Azure Policy built-in definitions for Azure Data Explorer

This page is an index of Azure Policy built-in policy definitions for Azure Data Explorer. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Data Explorer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key used for encryption at rest. This feature is typically applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. | Audit, Deny, Disabled | 1.0.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption is enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection, which allows you to enforce network security group rules, connect to on-premises networks, and secure your data connection sources with service endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. | Audit, Deny, Disabled | 1.0.0 |
| Public network access should be disabled on Azure Data Explorer | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. With the Deny effect, this configuration blocks the creation of Azure Data Explorer clusters with public network access enabled. | Audit, Deny, Disabled | 1.0.0 |
| Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity so that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables public network access for all Azure Data Explorer clusters in scope. | Modify, Disabled | 1.0.0 |
| Azure Data Explorer cluster should use a private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. | Audit, Disabled | 1.0.0 |
| Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. | DeployIfNotExists, Disabled | 1.0.0 |
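The Effect(s) column matters in practice: Audit only reports existing clusters as non-compliant, Deny rejects new or updated clusters that violate the rule but leaves existing ones untouched, and the Modify and DeployIfNotExists definitions change existing resources, which is why they need a managed identity and a remediation task. The Az PowerShell script below is an added example written for this page, not code from the Microsoft Learn article or the Azure Policy GitHub repo. It assumes the Az.Resources and Az.PolicyInsights modules are installed and that Connect-AzAccount has been run with sufficient rights (Resource Policy Contributor plus the right to create role assignments); `$scope`, the assignment and remediation names, and the `eastus` location are placeholders, and the object property paths noted in the comments follow the Az.Resources 6.x output shape.

```powershell
# Added example for this page: assign two of the built-ins listed above and check compliance.
# Assumes Az.Resources + Az.PolicyInsights and an authenticated session. Names are placeholders.

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

function Get-BuiltinPolicyByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Look the definition up by the display name shown in the table rather than
    # hard-coding its GUID. Az.Resources 6.x exposes .Properties.DisplayName,
    # 7.x flattens it to .DisplayName, so accept either.
    $def = Get-AzPolicyDefinition -Builtin |
        Where-Object { $_.DisplayName -eq $DisplayName -or $_.Properties.DisplayName -eq $DisplayName }
    if (-not $def) { throw "Built-in policy '$DisplayName' not found" }
    return $def
}

# 1) Deny: stop anyone creating or updating a cluster with public network access enabled.
#    Deny is evaluated on PUT/PATCH only; clusters that already exist are merely reported.
$denyDef = Get-BuiltinPolicyByDisplayName 'Public network access should be disabled on Azure Data Explorer'
New-AzPolicyAssignment -Name 'deny-adx-public-access' `
    -DisplayName 'Deny ADX clusters with public network access' `
    -Scope $scope -PolicyDefinition $denyDef `
    -PolicyParameterObject @{ effect = 'Deny' } | Out-Null

# 2) Modify: bring existing clusters into line. Modify needs a managed identity on the
#    assignment, which in turn needs the roles listed in the definition's roleDefinitionIds.
$modifyDef = Get-BuiltinPolicyByDisplayName 'Configure Azure Data Explorer to disable public network access'
$modifyAssignment = New-AzPolicyAssignment -Name 'modify-adx-public-access' `
    -DisplayName 'Disable public network access on existing ADX clusters' `
    -Scope $scope -PolicyDefinition $modifyDef `
    -PolicyParameterObject @{ effect = 'Modify' } `
    -IdentityType SystemAssigned -Location 'eastus'

# The portal grants these roles to the identity automatically; PowerShell does not.
# Without them the remediation fails with authorization errors.
$roleIds = $modifyDef.Properties.PolicyRule.then.details.roleDefinitionIds
if (-not $roleIds) { $roleIds = $modifyDef.PolicyRule.then.details.roleDefinitionIds }   # Az.Resources 7.x shape
$principalId = $modifyAssignment.Identity.PrincipalId
if (-not $principalId) { $principalId = $modifyAssignment.IdentityPrincipalId }             # Az.Resources 7.x shape
foreach ($roleId in $roleIds) {
    # roleDefinitionIds are full resource IDs; New-AzRoleAssignment wants the trailing GUID.
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId ($roleId -split '/')[-1] -Scope $scope | Out-Null
}

# Remediation tasks apply Modify/DeployIfNotExists to resources that already exist.
# The assignment ID is built from the scope so this does not depend on the output object shape.
Start-AzPolicyRemediation -Name 'remediate-adx-public-access' `
    -PolicyAssignmentId "$scope/providers/Microsoft.Authorization/policyAssignments/modify-adx-public-access" | Out-Null

function Get-NonCompliantAdxClusters {
    param([Parameter(Mandatory)][string]$AssignmentName)
    # Compliance is evaluated on a schedule; trigger a scan first if you need fresh results.
    Start-AzPolicyComplianceScan | Out-Null
    Get-AzPolicyState -PolicyAssignmentName $AssignmentName -Filter "ComplianceState eq 'NonCompliant'" |
        Select-Object ResourceId, PolicyDefinitionAction, Timestamp
}

Get-NonCompliantAdxClusters -AssignmentName 'deny-adx-public-access' | Format-Table -AutoSize
```

Assign at a test scope (a resource group ID in `$scope`) with `effect = 'Audit'` first; the non-compliant list from the last step tells you which clusters the Deny assignment would have blocked and which the Modify assignment will change before you switch the effect.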