| AM-1 | Asset Management | 1.1 - Utilize an Active Discovery Tool | 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory | CM-8: INFORMATION SYSTEM COMPONENT INVENTORY | 2.4 | Track asset inventory and their risks | Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets. | The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in Azure (Name, Description, and Category). | How to create queries with Azure Resource Graph Explorer: | Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource inventories. | AWS Systems Manager Inventory: | Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
| | 1.2 - Use a Passive Asset Discovery Tool | 1.5 - Use a Passive Asset Discovery Tool | PM-5: INFORMATION SYSTEM INVENTORY | | | | | https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal | | https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html | |
| | 1.4 - Maintain Detailed Asset Inventory | 2.1 - Establish and Maintain a Software Inventory | | | | Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally | Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. | | Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name, Description, and Category). | | Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management |
| | 1.5 - Maintain Asset Inventory Information | 2.4 - Utilize Automated Software Inventory Tools | | | | | | Microsoft Defender for Cloud asset inventory management: | | AWS Resource Groups and Tags: | |
| | 2.1 - Maintain Inventory of Authorized Software | | | | | | Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions. | https://docs.microsoft.com/azure/security-center/asset-inventory | Ensure that security organizations have access to a continuously updated inventory of assets on AWS. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. | https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html | |
| | | | | | | | | | | | |
| | | | | | | | Note: Additional permissions might be required to get visibility into workloads and services. | For more information about tagging assets, see the resource naming and tagging decision guide: | Note: Additional permissions might be required to get visibility into workloads and services. | | |
| | | | | | | | | https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json | | | |
| | | | | | | | | | | | |
| | | | | | | | | Overview of Security Reader Role: | | | |
| | | | | | | | | https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader | | | |
| AM-2 | Asset Management | 2.7 - Utilize Application Whitelisting | 2.5 - Allowlist Authorized Software | CM-8: INFORMATION SYSTEM COMPONENT INVENTORY | 6.3 | Use only approved services | Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. | Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. | Configure and manage Azure Policy: | Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to query for and discover resources within their accounts. You can also use CloudWatch and/or AWS Config to create rules to trigger alerts when a non-approved service is detected. | AWS Resource Groups: | Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management |
| | 2.8 - Implement Application Whitelisting of Libraries | 2.6 - Allowlist Authorized Libraries | PM-5: INFORMATION SYSTEM INVENTORY | | | | | https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage | | https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html | |
| | 2.9 - Implement Application Whitelisting of Scripts | 2.7 - Allowlist Authorized Scripts | | | | | | | | | Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
| | 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running | 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | | | | | How to deny a specific resource type with Azure Policy: | | | |
| | | | | | | | | https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types | | | |
| | | | | | | | | | | | |
| | | | | | | | | How to create queries with Azure Resource Graph Explorer: | | | |
| | | | | | | | | https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal | | | |
| AM-3 | Asset Management | 1.4 - Maintain Detailed Asset Inventory | 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory | CM-8: INFORMATION SYSTEM COMPONENT INVENTORY | 2.4 | Ensure security of asset lifecycle management | Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. | Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. | Delete Azure resource group and resource: | Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. | How do I check for active resources that I no longer need on my AWS account? | Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
| | 1.5 - Maintain Asset Inventory Information | 2.1 - Establish and Maintain a Software Inventory | CM-7: LEAST FUNCTIONALITY | | | | | https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group | | https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/ | |
| | 2.1 - Maintain Inventory of Authorized Software | | | | | | Identify and remove Azure resources when they are no longer needed. | | Identify and remove AWS resources when they are no longer needed. | | Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
| | 2.4 - Track Software Inventory Information | | | | | | | | | How do I terminate active resources that I no longer need on my AWS account? | |
| | | | | | | | | | | https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/ | Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management |
| AM-4 | Asset Management | 14.6 - Protect Information Through Access Control Lists | 3.3 - Configure Data Access Control Lists | AC-3: ACCESS ENFORCEMENT | nan | Limit access to asset management | Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud. | Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. | How to configure Conditional Access to block access to Azure Resources Manager: | Use AWS IAM to restrict access to a specific resource. You can specify allowed or deny actions as well as the conditions under which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based policies, tag-based authorization, temporary credentials, or service-linked roles to have a fine-grain control access control for your resources. | AWS services that work with IAM: | Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
| | | | | | | | | https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management | | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html | |
| | | | | | | | Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control their permissions and access to Azure resources. For example, a user with only the 'Reader' Azure RBAC role can view all resources, but is not allowed to make any changes. | | | | Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
| | | | | | | | | Lock your resources to protect your infrastructure: | | | |
| | | | | | | | Use Resource Locks to prevent either deletions or modifications to resources. Resource Locks may also be administered through Azure Blueprints. | https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json | | | |
| | | | | | | | | | | | |
| | | | | | | | | Protect new resources with Azure Blueprints resource locks: | | | |
| | | | | | | | | https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources | | | |
| AM-5 | Asset Management | 2.7 - Utilize Application Whitelisting | 2.5 - Allowlist Authorized Software | CM-8: INFORMATION SYSTEM COMPONENT INVENTORY | 6.3 | Use only approved applications in virtual machine | Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. | Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software can executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. | How to use Microsoft Defender for Cloud adaptive application controls: | Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config rules to ensure that non-authorized software is blocked from executing on EC2 instances. | Preventing blacklisted applications with AWS Systems Manager and AWS Config: | Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint |
| | 2.8 - Implement Application Whitelisting of Libraries | 2.6 - Allowlist Authorized Libraries | CM-7: LEAST FUNCTIONALITY | | | | | https://docs.microsoft.com/azure/security-center/security-center-adaptive-application | | https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/ | |
| | 2.9 - Implement Application Whitelisting of Scripts | 2.7 - Allowlist Authorized Scripts | CM-10: SOFTWARE USAGE RESTRICTIONS | | | | Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time information are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. | | You can also use a third-party solution to discover and identify unapproved software. | | Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
| | 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running | 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | CM-11: USER-INSTALLED SOFTWARE | | | | | Understand Azure Automation Change Tracking and Inventory: | | | |
| | | | | | | | Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. | https://docs.microsoft.com/azure/automation/change-tracking | | | Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management |
| | | | | | | | | | | | |
| | | | | | | | You can also use a third-party solution to discover and identify unapproved software. | How to control PowerShell script execution in Windows environments: | | | |
| | | | | | | | | https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 | | | |