Code templates and modules with security baselines pre-applied, preventing misconfiguration at provisioning time.
- Change protection: Implemented Azure Resource Locks on all production resource groups, preventing accidental deletion and unauthorized modifications to critical infrastructure. Established a change control board reviewing high-impact modifications including identity provider changes, network security group modifications, and administrative privilege assignments. Deployed Azure Policy deny effects preventing security configuration regression, including policies blocking public internet access enablement, encryption disablement, and diagnostic logging removal.
- Decommissioning governance: Deployed decommissioning checklists in Azure DevOps requiring data backup verification, access revocation confirmation, and compliance team signoff before production resource deletion. Implemented soft delete policies for key vaults, storage accounts, and databases, providing a 90-day recovery window.
- Orphaned resource management: Created Azure Automation runbooks scanning for orphaned resources weekly, identifying and decommissioning abandoned resources including unattached disks, unused public IPs, and idle virtual machines afte

NIST SP 800-53 Rev.5: CM-3, CM-3(1), CM-4, SA-3, SA-4(10)
PCI-DSS v4: 6.3.1, 6.4.1, 6.4.2, 12.3.3
CIS Controls v8.1: 4.1, 4.2, 15.1, 15.2
NIST CSF v2.0: PR.IP-1, PR.IP-3, PR.MA-1
ISO 27001:2022: A.5.31, A.8.1, A.8.32
SOC 2: CC6.1, CC6.6, CC8.1
AM-3.1 Implement secure resource provisioning
Control ID: AM-3
Implementation ID: AM-3.1
Control type: Child
Core pillar: Asset lifecycle and access management
Azure Policy: API endpoints that are unused should be disabled and removed from the Azure API Management service
Security principle: as for AM-3.

Implementation: Resources deployed without security hardening from inception create immediate vulnerabilities that persist throughout their operational lifetime, as retrofitting security controls after deployment proves technically complex and operationally disruptive. Security-by-default provisioning through infrastructure-as-code ensures consistent protective configurations apply automatically, preventing the configuration gaps that adversaries exploit. Automated security validation before deployment blocks insecure configurations before they reach production, transforming security from reactive remediation into proactive prevention. Deploy Azure Deployment Stacks, Azure Resource Manager templates, and Terraform with security-hardened configurations, ensuring resources are deployed with proper security controls from inception. Establish secure-by-default provisioning through these mechanisms:
Secure-by-default provisioning:
- Azure Deployment Stacks for governance: Use Azure Deployment Stacks to combine Azure Policy assignments, RBAC role assignments, and resource templates into governed bundles. Deployment Stacks create deny assignments (DenyDelete or DenyWriteAndDelete) protecting managed resources and governance artifacts from unauthorized modification or deletion while enabling controlled updates through infrastructure-as-code.
- Infrastructure-as-code security: Hardened ARM templates and Terraform modules with encryption enabled, diagnostic logging configured, network security groups applied, and p
AM-3.2 Implement asset lifecycle change control
Control ID: AM-3
Implementation ID: AM-3.2
Control type: Child
Core pillar: Asset lifecycle and access management
Azure Policy: API endpoints that are unused should be disabled and removed from the Azure API Management service
Security principle: as for AM-3.

Implementation: Uncontrolled resource modifications bypass security review processes, enabling adversaries to disable protective controls, escalate privileges, or maintain persistence through configuration changes that evade detection. Change control transforms ad-hoc modifications into governed workflows with security validation, audit trails, and automated enforcement preventing unauthorized changes. Continuous configuration monitoring detects drift from approved baselines, ensuring resources maintain their security posture throughout their operational lifecycle rather than degrading over time. Establish change control processes using Azure Policy, Azure Resource Locks, and Azure Activity Log monitoring to govern resource modifications and prevent unauthorized security configuration changes. Govern resource modifications through these change control mechanisms:
Change control and governance:
- Azure Resource Locks: Deploy CanNotDelete or ReadOnly locks on production resources, preventing accidental deletion or modification without explicit lock removal approval, which requires a documented change request and security review.
- Azure Policy deny effects: Policies preventing security configuration degradation, including disabling encryption, removing diagnostic settings, exposing resources to the public internet, or modifying network security group rules without approval.
- Change tracking and audit: Azure Activity Log integration with Microsoft Sentinel tracking all resource modifications with security correlation, anomaly d
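The two detection halves of this control are drift from an approved baseline and high-risk operations in the Activity Log (lock removal, diagnostic setting deletion, role assignment and NSG rule writes). The following added example (not code from the benchmark or from Microsoft) implements both over constructed data: the baseline uses the real ARM property names for storage accounts and key vaults, while the resource snapshots, operation list and Activity Log events are invented for the example and would, in practice, come from Resource Graph and the Activity Log export feeding Sentinel.

```python
"""Configuration drift and high-risk change detection (added example, runs locally).

BASELINE lists expected values for a few hardened settings using the real ARM
property names of storage accounts and key vaults. The resource snapshots and
Activity Log events below are constructed for this example, not from a tenant.
"""

BASELINE = {
    "microsoft.storage/storageaccounts": {
        "properties.supportsHttpsTrafficOnly": True,
        "properties.allowBlobPublicAccess": False,
        "properties.minimumTlsVersion": "TLS1_2",
        "properties.publicNetworkAccess": "Disabled",
    },
    "microsoft.keyvault/vaults": {
        "properties.enableSoftDelete": True,
        "properties.enablePurgeProtection": True,
    },
}

# Operations that should only happen through an approved change request.
HIGH_RISK_OPERATIONS = {
    "microsoft.authorization/locks/delete": "resource lock removed",
    "microsoft.insights/diagnosticsettings/delete": "diagnostic setting removed",
    "microsoft.authorization/roleassignments/write": "role assignment changed",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule changed",
}

RG = "/subscriptions/prod-0001/resourceGroups/rg-data/providers"

# Constructed resource snapshots (what a Resource Graph or ARM read would return).
SAMPLE_SNAPSHOT = [
    {"id": f"{RG}/Microsoft.Storage/storageAccounts/stgood", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False,
                    "minimumTlsVersion": "TLS1_2", "publicNetworkAccess": "Disabled"}},
    {"id": f"{RG}/Microsoft.Storage/storageAccounts/stpublicbad", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True,
                    "minimumTlsVersion": "TLS1_0", "publicNetworkAccess": "Disabled"}},
    # Purge protection never set: the property is simply absent from the resource.
    {"id": f"{RG}/Microsoft.KeyVault/vaults/kv-app", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableSoftDelete": True}},
]

# Constructed Activity Log events.
SAMPLE_CHANGE_EVENTS = [
    {"operationName": "Microsoft.Authorization/locks/delete", "status": "Succeeded",
     "caller": "eve@example.test",
     "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stpublicbad/providers/Microsoft.Authorization/locks/prod-lock"},
    {"operationName": "Microsoft.Insights/diagnosticSettings/delete", "status": "Failed",
     "caller": "eve@example.test",
     "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stpublicbad/providers/Microsoft.Insights/diagnosticSettings/audit"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "caller": "eve@example.test",
     "resourceId": f"{RG}/Microsoft.Authorization/roleAssignments/ra-0001"},
    {"operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded",
     "caller": "alice@example.test",
     "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stgood"},
]


def _lookup(obj, dotted):
    """Walk a dotted path ('properties.minimumTlsVersion'); None if any part is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def detect_drift(snapshot, baseline=BASELINE):
    """Return [(resource id, property path, expected, actual)] for each baseline violation.
    A missing property is reported as actual=None, which never equals the expected value."""
    findings = []
    for r in snapshot:
        expected = baseline.get(r["type"].lower())
        if not expected:
            continue                     # type not covered by the baseline
        for path, want in expected.items():
            got = _lookup(r, path)
            if got != want:
                findings.append((r["id"], path, want, got))
    return findings


def audit_changes(events, high_risk=HIGH_RISK_OPERATIONS):
    """Return (caller, resourceId, description) for succeeded high-risk operations.
    Failed attempts (e.g. blocked by a lock or a deny policy) are not change events."""
    flagged = []
    for ev in events:
        label = high_risk.get(ev["operationName"].lower())
        if label and ev["status"] == "Succeeded":
            flagged.append((ev["caller"], ev["resourceId"], label))
    return flagged


if __name__ == "__main__":
    for finding in detect_drift(SAMPLE_SNAPSHOT):
        print("drift:", *finding)
    for change in audit_changes(SAMPLE_CHANGE_EVENTS):
        print("high-risk change:", *change)
```

The edge case worth noting is the absent property: a key vault that never had purge protection set has no `enablePurgeProtection` key at all, so a check that only compares present values would silently pass it; comparing against `None` reports it as drift. Failed operations are excluded from the change audit, since a lock or deny policy doing its job is not a configuration change (though a burst of such failures from one caller is still worth an alert under AM-2.2's violation monitoring).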
Control ID: AM-3
Implementation ID: AM-3.3
Control Name: Implement systematic resource decommissioning
Control Type: Child
Core Pillar: Asset lifecycle and access management
Azure Policy: API endpoints that are unused should be disabled and removed from the Azure API Management service
Security Principle: Implement secure asset lifecycle management from provisioning through decommissioning with security-by-default configurations, change control processes, and systematic disposal procedures. Ensure all lifecycle phases include security validation, audit logging, and approval workflows for high-impact modifications to prevent security degradation and maintain compliance.
Implementation example: Improper resource decommissioning leaves data remnants, orphaned configurations, and stale credentials that create long-term security exposure and compliance violations even after projects end. Formal decommissioning procedures ensure complete removal of resources with proper data handling, access revocation, and audit trail preservation preventing unauthorized access to abandoned assets. Automated detection of orphaned resources eliminates the accumulation of forgotten infrastructure that consumes budget while creating unmonitored attack surface. Execute secure resource decommissioning through these procedures: Establish formal decommissioning procedures using Azure Resource Manager, Azure Policy, and data retention policies ensuring secure resource deletion with proper data handling and audit trail preservation.
Secure decommissioning procedures:
Data backup and retention: Verify backup completion and retention policy compliance before resource deletion ensuring business continuity and regulatory compliance requirements.
Access revocation: Remove all role assignments, managed identities, service principals, and key vault access policies associated with resources before deletion.
Network dependency validation: Verify no active network dependencies, peering relationships, or DNS records preventing safe resource removal.
Compliance and legal hold check: Validate no legal holds, regulatory retention requirements, or active investigations requiring resource preservation before deletion.
Sof
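The procedure above expressed as a gate that refuses deletion while any of its checks fail, as an added example that is not part of the MCSB page or of Microsoft's tooling. The Resource dataclass and its fields, the revocation action names and the sample web app are constructed assumptions; the script runs offline and calls no Azure API.

```python
# Added example (not from the MCSB page): a pre-flight gate that encodes the
# decommissioning checks above. Resource, access and dependency records are
# constructed inline; nothing here calls Azure.
from dataclasses import dataclass, field


@dataclass
class Resource:
    """Constructed view of one resource that is scheduled for removal."""
    resource_id: str
    backup_verified: bool = False            # backup completed and validated
    retention_policy_met: bool = False       # retained copy satisfies policy
    role_assignments: list = field(default_factory=list)     # principals bound to this scope
    managed_identities: list = field(default_factory=list)   # identities attached to it
    key_vault_policies: list = field(default_factory=list)   # vaults granting it access
    network_dependencies: list = field(default_factory=list) # peerings, DNS records, endpoints
    legal_hold: bool = False
    active_investigation: bool = False


def preflight(res: Resource) -> list:
    """Return the findings that block deletion; an empty list means safe to delete."""
    blockers = []
    if res.legal_hold or res.active_investigation:
        blockers.append("preservation required: legal hold or active investigation")
    if not res.backup_verified:
        blockers.append("backup not verified")
    if not res.retention_policy_met:
        blockers.append("retention policy not satisfied")
    for kind, items in (("role assignment", res.role_assignments),
                        ("managed identity", res.managed_identities),
                        ("key vault access policy", res.key_vault_policies),
                        ("network dependency", res.network_dependencies)):
        for item in items:
            blockers.append(f"{kind} still attached: {item}")
    return blockers


def revoke_access(res: Resource, audit: list) -> None:
    """Strip every access binding, writing one audit record per revocation."""
    for attr, action in (("role_assignments", "RemoveRoleAssignment"),
                         ("managed_identities", "RemoveManagedIdentity"),
                         ("key_vault_policies", "RemoveKeyVaultAccessPolicy")):
        for item in getattr(res, attr):
            audit.append({"resource": res.resource_id, "action": action, "target": item})
        setattr(res, attr, [])


def decommission(res: Resource):
    """Run the procedure in order: preservation check, access revocation, dependency
    and backup validation, then deletion. Returns (deleted, blockers, audit_trail);
    the audit trail is returned even when deletion is refused."""
    audit = []
    if res.legal_hold or res.active_investigation:
        return False, preflight(res), audit      # touch nothing while under hold
    revoke_access(res, audit)
    blockers = preflight(res)
    if blockers:
        return False, blockers, audit
    audit.append({"resource": res.resource_id, "action": "Delete", "target": res.resource_id})
    return True, [], audit


if __name__ == "__main__":
    # Constructed sample: a retired web app whose pipeline identity and DNS record were forgotten.
    app = Resource(
        resource_id="/subscriptions/<sub-id>/resourceGroups/rg-proj-x/providers/Microsoft.Web/sites/app-x",
        backup_verified=True, retention_policy_met=True,
        role_assignments=["sp-ci-pipeline (Contributor)"],
        key_vault_policies=["kv-proj-x"],
        network_dependencies=["app-x.corp.example CNAME"],
    )
    deleted, blockers, trail = decommission(app)
    print("deleted:", deleted, "blockers:", blockers)
    for rec in trail:
        print(rec)
```

The order is the point: access bindings are revoked before the dependency and backup checks, so a refused deletion still leaves no stale role assignment or Key Vault policy behind, and a resource under legal hold is never touched at all.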
Control ID: AM-4
Control Name: Limit access to asset management
Control Type: Parent
Core Pillar: Asset lifecycle and access management
Azure Policy: No Azure Policy available
Security Principle: Enforce least-privilege access to asset management capabilities through role-based access controls, conditional access policies, and resource protection mechanisms. Limit users' ability to create, modify, or delete assets based on business justification, requiring strong authentication, secure workstations, and time-limited elevated access for administrative operations affecting production infrastructure.
Risk to mitigate: Excessive access to asset management capabilities creates risks of accidental resource deletion, malicious infrastructure modification, and privilege escalation attacks.
Without proper access controls:
Accidental production impact: Overprivileged users accidentally delete production resources, modify critical network configurations, or disable security monitoring causing business disruption.
Insider threat amplification: Malicious insiders with excessive asset management permissions can delete audit logs, exfiltrate data, deploy malicious infrastructure, or sabotage systems.
Privilege escalation pathways: Attackers compromising accounts with asset management permissions escalate privileges by modifying RBAC assignments, creating service principals, or deploying resources with elevated access.
Compliance and audit failures: Lack of least-privilege access controls violates regulatory requirements for separation of duties and creates audit findings in SOX, PCI-DSS, and HIPAA assessments.
Credential theft impact: Compromised credentials with broad asset management access enable attackers to cause maximum damage across cloud environment before detection.
Change control bypass: Excessive permission
MITRE ATT&CK:
Privilege Escalation (TA0004): valid accounts (T1078) using compromised accounts with asset management permissions to escalate privileges by modifying role assignments or creating high-privilege identities.
Impact (TA0040): resource hijacking (T1496) leveraging asset management permissions to deploy cryptocurrency mining infrastructure or other resource-intensive malicious workloads.
Defense Evasion (TA0005): impair defenses (T1562) using infrastructure permissions to disable security monitoring, delete diagnostic logs, or remove security agents preventing detection.
Implementation example: A financial services organization processing $2B+ in daily transactions faced challenges with asset management access controls creating SOX compliance risks and security incidents from unauthorized infrastructure changes.
Challenge: Application teams possessed excessive permissions with Contributor role assigned at subscription level enabling unauthorized access to financial transaction processing systems across multiple resource groups. Three security incidents occurred where developers accidentally modified production network security groups causing payment processing disruptions. SOX audit findings identified insufficient access controls with 40+ users possessing permanent Owner permissions without business justification. External attackers compromised developer credentials and accessed Azure management portal from non-corporate locations without additional security verification. Critical infrastructure lacked deletion protection with risk of accidental removal of payment processing resources.
Solution approach:
Least privilege access: Implemented Azure RBAC custom roles granting application teams Resource-Specific Contributor permissions scoped to their resource groups without subscription-wide access. Removed subscription-level Contributor assignments affecting 40+ users reducing excessive permissions by 85%.
Just-in-time access: Deployed Privileged Identity Management requiring just-in-time activation for Contributor and Owner roles with manager approval workflow and 8-hour time-limited access duration. Eliminated standing privileged access for routine operations.
Access protection: Configured Microsoft Entra Conditional Access policies requiring MFA, compliant device, and corporate network location for all Azure management access preventing external access attempts. Established privileged access workstation program with dedicated hardened VMs for infrastructure management activities isolated from standard corporate network.
Resource protection: Applied CanNotDelete locks to all production resource groups protecting financial transaction processing systems from accidental deletion. Deployed ReadOnly locks on network security groups, virtual networks, and ExpressRoute circuits preventing unauthorized network configuration changes. Configured Deployment Stacks with DenyWriteAndDelete for governance resources including Policy assignments, RBAC roles, and security baseline configurations.
Criticality: Must have
NIST SP 800-53 Rev.5: AC-2, AC-2(1), AC-5, AC-6, AC-6(1), AC-6(5)
PCI-DSS v4: 7.2.2, 7.2.4, 7.2.5, 8.2.2
CIS Controls v8.1: 5.4, 6.1, 6.7, 6.8
NIST CSF v2.0: PR.AC-4, PR.AC-7, PR.PT-3
ISO 27001:2022: A.5.15, A.5.16, A.5.18, A.8.2
SOC 2: CC6.1, CC6.2, CC6.3
Control ID: AM-4
Implementation ID: AM-4.1
Control Name: Implement role-based access control for asset management
Control Type: Child
Core Pillar: Asset lifecycle and access management
Azure Policy: No Azure Policy available
Security Principle: Enforce least-privilege access to asset management capabilities through role-based access controls, conditional access policies, and resource protection mechanisms. Limit users' ability to create, modify, or delete assets based on business justification, requiring strong authentication, secure workstations, and time-limited elevated access for administrative operations affecting production infrastructure.
Implementation example: Broad infrastructure permissions enable both accidental misconfigurations and intentional abuse with impact amplified across numerous resources, making privilege management critical to limiting security incident blast radius. Least-privilege access through role-based controls ensures personnel access only resources required for legitimate job functions, reducing exposure from compromised credentials or malicious insiders. Just-in-time activation transforms standing administrative access into temporary, audited elevation events that dramatically reduce the window of opportunity for credential theft exploitation. Implement least-privilege asset management through these access controls: Deploy Azure RBAC with least-privilege role assignments, custom roles, and resource-level scoping limiting asset management capabilities to authorized personnel with business justification.
Least-Privilege Role Strategy:
Reader role as default: Grant Reader role to general users providing visibility into resources without modification capabilities supporting operational awareness.
Resource-specific Contributor roles: Use service-specific Contributor roles (Virtual Machine Contributor, Storage Account Contributor) instead of broad Contributor role limiting scope of permissions.
Custom role definitions: Create custom RBAC roles with minimal required permissions for specific job functions avoiding over-permissioned built-in roles.
Resource group and resource scoping: Scope role assignments to specific resource g
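An added example, not code from the MCSB page or from Azure, that applies the AM-4 solution and the role strategy above to a constructed list of role assignments: it flags standing broad-role grants at subscription or management-group scope, rewrites one of them as resource-group-scoped grants of a narrower built-in role, and emits a custom role definition in the JSON shape Azure accepts for custom roles. The assignment records, the all-zero subscription id and the `standing` flag (a stand-in for the permanent-versus-PIM-eligible distinction) are assumptions.

```python
# Added example (not from the MCSB page or Azure): review RBAC assignments for
# standing broad-role grants at wide scope, narrow one, and draft a custom role.
# Assignment records are constructed; "standing" is an assumed flag standing in
# for the permanent-versus-PIM-eligible distinction.
import json

BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
WIDE_SCOPES = {"managementGroup", "subscription"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by its position in the hierarchy."""
    s = scope.lower()
    if "/managementgroups/" in s:
        return "managementGroup"
    if "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "tenant"


def find_overprivileged(assignments):
    """Flag standing assignments of broad roles at subscription or management-group scope."""
    return [
        {"principal": a["principal"], "role": a["role"], "scope": a["scope"],
         "level": scope_level(a["scope"])}
        for a in assignments
        if a["role"] in BROAD_ROLES
        and scope_level(a["scope"]) in WIDE_SCOPES
        and a.get("standing", True)
    ]


def narrow_assignments(finding, owned_resource_groups, role):
    """Replace one wide grant with per-resource-group grants of a narrower role."""
    sub = finding["scope"].rstrip("/")
    return [{"principal": finding["principal"], "role": role, "standing": True,
             "scope": f"{sub}/resourceGroups/{rg}"} for rg in owned_resource_groups]


def custom_role(name, description, actions, assignable_scopes, not_actions=()):
    """Role definition in the JSON shape Azure accepts for custom roles."""
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": list(actions), "NotActions": list(not_actions),
            "DataActions": [], "NotDataActions": [],
            "AssignableScopes": list(assignable_scopes)}


# Constructed sample tenant (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principal": "grp-app-team-a", "role": "Contributor", "scope": SUB, "standing": True},
    {"principal": "grp-sec-readers", "role": "Reader", "scope": SUB, "standing": True},
    {"principal": "grp-platform-ops", "role": "Owner", "scope": SUB, "standing": False},
    {"principal": "grp-app-team-b", "role": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app-b", "standing": True},
]

if __name__ == "__main__":
    for f in find_overprivileged(ASSIGNMENTS):
        print("standing broad grant:", f)
        for repl in narrow_assignments(f, ["rg-app-a", "rg-app-a-test"],
                                       "Virtual Machine Contributor"):
            print("  replace with:", repl)
    role = custom_role(
        "App Team Workload Operator",
        "Manage VMs and web apps in assigned resource groups; no RBAC changes",
        ["Microsoft.Compute/virtualMachines/*", "Microsoft.Web/sites/*",
         "Microsoft.Resources/deployments/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read"],
        [f"{SUB}/resourceGroups/rg-app-a"],
        not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"])
    print(json.dumps(role, indent=2))
```

The Reader grant and the PIM-eligible Owner grant pass the review untouched; only the standing subscription-wide Contributor is rewritten, and the custom role's NotActions keep the holder from editing role assignments, which is the privilege-escalation path the parent control describes.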
Control ID: AM-4
Implementation ID: AM-4.2
Control Name: Implement Conditional Access for Azure management
Control Type: Child
Core Pillar: Asset lifecycle and access management
Azure Policy: No Azure Policy available
Security Principle: Enforce least-privilege access to asset management capabilities through role-based access controls, conditional access policies, and resource protection mechanisms. Limit users' ability to create, modify, or delete assets based on business justification, requiring strong authentication, secure workstations, and time-limited elevated access for administrative operations affecting production infrastructure.
Implementation example: Validating user identity alone provides insufficient protection for infrastructure management when adversaries operate from compromised devices, untrusted networks, or anomalous locations that indicate credential theft. Conditional Access policies enforce device compliance, network restrictions, and risk-based controls ensuring infrastructure management occurs only from trusted contexts that meet security standards. Multi-factor authentication combined with device and location validation creates defense-in-depth that prevents infrastructure compromise even when credentials are stolen. Enforce context-aware infrastructure access through these policies: Deploy Microsoft Entra Conditional Access policies restricting access to Azure Resource Manager based on device compliance, network location, and risk level with multi-factor authentication requirements.
Conditional Access policy requirements:
Multi-factor authentication enforcement: Require MFA for all access to Azure Management App (Azure Resource Manager API) preventing credential-based attacks on infrastructure management.
Compliant device requirement: Restrict Azure management access to Intune-managed compliant devices preventing asset management from unmanaged personal devices.
Privileged Access Workstation (PAW): Require access to Owner and Contributor roles from dedicated privileged access workstations with enhanced security configurations.
Network location restrictions: Limit Azure management access to corporate network locations
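An offline evaluator for a small subset of the Microsoft Graph conditionalAccessPolicy schema, added here as an example (not from the page or from Microsoft Entra) to show why the requirements above are layered: it walks constructed sign-in contexts through two constructed policies and reports which policy stops each. AZURE_MGMT_APP is a placeholder for the tenant's Azure Management application id, user scoping is modelled only as "All", and named-location matching is simplified to a trusted flag plus location names.

```python
# Added example (not from the MCSB page or Microsoft Entra): evaluate constructed
# sign-ins against two Conditional Access policies written in the Graph
# conditionalAccessPolicy shape. AZURE_MGMT_APP is a placeholder, not a real id.
AZURE_MGMT_APP = "<azure-management-app-id>"

POLICIES = [
    {"displayName": "Azure management: require MFA and compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [AZURE_MGMT_APP]},
                    "locations": {"includeLocations": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Azure management: block outside trusted locations",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [AZURE_MGMT_APP]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _location_in(names, signin):
    """Simplified named-location match: 'All', 'AllTrusted' or an explicit name."""
    return ("All" in names or signin["location"] in names
            or ("AllTrusted" in names and signin["trusted_location"]))


def applies(policy, signin):
    """Does this enabled policy target the sign-in's app and location? (users: 'All' only)"""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if not ("All" in apps or signin["app"] in apps):
        return False
    loc = cond.get("locations", {})
    included = _location_in(loc.get("includeLocations", ["All"]), signin)
    excluded = _location_in(loc.get("excludeLocations", []), signin)
    return included and not excluded


def evaluate(policies, signin):
    """Conditional Access semantics: every applicable policy must be satisfied and a
    block control always wins. Returns (decision, [names of applied policies]) where
    decision is 'grant', 'deny' (a required control was not met), 'block' or 'no-policy'."""
    applied, decision = [], "no-policy"
    for policy in policies:
        if not applies(policy, signin):
            continue
        applied.append(policy["displayName"])
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "block", applied
        met = [ctl in signin["satisfied_controls"] for ctl in controls]
        if not (all(met) if grant["operator"] == "AND" else any(met)):
            decision = "deny"          # credentials alone cannot satisfy the controls
        elif decision != "deny":
            decision = "grant"
    return decision, applied


if __name__ == "__main__":
    # Constructed sign-in contexts.
    cases = {
        "admin on PAW at HQ": {"app": AZURE_MGMT_APP, "location": "hq-office",
                               "trusted_location": True,
                               "satisfied_controls": {"mfa", "compliantDevice"}},
        "stolen password, home network": {"app": AZURE_MGMT_APP, "location": "unknown",
                                          "trusted_location": False,
                                          "satisfied_controls": set()},
        "stolen password + MFA, unmanaged laptop at HQ": {
            "app": AZURE_MGMT_APP, "location": "hq-office",
            "trusted_location": True, "satisfied_controls": {"mfa"}},
        "mail client from home": {"app": "mail-app", "location": "unknown",
                                  "trusted_location": False, "satisfied_controls": set()},
    }
    for label, signin in cases.items():
        print(f"{label}: {evaluate(POLICIES, signin)}")
```

The second and third cases show the layering: with only a password the grant controls fail and the location policy blocks as well; with MFA but no compliant device the first policy alone still denies, so each requirement catches a failure the others do not.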
Control ID: AM-4
Implementation ID: AM-4.3
Control Name: Implement resource locks and immutability
Control Type: Child
Core Pillar: Asset lifecycle and access management
Azure Policy: No Azure Policy available
Security Principle: Enforce least-privilege access to asset management capabilities through role-based access controls, conditional access policies, and resource protection mechanisms. Limit users' ability to create, modify, or delete assets based on business justification, requiring strong authentication, secure workstations, and time-limited elevated access for administrative operations affecting production infrastructure.
Implementation example: Role-based access control limits who can modify infrastructure, but preventing accidental or malicious destruction of critical resources requires enforcement beyond permissions through immutability controls. Resource locks transform governance from permission management into technical enforcement that blocks deletion or modification even from accounts with Owner privileges, preventing irreversible data loss from human error or compromised credentials. Deployment Stacks extend protection to governance artifacts themselves, ensuring security policies and role assignments cannot be removed by the very privileges they control. Enforce resource immutability through these protection mechanisms: Deploy Azure Resource Locks and Azure Deployment Stacks deny settings preventing resource deletion or modification even by users with Owner permissions requiring explicit policy change through governed process.
Resource lock strategy:
CanNotDelete locks: Apply CanNotDelete locks to production resources preventing accidental deletion while allowing configuration modifications for operational flexibility.
ReadOnly locks: Deploy ReadOnly locks on sensitive infrastructure including network security groups, virtual networks, and identity resources preventing any modifications without lock removal.
Inherited locks: Apply locks at resource group or subscription level with inheritance to child resources simplifying governance and preventing lock bypass through new resource creation.
Lock removal approval work
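An added example (not from the page or from Azure) that models the lock inheritance and most-restrictive-wins behaviour described above and reports production resources missing their expected lock level. Lock records use the lock object shape (name, level, scope) and resources use ARM-style ids; the all-zero subscription id, the resource names, the env tag and the REQUIRED map are constructed.

```python
# Added example (not from the MCSB page or Azure): which operations would resource
# locks block, with inheritance from resource group and subscription scope, and
# which production resources lack the lock level expected of their type.
# Lock and resource records are constructed.
LEVEL_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete"}}


def _within(resource_id: str, scope: str) -> bool:
    """True if resource_id is the scope itself or sits underneath it."""
    rid, sc = resource_id.lower(), scope.lower().rstrip("/")
    return rid == sc or rid.startswith(sc + "/")


def effective_locks(resource_id, locks):
    """Locks at the resource, its resource group or its subscription all apply
    (inheritance), so child resources created later are covered automatically."""
    return [lock for lock in locks if _within(resource_id, lock["scope"])]


def operation_allowed(resource_id, operation, locks):
    """Most restrictive lock wins. Returns (allowed, names of blocking locks)."""
    blocking = [lock["name"] for lock in effective_locks(resource_id, locks)
                if operation in LEVEL_BLOCKS[lock["level"]]]
    return not blocking, blocking


def coverage_gaps(resources, locks, required):
    """required maps a resource type to the lock level it must carry, directly or
    inherited. Returns production resources whose effective locks lack that level
    (a ReadOnly lock also satisfies a CanNotDelete requirement)."""
    gaps = []
    for res in resources:
        need = required.get(res["type"])
        if need is None or res.get("tags", {}).get("env") != "prod":
            continue
        levels = {lock["level"] for lock in effective_locks(res["id"], locks)}
        if need not in levels and not (need == "CanNotDelete" and "ReadOnly" in levels):
            gaps.append({"id": res["id"], "missing": need})
    return gaps


# Constructed sample estate.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PAY = f"{SUB}/resourceGroups/rg-payments"
RG_REP = f"{SUB}/resourceGroups/rg-reporting"
NSG = f"{RG_PAY}/providers/Microsoft.Network/networkSecurityGroups/nsg-payments"
VM = f"{RG_PAY}/providers/Microsoft.Compute/virtualMachines/vm-pay-01"
VNET_REP = f"{RG_REP}/providers/Microsoft.Network/virtualNetworks/vnet-reporting"
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

LOCKS = [
    {"name": "lock-rg-payments-nodelete", "level": "CanNotDelete", "scope": RG_PAY},
    {"name": "lock-nsg-payments-readonly", "level": "ReadOnly", "scope": NSG},
]
RESOURCES = [
    {"id": RG_PAY, "type": RG_TYPE, "tags": {"env": "prod"}},
    {"id": RG_REP, "type": RG_TYPE, "tags": {"env": "prod"}},
    {"id": NSG, "type": "Microsoft.Network/networkSecurityGroups", "tags": {"env": "prod"}},
    {"id": VM, "type": "Microsoft.Compute/virtualMachines", "tags": {"env": "prod"}},
    {"id": VNET_REP, "type": "Microsoft.Network/virtualNetworks", "tags": {"env": "prod"}},
]
REQUIRED = {RG_TYPE: "CanNotDelete",
            "Microsoft.Network/networkSecurityGroups": "ReadOnly",
            "Microsoft.Network/virtualNetworks": "ReadOnly"}

if __name__ == "__main__":
    for rid, op in ((VM, "write"), (VM, "delete"), (NSG, "write"), (NSG, "delete")):
        print(rid.rsplit("/", 1)[-1], op, operation_allowed(rid, op, LOCKS))
    for gap in coverage_gaps(RESOURCES, LOCKS, REQUIRED):
        print("missing", gap["missing"], "on", gap["id"])
```

The VM inherits the resource group's CanNotDelete lock, so it can still be reconfigured but not deleted, while the NSG's own ReadOnly lock blocks both; the coverage report surfaces the reporting resource group and its virtual network, which carry no lock at all.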
Control ID: AM-5
Control Name: Use only approved applications in virtual machine
Control Type: Parent
Core Pillar: Service approval and application control
Azure Policy: No Azure Policy available
Security Principle: Enforce application control through allow list policies and behavioral monitoring ensuring only authorized software executes on compute assets. Prevent unauthorized software execution including malware, unapproved tools, and outdated applications while maintaining operational flexibility for approved business applications and administrative tasks.
Risk to mitigate: Uncontrolled software execution on virtual machines creates security vulnerabilities through malware, unauthorized tools, and outdated software.
Without application control:
Malware and ransomware execution: Lack of application allow listing allows malware, ransomware, and other malicious software to execute freely once attackers gain system access.
Unauthorized administrative tools: Attackers install remote access tools, network scanners, credential dumping utilities, and other post-exploitation tools supporting attack progression.
Unapproved commercial software: Users install unlicensed software, personal tools, and unapproved applications creating legal liability, security vulnerabilities, and support challenges.
Outdated vulnerable software: Legacy applications and outdated software versions persist on systems containing known vulnerabilities exploitable by attackers.
Insider threat tool usage: Malicious insiders install data exfiltration tools, encryption utilities, and system sabotage applications without detection.
Cryptocurrency mining and abuse: Compromised systems execute cryptocurrency miners, botnet clients, and other resource-intensive malicious applications degrading performance
MITRE ATT&CK:
Execution (TA0002): user execution (T1204) tricking users into executing malicious software that bypasses application control mechanisms or exploits policy gaps.
Defense Evasion (TA0005): masquerading (T1036) disguising malicious executables as legitimate applications attempting to bypass application allow listing controls.
Credential Access (TA0006): OS credential dumping (T1003) executing credential theft tools like Mimikatz harvesting credentials from memory for privilege escalation.
Implementation example: A healthcare organization processing protected health information (PHI) across 500+ Windows servers faced challenges with application control creating ransomware vulnerability and HIPAA compliance gaps.
Challenge: The organization experienced two ransomware incidents where attackers executed unauthorized encryption tools on file servers causing business disruption and triggering HIPAA breach notification requirements. Security teams lacked visibility into installed applications across 500+ servers with unknown software proliferation creating compliance risks. Developers installed unapproved administrative tools including remote access utilities and debugging software on production servers exposing PHI to unauthorized access. PowerShell scripts executed without logging or restrictions enabling attackers to perform reconnaissance and lateral movement undetected. HIPAA audit findings identified insufficient controls over application execution and lack of software inventory management.
Solution approach:
Application control deployment: Deployed Microsoft Defender for Cloud adaptive application controls across all Windows servers with 30-day audit mode learning period before enforcement activation. Configured application control policies organized by server roles including web servers, database servers, file servers, and domain controllers with tailored allow lists per workload type blocking unauthorized execution attempts including ransomware and hacking tools.
Change monitoring: Implemented Change Tracking and Inventory using Azure Monitor Agent monitoring software installations, file modifications, and registry changes across virtual machines with Microsoft Sentinel integration for security correlation. Created Azure Monitor alert rules for application control violations identifying attempted malware execution and unauthorized tool usage requiring security team investigation.
Script execution controls: Enabled PowerShell script block logging and constrained language mode on all virtual machines capturing PowerShell commands for security analysis and blocking malicious script execution attempts. Deployed Windows Defender Application Control policies on domain controllers and certificate authority servers preventing unauthorized administrative tool execution protecting Active Directory infrastructure.
Criticality: Should have
NIST SP 800-53 Rev.5: CM-7(2), CM-7(5), SC-18, SI-3, SI-4
PCI-DSS v4: 5.2.1, 5.2.2, 5.3.3, 11.5.1
CIS Controls v8.1: 2.3, 2.5, 2.6, 10.5
NIST CSF v2.0: PR.DS-6, PR.PT-2, DE.CM-4
ISO 27001:2022: A.8.7, A.8.12, A.8.19
SOC 2: CC6.1, CC6.6, CC7.2
Control ID: AM-5
Implementation ID: AM-5.1
Control Name: Implement adaptive application controls
Control Type: Child
Core Pillar: Service approval and application control
Azure Policy: No Azure Policy available
Security Principle: Enforce application control through allow list policies and behavioral monitoring ensuring only authorized software executes on compute assets. Prevent unauthorized software execution including malware, unapproved tools, and outdated applications while maintaining operational flexibility for approved business applications and administrative tasks.
Implementation example: Unrestricted application execution enables adversaries to deploy post-exploitation toolkits immediately upon gaining initial access, transforming minor compromises into complete system control before detection. Application control allow listing inverts traditional antivirus defense by defining approved software and blocking everything else, preventing unknown malware and living-off-the-land techniques that evade signature-based detection. Machine learning-powered adaptive controls eliminate the operational burden of manual policy maintenance by automatically adjusting allow lists as legitimate applications evolve while maintaining protection against unauthorized software. Establish executable restriction through these application controls: Deploy Microsoft Defender for Cloud adaptive application controls automatically generating application allow lists based on observed behavior with continuous learning and enforcement capabilities.
Adaptive application control implementation:
Automated allow list generation: Machine learning-powered analysis of application execution patterns generating recommended allow lists for virtual machine groups.
Audit mode learning period: Initial deployment in audit mode observing application execution patterns without enforcement building comprehensive application baseline.
Enforcement mode activation: Transition to enforcement mode blocking unauthorized application execution after baseline establishment with ongoing learning and automatic rule updates.
Fi
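A simplified allow-list lifecycle, audit-mode learning followed by enforcement with continued learning, added as an example in the spirit of the three steps above; it is not Defender for Cloud's algorithm or code. The grouping rule (publisher rules for signed binaries, path rules for unsigned ones, a two-host threshold before a rule is recommended), the VM group names and the execution events are all constructed.

```python
# Added example (not from the MCSB page or Defender for Cloud): build an allow
# list from audit-mode execution events of one VM group, evaluate later events in
# audit or enforce mode, and fold operator-approved review items back into the
# rules. Thresholds, grouping rule and events are constructed.
from collections import defaultdict

MIN_HOSTS = 2   # an app must be seen on this many machines in a group to be recommended


def build_recommendation(events, group, min_hosts=MIN_HOSTS):
    """From audit-mode events of one VM group, recommend publisher rules for signed
    binaries and path rules for unsigned ones; anything below the host threshold
    goes to a review list instead of the rules."""
    seen = defaultdict(set)                     # rule key -> hosts that executed it
    for e in events:
        if e["group"] != group:
            continue
        key = (("publisher", e["publisher"]) if e["publisher"]
               else ("path", e["path"].lower()))
        seen[key].add(e["host"])
    rules = {"publisher": set(), "path": set()}
    review = []
    for (kind, value), hosts in seen.items():
        if len(hosts) >= min_hosts:
            rules[kind].add(value)
        else:
            review.append({"rule": kind, "value": value, "hosts": sorted(hosts)})
    return rules, review


def matches(event, rules):
    """A signed binary matches on publisher; any binary matches on an exact path rule."""
    return ((event["publisher"] is not None and event["publisher"] in rules["publisher"])
            or event["path"].lower() in rules["path"])


def evaluate(event, rules, mode):
    """'audit' only records violations; 'enforce' blocks them."""
    if matches(event, rules):
        return "allow"
    return "audit" if mode == "audit" else "block"


def learn(rules, review, approved_values):
    """Ongoing learning: promote reviewed items an operator approved into the rules."""
    remaining = []
    for item in review:
        if item["value"] in approved_values:
            rules[item["rule"]].add(item["value"])
        else:
            remaining.append(item)
    return rules, remaining


# Constructed audit-mode observations.
EVENTS = [
    {"host": "web01", "group": "web", "path": r"C:\Windows\System32\svchost.exe",
     "publisher": "O=Microsoft Corporation"},
    {"host": "web02", "group": "web", "path": r"C:\Windows\System32\svchost.exe",
     "publisher": "O=Microsoft Corporation"},
    {"host": "web03", "group": "web", "path": r"C:\Windows\explorer.exe",
     "publisher": "O=Microsoft Corporation"},
    {"host": "web01", "group": "web", "path": r"D:\apps\contoso\agent.exe",
     "publisher": "O=Contoso Ltd"},
    {"host": "web02", "group": "web", "path": r"D:\apps\contoso\agent.exe",
     "publisher": "O=Contoso Ltd"},
    {"host": "web01", "group": "web", "path": r"C:\Tools\legacy-report.exe",
     "publisher": None},
    {"host": "db01", "group": "db", "path": r"C:\Program Files\Contoso DB\dbsvc.exe",
     "publisher": "O=Contoso Ltd"},
]

if __name__ == "__main__":
    rules, review = build_recommendation(EVENTS, "web")
    print("rules:", rules)
    print("needs review:", review)
    unknown = {"host": "web02", "group": "web", "publisher": None,
               "path": r"C:\Users\svc\AppData\Local\Temp\unknown.exe"}
    print("audit mode:", evaluate(unknown, rules, "audit"))
    print("enforce mode:", evaluate(unknown, rules, "enforce"))
```

The unsigned tool seen on a single host is deliberately not promoted by the baseline; it stays on the review list until an operator approves it through learn(), which is the "ongoing learning" step rather than a silent widening of the allow list.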
Control ID: AM-5
Implementation ID: AM-5.2
Control Name: Implement software inventory and change tracking
Control Type: Child
Core Pillar: Service approval and application control
Azure Policy: No Azure Policy available
Security Principle: Enforce application control through allow list policies and behavioral monitoring ensuring only authorized software executes on compute assets. Prevent unauthorized software execution including malware, unapproved tools, and outdated applications while maintaining operational flexibility for approved business applications and administrative tasks.
Implementation example: Application control prevents unauthorized software execution but detecting software installations, configuration changes, and system modifications provides the visibility required to identify control bypasses, policy violations, and emerging threats. Comprehensive software inventory enables vulnerability management by identifying outdated applications requiring patches while change tracking reveals unauthorized modifications that indicate compromise or insider activity. Continuous monitoring transforms point-in-time inventory snapshots into security intelligence that detects anomalous changes before they escalate into incidents. Monitor software and configuration changes through these capabilities: Deploy Change Tracking and Inventory using Azure Monitor Agent providing comprehensive visibility into installed software, configuration changes, and unauthorized application installations across virtual machines.
Change tracking capabilities:
Software inventory collection: Automated collection of installed software including application names, versions, publishers, and installation dates across Windows and Linux virtual machines using Azure Monitor Agent.
File change monitoring: Track changes to critical files and directories detecting unauthorized software installation, configuration modifications, and malware deployment with configurable file path monitoring.
Windows service monitoring: Monitor Windows service changes detecting unauthorized service installations and configuration modif
Control ID: AM-5
Implementation ID: AM-5.3
Control Name: Control script execution and administrative tools
Control Type: Child
Core Pillar: Service approval and application control
Azure Policy: No Azure Policy available
Security Principle: Enforce application control through allow list policies and behavioral monitoring ensuring only authorized software executes on compute assets. Prevent unauthorized software execution including malware, unapproved tools, and outdated applications while maintaining operational flexibility for approved business applications and administrative tasks.
Implementation example: PowerShell, Python, and other scripting languages provide adversaries with powerful execution environments that bypass traditional executable controls while offering extensive system access and obfuscation capabilities. Administrative tools designed for legitimate system management become post-exploitation utilities in attacker hands, enabling credential theft, lateral movement, and persistence establishment. Restricting script execution to signed, authorized code and limiting administrative tool access to approved personnel prevents adversaries from leveraging built-in capabilities for malicious purposes while maintaining operational flexibility through constrained execution environments. Control scripting and administrative access through these restrictions: Implement PowerShell script execution policies, AppLocker, and Windows Defender Application Control restricting execution of scripts and administrative tools to authorized personnel and scenarios.
Script execution controls:
PowerShell execution policy: Configure PowerShell execution policy requiring script signing for remote scripts while maintaining flexibility for signed administrative scripts.
PowerShell Constrained Language Mode: Deploy PowerShell Constrained Language Mode limiting PowerShell capabilities preventing malicious script execution while allowing approved administrative tasks.
Script block logging: Enable PowerShell Script Block Logging capturing all executed PowerShell code for security monitoring and forensic invest
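An added example serving both AM-5.2 (software inventory and change tracking) and AM-5.3 (script execution controls), not code from the page or from Azure Monitor: it runs constructed change-tracking records through a software allow list and a set of protected registry values, so that an unapproved install, an outdated version, or a weakening of script block logging or the execution policy each becomes a finding. The record shape is a simplification rather than the Change Tracking table schema; the registry paths are the Group Policy locations for PowerShell script block logging and execution policy, and the software names, versions and hosts are constructed.

```python
# Added example (not from the MCSB page or Azure Monitor): evaluate constructed
# change-tracking records against a software allow list and the registry values
# that carry the PowerShell script controls. Record shape is simplified; the
# registry paths are the Group Policy locations for script block logging and
# execution policy; software names, versions and hosts are constructed.
APPROVED_SOFTWARE = {
    "Contoso Monitoring Agent": {"2.1.0", "2.2.0"},   # only these versions
    "Microsoft Edge": None,                           # None: any version
}

PS_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
PROTECTED_REGISTRY = {
    PS_POLICY + r"\ScriptBlockLogging\EnableScriptBlockLogging": "1",
    PS_POLICY + r"\EnableScripts": "1",
    PS_POLICY + r"\ExecutionPolicy": "RemoteSigned",
}


def check_software(rec):
    """Unapproved product -> high; approved product at an unapproved version -> medium."""
    if rec["change"] != "Installed":
        return None
    name, version = rec["name"], rec["version"]
    if name not in APPROVED_SOFTWARE:
        return {"severity": "high", "host": rec["host"],
                "finding": f"unapproved software installed: {name} {version}"}
    versions = APPROVED_SOFTWARE[name]
    if versions is not None and version not in versions:
        return {"severity": "medium", "host": rec["host"],
                "finding": f"unapproved version of {name}: {version}"}
    return None


def check_registry(rec):
    """A protected value moved away from its expected setting -> high."""
    expected = PROTECTED_REGISTRY.get(rec["key"])
    if expected is None or rec["new_value"] == expected:
        return None
    return {"severity": "high", "host": rec["host"],
            "finding": (f"script control weakened: {rec['key']} = "
                        f"{rec['new_value']!r}, expected {expected!r}")}


HANDLERS = {"software": check_software, "registry": check_registry}


def analyse(records):
    """Run every record through the handler for its type; return findings in order."""
    findings = []
    for rec in records:
        handler = HANDLERS.get(rec["type"])
        finding = handler(rec) if handler else None
        if finding:
            findings.append(finding)
    return findings


# Constructed change-tracking records.
RECORDS = [
    {"type": "software", "host": "srv-web-01", "change": "Installed",
     "name": "Contoso Monitoring Agent", "version": "2.2.0"},
    {"type": "software", "host": "srv-app-02", "change": "Installed",
     "name": "Example Remote Admin Tool", "version": "1.0"},
    {"type": "software", "host": "srv-db-03", "change": "Installed",
     "name": "Contoso Monitoring Agent", "version": "1.9.0"},
    {"type": "registry", "host": "srv-app-02",
     "key": PS_POLICY + r"\ScriptBlockLogging\EnableScriptBlockLogging", "new_value": "0"},
    {"type": "registry", "host": "srv-web-04",
     "key": PS_POLICY + r"\ExecutionPolicy", "new_value": "RemoteSigned"},
    {"type": "software", "host": "srv-web-01", "change": "Removed",
     "name": "Example Remote Admin Tool", "version": "1.0"},
    {"type": "registry", "host": "srv-web-04",
     "key": r"HKLM\SOFTWARE\Contoso\Agent\LogLevel", "new_value": "3"},
]

if __name__ == "__main__":
    for f in analyse(RECORDS):
        print(f"[{f['severity']}] {f['host']}: {f['finding']}")
```

Two of the findings land on the same host, srv-app-02: an unapproved tool appears and script block logging is switched off shortly after, which is the kind of correlation the Sentinel integration described in the parent control is meant to surface. A change that sets a protected value to its expected state, as on srv-web-04, is not reported.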