ComplianceCISAzure

CIS Azure v2.1 Compliance: What You Need to Know

A practical guide to CIS Azure Foundations Benchmark v2.1 — what it covers, why it matters, and how to automate compliance monitoring.

3 min read

What is CIS Azure Foundations Benchmark?

The Center for Internet Security (CIS) publishes benchmarks — consensus-based security configuration guides used by organizations worldwide. The Azure Foundations Benchmark v2.1 covers security best practices for Azure environments and is one of the most widely referenced standards for cloud security audits.

If your organization has ever been asked "are you CIS compliant?" during a security review, this is the benchmark they're talking about.

Key Control Areas

The benchmark organizes controls into several domains:

Identity and Access Management

  • MFA enforcement for all users (not just admins)
  • Conditional Access policy requirements
  • Guest access restrictions and review processes
  • Privileged role management via PIM
  • Emergency access (break-glass) accounts

Security Center and Defender

  • Defender for Cloud enablement across all subscriptions
  • Security contact configuration with email and phone
  • Auto-provisioning of monitoring agents
  • Threat detection for storage, SQL, Key Vault, DNS, and App Service

Storage

  • Secure transfer (HTTPS) requirement for all storage accounts
  • Storage account access key management and rotation
  • Blob public access restrictions (disabled by default)
  • Soft-delete enablement for blob and container recovery

Networking

  • NSG flow log enablement for traffic analysis
  • Network Watcher configuration per region
  • RDP/SSH access restrictions (no 0.0.0.0/0 rules)
  • Application Gateway WAF configuration

Logging and Monitoring

  • Activity log retention (90+ days minimum)
  • Diagnostic setting configuration for all resources
  • Log Analytics workspace setup for centralized analysis
  • Alert rule configuration for critical security events

Why Automate Compliance

Manual compliance checking means:

  • Opening dozens of Azure Portal blades per control
  • Cross-referencing against a 200+ page PDF document
  • Building and maintaining spreadsheets to track control status
  • Repeating the entire process every quarter (or more frequently)
  • Scrambling when an auditor asks for evidence

Automated compliance mapping eliminates all of this. Every check is mapped to a specific CIS control, with pass/fail status and remediation guidance updated on every scan.

Beyond CIS: Four Frameworks

Unsave maps its 103 security checks to four compliance frameworks simultaneously:

  1. CIS Azure v2.1 — The infrastructure security baseline
  2. SOC 2 Type II — Trust service criteria for service organizations
  3. ISO 27001:2022 — International information security standard
  4. NIST CSF 2.0 — Federal cybersecurity framework

One scan, four compliance reports. Each with control-level status, evidence, and exportable PDF documentation.

Monitor CIS Azure v2.1 compliance continuously. Try Unsave free at unsave.io.