Azure Policy built-in policy definitions
This page is an index of Azure Policy built-in policy definitions.
The name of each built-in links to the policy definition in the Azure portal. Use the link in the Version (GitHub) column to view the definition's source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in their metadata. To go to a specific category, use your browser's search feature (Ctrl-F).
API Management
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Audit, Disabled, Deny | 2.0.2 |
API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Audit, Disabled, Deny | 1.0.1 |
API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Audit, Disabled, Deny | 1.0.2 |
API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, which increases the attack surface of your service. | Audit, Disabled, Deny | 1.0.2 |
API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Audit, Deny, Disabled | 1.0.1 |
API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Audit, Disabled, Deny | 1.0.2 |
API Management service should use a SKU that supports virtual networks | With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which give you greater control over your network security configuration. Learn more at: https://docs.azure.cn/api-management/api-management-using-with-vnet. | Audit, Deny, Disabled | 1.0.0 |
API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and lets you place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
API Management should disable public network access to the service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | AuditIfNotExists, Disabled | 1.0.1 |
API Management should have username and password authentication disabled | To better secure the developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Audit, Disabled | 1.0.1 |
API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs; a subscription key scoped to all APIs can expose far more data than the consumer needs. | Audit, Disabled, Deny | 1.1.0 |
Azure API Management platform version should be stv2 | Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://docs.azure.cn/api-management/breaking-changes/stv1-platform-retirement-august-2024 | Audit, Deny, Disabled | 1.0.0 |
Configure API Management services to disable access to API Management public service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. | DeployIfNotExists, Disabled | 1.1.0 |
Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Modify | 1.1.0 |
App Configuration
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Configuration should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | Audit, Deny, Disabled | 1.0.0 |
App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Audit, Deny, Disabled | 1.1.0 |
App Configuration should use a SKU that supports private link | When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | Audit, Deny, Disabled | 1.0.0 |
App Configuration should use geo-replication | Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-geo-replication. | AuditIfNotExists, Disabled | 1.0.0 |
App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://docs.azure.cn/zh-cn/azure-app-configuration/concept-private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://docs.azure.cn/azure-app-configuration/howto-disable-access-key-authentication. | Audit, Deny, Disabled | 1.0.1 |
Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://docs.azure.cn/azure-app-configuration/howto-disable-access-key-authentication. | Modify, Disabled | 1.0.1 |
Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect your stores against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | Modify, Disabled | 1.0.0 |
Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://docs.azure.cn/azure-app-configuration/concept-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
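The Effect(s) column above is the part of each row that decides what actually happens: Audit only records non-compliance, Deny rejects the create/update request, and Modify rewrites the request so the resource lands compliant. The following is an added example, not code from Microsoft or from the Azure Policy repo: a small evaluator for Azure Policy-style rules run against constructed resources. The two rules are hand-written approximations of "API Management APIs should use only encrypted protocols" (API Management table) and "Configure App Configuration to disable public network access" (App Configuration table); the alias-to-property mapping (`ALIASES`), the rule bodies and the sample resources are assumptions made for the illustration, not the published definitions.

```python
"""Simplified evaluator for Azure Policy-style rules, showing what the
Effect(s) column means in practice: Audit records, Deny rejects, Modify fixes.
Added example, not Microsoft's code; rules, aliases and resources are
constructed approximations, not the published built-in definitions."""
import copy

# ASSUMPTION: how the two aliases map onto properties of the resource JSON.
ALIASES = {
    "Microsoft.ApiManagement/service/apis/protocols[*]": "properties.protocols",
    "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess":
        "properties.publicNetworkAccess",
}

def get_field(resource, field):
    """Resolve 'type', 'name' or an alias to a value (None if absent)."""
    cur = resource
    for part in ALIASES.get(field, field).split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def set_field(resource, field, value):
    # addOrReplace semantics: create intermediate objects, overwrite the leaf.
    path = ALIASES.get(field, field).split(".")
    cur = resource
    for part in path[:-1]:
        cur = cur.setdefault(part, {})
    cur[path[-1]] = value

def compare(op, actual, expected):
    """One comparison; an array ([*]) value must satisfy it for every element."""
    if isinstance(actual, list):
        return all(compare(op, item, expected) for item in actual)
    return {"equals": actual == expected, "notEquals": actual != expected,
            "in": actual in expected, "notIn": actual not in expected}[op]

def matches(cond, resource):
    """Evaluate allOf / anyOf / count / field conditions (a subset of the language)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "count" in cond:
        # Count array elements satisfying 'where' by testing each element alone.
        spec, n = cond["count"], 0
        for item in get_field(resource, spec["field"]) or []:
            single = copy.deepcopy(resource)
            set_field(single, spec["field"], [item])
            n += matches(spec["where"], single)
        return n > cond["greater"]
    op = next(k for k in ("equals", "notEquals", "in", "notIn") if k in cond)
    return compare(op, get_field(resource, cond["field"]), cond[op])

def evaluate(policy, resource, effect):
    """Return (state, resource). The 'if' block describes the NON-compliant
    shape; the effect decides what happens when a resource matches it."""
    rule = policy["policyRule"]
    if effect == "Disabled" or not matches(rule["if"], resource):
        return "Compliant", resource
    if effect == "Audit":
        return "NonCompliant", resource        # recorded; the request proceeds
    if effect == "Deny":
        return "Denied", None                  # request rejected, nothing created
    if effect == "Modify":
        fixed = copy.deepcopy(resource)        # the request is patched in flight
        for op in rule["then"]["details"]["operations"]:
            set_field(fixed, op["field"], op["value"])
        return "Compliant", fixed
    raise ValueError(f"unsupported effect: {effect}")

ENCRYPTED_PROTOCOLS = {   # constructed approximation of the built-in
    "displayName": "API Management APIs should use only encrypted protocols",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.ApiManagement/service/apis"},
            {"count": {"field": "Microsoft.ApiManagement/service/apis/protocols[*]",
                       "where": {"field": "Microsoft.ApiManagement/service/apis/protocols[*]",
                                 "in": ["http", "ws"]}},
             "greater": 0}]},
        "then": {"effect": "[parameters('effect')]"}}}

DISABLE_PUBLIC_ACCESS = {   # constructed approximation of the built-in
    "displayName": "Configure App Configuration to disable public network access",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.AppConfiguration/configurationStores"},
            {"field": "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess",
             "notEquals": "Disabled"}]},
        "then": {"effect": "Modify", "details": {"operations": [
            {"operation": "addOrReplace",
             "field": "Microsoft.AppConfiguration/configurationStores/publicNetworkAccess",
             "value": "Disabled"}]}}}}

# Constructed sample resources (ARM-style JSON, abbreviated).
MIXED_API = {"type": "Microsoft.ApiManagement/service/apis", "name": "orders",
             "properties": {"protocols": ["https", "http"]}}
TLS_ONLY_API = {"type": "Microsoft.ApiManagement/service/apis", "name": "payments",
                "properties": {"protocols": ["https", "wss"]}}
OPEN_STORE = {"type": "Microsoft.AppConfiguration/configurationStores", "name": "cfg",
              "properties": {"publicNetworkAccess": "Enabled"}}

if __name__ == "__main__":
    for effect in ("Audit", "Deny", "Disabled"):
        print(effect, evaluate(ENCRYPTED_PROTOCOLS, MIXED_API, effect)[0])
    print("Modify", evaluate(DISABLE_PUBLIC_ACCESS, OPEN_STORE, "Modify")[1])
```

Running it shows the same API with `http` alongside `https` reported as NonCompliant under Audit, refused under Deny, and ignored under Disabled, while the Modify rule returns a copy of the store with `publicNetworkAccess` forced to `Disabled` and leaves the original request object untouched. The `count`/`where` construction is how a policy asks "is any element of this array bad?", which is different from a plain `[*]` condition, which must hold for every element; that distinction is what makes a single unencrypted protocol in an otherwise HTTPS API a finding.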
App Service
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service app slots should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.azure.cn/app-service/web-sites-integrate-with-vnet. | Audit, Deny, Disabled | 1.0.0 |
App Service app slots should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Audit, Disabled, Deny | 1.0.0 |
App Service app slots should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://docs.azure.cn/app-service/configure-vnet-integration-routing#container-image-pull. | Audit, Deny, Disabled | 1.0.0 |
App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Audit, Deny, Disabled | 1.0.0 |
App Service app slots should have Client Certificates (Incoming client certificates) enabled | Client certificates let the app require a certificate on incoming requests. Only clients that present a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | AuditIfNotExists, Disabled | 1.0.3 |
App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | AuditIfNotExists, Disabled | 1.0.4 |
App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.1 |
App Service app slots should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 2.0.0 |
App Service app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://docs.azure.cn/storage/files/storage-files-introduction. | Audit, Disabled | 1.0.0 |
App Service app slots should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released either to fix security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and new functionality of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and new functionality of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | AuditIfNotExists, Disabled | 1.0.0 |
App Service app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 1.0.0 |
App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.azure.cn/app-service/web-sites-integrate-with-vnet. | Audit, Deny, Disabled | 3.0.0 |
App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Audit, Disabled, Deny | 1.1.0 |
App Service apps should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://docs.azure.cn/app-service/configure-vnet-integration-routing#container-image-pull. | Audit, Deny, Disabled | 1.0.0 |
App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Audit, Deny, Disabled | 1.0.0 |
App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 2.0.1 |
App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates let the app require a certificate on incoming requests. Only clients that present a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | AuditIfNotExists, Disabled | 1.0.3 |
App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | AuditIfNotExists, Disabled | 1.0.3 |
App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/app-service/networking/private-endpoint. | Audit, Deny, Disabled | 4.1.0 |
App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://docs.azure.cn/storage/files/storage-files-introduction. | Audit, Disabled | 3.0.0 |
App Service apps should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released either to fix security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and new functionality of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
App Service apps should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/app-service/networking/private-endpoint. | AuditIfNotExists, Disabled | 1.0.1 |
App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and new functionality of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | AuditIfNotExists, Disabled | 3.1.0 |
App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | AuditIfNotExists, Disabled | 3.2.0 |
App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 4.1.0 |
App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Audit, Deny, Disabled | 3.0.0 |
App Service Environment should be configured with strongest TLS Cipher suites | The minimum set of cipher suites an App Service Environment needs to function correctly, and the strongest it supports, is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. | Audit, Disabled | 1.0.0 |
App Service Environment should be provisioned with latest versions | Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. | Audit, Deny, Disabled | 1.0.0 |
App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.azure.cn/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Audit, Deny, Disabled | 2.0.1 |
Configure App Service app slots to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists, Disabled | 1.0.3 |
Configure App Service app slots to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists, Disabled | 1.0.3 |
Configure App Service app slots to disable public network access | Disable public network access for your App Service slots so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Modify, Disabled | 1.1.0 |
Configure App Service app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify, Disabled | 2.0.0 |
Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | DeployIfNotExists, Disabled | 1.1.0 |
Configure App Service app slots to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and new functionality of the latest version. | DeployIfNotExists, Disabled | 1.1.0 |
Configure App Service apps to disable local authentication for FTP deployments | Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists, Disabled | 1.0.3 |
Configure App Service apps to disable local authentication for SCM sites | Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | DeployIfNotExists, Disabled | 1.0.3 |
Configure App Service apps to disable public network access | Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Modify, Disabled | 1.1.0 |
Configure App Service apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify, Disabled | 2.0.0 |
Configure App Service apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | DeployIfNotExists, Disabled | 1.0.0 |
Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint#dns. | DeployIfNotExists, Disabled | 1.0.1 |
Configure App Service apps to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and new functionality of the latest version. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Function app slots to disable public network access | Disable public network access for your Function app slots so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Modify, Disabled | 1.1.0 |
Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify, Disabled | 2.0.0 |
Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Function app slots to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and new functionality of the latest version. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Function apps to disable public network access | Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Modify, Disabled | 1.1.0 |
Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Modify, Disabled | 2.0.0 |
Configure Function apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Function apps to use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | DeployIfNotExists, Disabled | 1.0.1 |
Function app slots should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://docs.azure.cn/app-service/networking/private-endpoint. | Audit, Disabled, Deny | 1.0.0 |
Function app slots should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 2.0.0 |
Function app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://docs.azure.cn/storage/files/storage-files-introduction. | Audit, Disabled | 1.0.0 |
Function app slots should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released either to address security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionality of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | AuditIfNotExists, Disabled | 1.0.0 |
Function app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 1.0.0 |
Function apps should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://docs.azure.cn/storage/files/storage-files-introduction. | Audit, Disabled, Deny | 1.0.0 |
Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 3.0.0 |
Function apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://docs.azure.cn/storage/files/storage-files-introduction. | Audit, Disabled | 3.0.0 |
Function apps should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released either to address security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionality of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
Function apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | AuditIfNotExists, Disabled | 3.1.0 |
Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 4.1.0 |
Automation
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automation Account should have Managed Identity | Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using a RunAs Account in your runbook code. | Audit, Disabled | 1.0.0 |
Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
Automation accounts should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/automation/how-to/private-link-security. | Audit, Deny, Disabled | 1.0.0 |
Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/automation/automation-secure-asset-encryption. | Audit, Deny, Disabled | 1.0.0 |
Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation accounts so that they aren't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Modify, Disabled | 1.0.0 |
Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need a properly configured private DNS zone to connect to an Azure Automation account via Azure Private Link. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
Configure private endpoint connections on Azure Automation accounts | Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.azure.cn/automation/how-to/private-link-security. | DeployIfNotExists, Disabled | 1.0.0 |
Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.azure.cn/automation/how-to/private-link-security | AuditIfNotExists, Disabled | 1.0.0 |
Azure Active Directory
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.azure.cn/active-directory-domain-services/secure-your-domain. | Audit, Deny, Disabled | 1.1.0 |
Azure AI Services
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure AI Services resources should have key access disabled (disable local authentication) | Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the principle of least privilege and granular control. Learn more at: https://docs.azure.cn/ai-services/authentication | Audit, Deny, Disabled | 1.1.0 |
Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
Azure AI Services resources should use Azure Private Link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://docs.azure.cn/private-link/private-link-overview | Audit, Disabled | 1.0.0 |
Configure Azure AI Services resources to disable local key access (disable local authentication) | Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the principle of least privilege and granular control. Learn more at: https://docs.azure.cn/ai-services/authentication | DeployIfNotExists, Disabled | 1.0.0 |
Diagnostic logs in Azure AI services resources should be enabled | Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Data Explorer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All Database Admin on Azure Data Explorer should be disabled | Disable the All Database Admin role to restrict the granting of a highly privileged/administrative user role. | Audit, Deny, Disabled | 1.0.0 |
Azure Data Explorer cluster should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/data-explorer/security-network-private-endpoint. | Audit, Disabled | 1.0.0 |
Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key used for encryption at rest. This feature is often applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. | Audit, Deny, Disabled | 1.0.0 |
Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/app-service/networking/private-endpoint. | Audit, Deny, Disabled | 1.0.0 |
Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables public network access for all Azure Data Explorer clusters. | Modify, Disabled | 1.0.0 |
Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.0.0 |
Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection, which allows you to enforce network security group rules, connect to on-premises networks, and secure your data connection sources with service endpoints. | Audit, Deny, Disabled | 1.0.0 |
Azure Databricks
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://docs.azure.cn/databricks/security/network/classic/secure-cluster-connectivity. | Audit, Deny, Disabled | 1.0.1 |
Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.azure.cn/databricks/security/network/classic/vnet-inject. | Audit, Deny, Disabled | 1.0.2 |
Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspaces with the Premium SKU that your organization can deploy to support features like Private Link and customer-managed keys for encryption. Learn more at: https://docs.azure.cn/databricks/security/network/classic/private-link-standard#create-the-workspace-and-private-endpoints-in-the-azure-portal-ui. | Audit, Deny, Disabled | 1.0.1 |
Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/databricks/security/network/classic/private-link. | Audit, Deny, Disabled | 1.0.1 |
Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/databricks/security/network/classic/private-link-standard#create-the-workspace-and-private-endpoints-in-the-azure-portal-ui. | Audit, Disabled | 1.0.2 |
Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://docs.azure.cn/databricks/security/network/classic/private-link-standard#create-the-workspace-and-private-endpoints-in-the-azure-portal-ui. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/databricks/administration-guide/cloud-configurations/azure/private-link-standard#create-the-workspace-and-private-endpoints-in-the-azure-portal-ui. | DeployIfNotExists, Disabled | 1.0.2 |
Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.1 |
Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
Backup
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure Backup Extension should be installed in AKS clusters | Ensure protection by installing the backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Backup should be enabled for AKS clusters | Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Backup should be enabled for Blobs in Storage Accounts | Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Backup should be enabled for Managed Disks | Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Recovery Services vaults should disable public network access | Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/backup/encryption-at-rest-with-cmk. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. | Audit, Disabled | 2.0.0-preview |
[Preview]: Configure Azure Recovery Services vaults to disable public network access | Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. | Modify, Disabled | 1.0.0-preview |
[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://docs.azure.cn/backup/disk-backup-overview | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://docs.azure.cn/backup/disk-backup-overview | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://docs.azure.cn/backup/blob-backup-overview | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://docs.azure.cn/backup/blob-backup-overview | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. | DeployIfNotExists, Disabled | 1.0.1-preview |
[Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://docs.azure.cn/backup/backup-azure-arm-restore-vms. | Modify, Disabled | 1.1.0-preview |
[Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://docs.azure.cn/backup/backup-vault-overview#move-a-backup-vault-across-azure-subscriptionsresource-groups. | Modify, Disabled | 1.1.0-preview |
[Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://docs.azure.cn/backup/backup-azure-immutable-vault-concept?tabs=recovery-services-vault. | Audit, Disabled | 1.0.1-preview |
[Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://docs.azure.cn/backup/backup-azure-immutable-vault-concept?tabs=recovery-services-vault. | Audit, Disabled | 1.0.1-preview |
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.0-preview |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://docs.azure.cn/backup/backup-azure-auto-enable-backup#policy-4---preview-configure-backup-on-vms-with-a-given-tag-to-a-new-recovery-services-vault-with-a-default-policy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://docs.azure.cn/backup/backup-azure-auto-enable-backup#policy-4---preview-configure-backup-on-vms-with-a-given-tag-to-a-new-recovery-services-vault-with-a-default-policy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://docs.azure.cn/backup/backup-azure-auto-enable-backup#policy-3---preview-configure-backup-on-vms-without-a-given-tag-to-a-new-recovery-services-vault-with-a-default-policy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://docs.azure.cn/backup/backup-azure-auto-enable-backup#policy-1---configure-backup-on-vms-without-a-given-tag-to-an-existing-recovery-services-vault-in-the-same-location. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | deployIfNotExists | 1.0.2 |
Batch
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Audit, Deny, Disabled | 1.0.1 |
Azure Batch pools should have disk encryption enabled | Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.azure.cn/batch/disk-encryption. | Audit, Disabled, Deny | 1.0.0 |
Batch accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Audit, Deny, Disabled | 1.0.0 |
Configure Batch accounts to disable local authentication | Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Modify, Disabled | 1.0.0 |
Configure Batch accounts to disable public network access | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. | Modify, Disabled | 1.0.0 |
Configure Batch accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. | DeployIfNotExists, Disabled | 1.0.0 |
Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | AuditIfNotExists, Disabled | 1.0.0 |
Private endpoint connections on Batch accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. | AuditIfNotExists, Disabled | 1.0.0 |
Public network access should be disabled for Batch accounts | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. | Audit, Deny, Disabled | 1.0.0 |
Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
Cache
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Cache for Redis should disable public network access | Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.azure.cn/azure-cache-for-redis/cache-private-link. | Audit, Deny, Disabled | 1.0.0 |
Azure Cache for Redis should not use access keys for authentication | Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at https://docs.azure.cn/azure-cache-for-redis/cache-azure-active-directory-for-authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.azure.cn/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Cache for Redis to disable non SSL ports | Enable SSL-only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Modify, Disabled | 1.0.0 |
Configure Azure Cache for Redis to disable public network access | Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. | Modify, Disabled | 1.0.0 |
Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Cache for Redis with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/azure-cache-for-redis/cache-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 1.0.0 |
Cognitive Services
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. | Audit, Deny, Disabled | 2.2.0 |
Cognitive Services accounts should use a managed identity | Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. | Audit, Deny, Disabled | 1.0.0 |
Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. | Audit, Deny, Disabled | 2.0.0 |
Configure Cognitive Services accounts to disable local authentication methods | Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://docs.azure.cn/cognitive-services/authentication. | Modify, Disabled | 1.0.0 |
Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/private-link/. | Disabled, Modify | 3.0.0 |
Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://docs.azure.cn/cognitive-services/cognitive-services-virtual-networks. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://docs.azure.cn/private-link/. | DeployIfNotExists, Disabled | 3.0.0 |
Compute
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Deny | 1.0.1 |
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://docs.azure.cn/site-recovery/. | auditIfNotExists | 1.0.0 |
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 |
Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy configures it by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://docs.azure.cn/site-recovery/. | DeployIfNotExists, Disabled | 2.1.0 |
Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | DeployIfNotExists, Disabled | 1.0.0 |
Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | DeployIfNotExists, Disabled | 1.0.0 |
Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | Modify, Disabled | 2.0.0 |
Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.1.0 |
Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | AuditIfNotExists, Disabled | 1.0.0 |
Managed disks should be double encrypted with both platform-managed and customer-managed keys | Highly security-sensitive customers who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://docs.azure.cn/virtual-machines/disk-encryption#double-encryption-at-rest. | Audit, Deny, Disabled | 1.0.0 |
Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://docs.azure.cn/virtual-machines/disks-enable-private-links-for-import-export-portal. | Audit, Disabled | 2.0.0 |
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You are able to select the allowed encryption sets, and all others are rejected when attached to a disk. Learn more at https://docs.azure.cn/virtual-machines/disk-encryption. | Audit, Deny, Disabled | 2.0.0 |
Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | AuditIfNotExists, Disabled | 1.1.0 |
Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/virtual-machines/disk-encryption. | Audit, Deny, Disabled | 3.0.0 |
Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying the latest security patches every month. | deny | 1.0.0 |
Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://docs.azure.cn/virtual-machines/disks-enable-host-based-encryption-portal. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
Container Instance
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Audit, Disabled, Deny | 2.0.0 |
Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
Configure diagnostic settings for container groups to Log Analytics workspace | Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance that is missing these diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Container Registry
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure container registries to disable anonymous authentication. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Modify, Disabled | 1.0.0 |
Configure container registries to disable ARM audience token authentication. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Modify, Disabled | 1.0.0 |
Configure container registries to disable local admin account. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Modify, Disabled | 1.0.1 |
Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://docs.azure.cn/container-registry/container-registry-access-selected-networks and https://docs.azure.cn/container-registry/container-registry-private-link. | Modify, Disabled | 1.0.0 |
Configure container registries to disable repository scoped access token. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Modify, Disabled | 1.0.0 |
Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns and https://docs.azure.cn/container-registry/container-registry-private-link. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints and https://docs.azure.cn/container-registry/container-registry-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/container-registry/tutorial-customer-managed-keys. | Audit, Deny, Disabled | 1.1.2 |
Container registries should have anonymous authentication disabled. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Audit, Deny, Disabled | 1.0.0 |
Container registries should have ARM audience token authentication disabled. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Audit, Deny, Disabled | 1.0.0 |
Container registries should have exports disabled | Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://docs.azure.cn/container-registry/data-loss-prevention. | Audit, Deny, Disabled | 1.0.0 |
Container registries should have local admin account disabled. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Audit, Deny, Disabled | 1.0.1 |
Container registries should have repository scoped access token disabled. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/container-registry/container-registry-authentication. | Audit, Deny, Disabled | 1.0.0 |
Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Microsoft Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://docs.azure.cn/container-registry/container-registry-private-link. | Audit, Deny, Disabled | 1.0.0 |
Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://docs.azure.cn/container-registry/container-registry-private-link, and https://docs.azure.cn/container-registry/container-registry-access-selected-networks. | Audit, Deny, Disabled | 2.0.0 |
Container registries should prevent cache rule creation | Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://docs.azure.cn/container-registry/tutorial-artifact-cache. | Audit, Deny, Disabled | 1.0.0 |
Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Microsoft Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://docs.azure.cn/container-registry/container-registry-private-link. | Audit, Disabled | 1.0.1 |
Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://docs.azure.cn/container-registry/container-registry-access-selected-networks and https://docs.azure.cn/container-registry/container-registry-private-link. | Audit, Deny, Disabled | 1.0.0 |
Cosmos DB
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.1.0 |
Azure Cosmos DB accounts should not allow traffic from all Azure data centers | Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://docs.azure.cn/cosmos-db/how-to-configure-firewall. | Audit, Deny, Disabled | 1.0.0 |
Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. | Regenerate your keys in the specified time to keep your data more protected. | Audit, Disabled | 1.0.0 |
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/cosmos-db/how-to-setup-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | [parameters('policyEffect')] | 1.1.0 |
Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | append | 1.0.0 |
Azure Cosmos DB should disable public network access | Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.azure.cn/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Audit, Deny, Disabled | 1.0.0 |
Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/cosmos-db/how-to-setup-rbac#disable-local-auth. | Modify, Disabled | 1.1.0 |
Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Modify, Disabled | 1.0.1 |
Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 2.0.0 |
Configure CosmosDB accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/cosmos-db/how-to-configure-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/cosmos-db/how-to-setup-rbac#disable-local-auth. | Audit, Deny, Disabled | 1.1.0 |
CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
Data Box
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Audit, Deny, Disabled | 1.0.0 |
Data Factory
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/data-factory/enable-customer-managed-key. | Audit, Deny, Disabled | 1.0.1 |
Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Audit, Deny, Disabled | 1.0.0-preview |
Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Audit, Deny, Disabled | 1.1.0 |
Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Audit, Deny, Disabled | 1.0.0-preview |
Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Audit, Deny, Disabled | 2.1.0 |
Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Data Factories to disable public network access | Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/data-factory/data-factory-private-link. | Modify, Disabled | 1.0.0 |
Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.azure.cn/data-factory/data-factory-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/data-factory/data-factory-private-link. | DeployIfNotExists, Disabled | 1.1.0 |
Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Audit, Deny, Disabled | 1.0.0 |
SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Audit, Deny, Disabled | 2.3.0 |
Desktop Virtualization
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Virtual Desktop hostpools should disable public network access | Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. | Audit, Deny, Disabled | 1.0.0 |
Azure Virtual Desktop hostpools should disable public network access only on session hosts | Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: [https: | Audit, Deny, Disabled | 1.0.0 |
Azure Virtual Desktop service should use private link | Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. | Audit, Disabled | 1.0.0 |
Azure Virtual Desktop workspaces should disable public network access | Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. | Audit, Deny, Disabled | 1.0.0 |
Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Virtual Desktop hostpools to disable public network access | Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. | Modify, Disabled | 1.0.0 |
Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access the AVD service while ensuring the session host is only accessible through private routes. | Modify, Disabled | 1.0.0 |
Configure Azure Virtual Desktop hostpools with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Virtual Desktop workspaces to disable public network access | Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. | Modify, Disabled | 1.0.0 |
Event Grid
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Event Grid domains should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Audit, Disabled | 1.0.2 |
Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure Event Grid topics should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Audit, Disabled | 1.0.2 |
Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Modify, Disabled | 1.0.0 |
Configure Azure Event Grid partner namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Modify, Disabled | 1.0.0 |
Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/event-grid/authenticate-with-active-directory#disable-key-and-shared-access-signature-authentication. | Modify, Disabled | 1.0.0 |
Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | deployIfNotExists, DeployIfNotExists, Disabled | 1.1.0 |
Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Modify - Configure Azure Event Grid domains to disable public network access | Disable public network access for your Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Modify, Disabled | 1.0.0 |
Modify - Configure Azure Event Grid topics to disable public network access | Disable public network access for your Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-grid/configure-private-endpoints. | Modify, Disabled | 1.0.0 |
Event Hub
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1 |
Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://docs.azure.cn/event-hubs/authenticate-shared-access-signature. | Audit, Deny, Disabled | 1.0.1 |
Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://docs.azure.cn/event-hubs/authenticate-shared-access-signature. | Modify, Disabled | 1.0.1 |
Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.azure.cn/event-hubs/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Event Hub namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/event-hubs/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Event Hub Namespaces should disable public network access | Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/event-hubs/private-link-service | Audit, Deny, Disabled | 1.0.0 |
Event Hub namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 1.0.0 |
Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Audit, Disabled | 1.0.0 |
Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.azure.cn/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
General
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 |
Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 |
Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, please duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 |
Audit resource location matches resource group location | Audit that the resource location matches its resource group location. | audit | 2.0.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
Do Not Allow M365 resources | Block creation of M365 resources. | Audit, Deny, Disabled | 1.0.0 |
Do Not Allow MCPP resources | Block creation of MCPP resources. | Audit, Deny, Disabled | 1.0.0 |
Exclude Usage Costs Resources | This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Audit, Deny, Disabled | 1.0.0 |
Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Audit, Deny, Disabled | 2.0.0 |
HDInsight
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure HDInsight clusters should be injected into a virtual network | Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. | Audit, Disabled, Deny | 1.0.0 |
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/hdinsight/disk-encryption. | Audit, Deny, Disabled | 1.0.1 |
Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Audit, Deny, Disabled | 1.0.0 |
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
Azure HDInsight should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/hdinsight/hdinsight-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://docs.azure.cn/hdinsight/hdinsight-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure HDInsight clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/hdinsight/hdinsight-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Internet of Things
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest | Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://docs.azure.cn//iot-hub/iot-hub-customer-managed-keys. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. | Audit, Deny, Disabled | 1.0.0-preview |
Configure IoT Hub device provisioning instances to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://docs.azure.cn/iot-dps/virtual-network-support. | DeployIfNotExists, Disabled | 1.0.0 |
Configure IoT Hub device provisioning service instances to disable public network access | Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/iot-dps/virtual-network-support. | Modify, Disabled | 1.0.0 |
Configure IoT Hub device provisioning service instances with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/iot-dps/virtual-network-support. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
Deploy - Configure Azure IoT Hubs with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
IoT Hub device provisioning service instances should disable public network access | Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://docs.azure.cn/iot-dps/virtual-network-support. | Audit, Deny, Disabled | 1.0.0 |
IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/iot-dps/virtual-network-support. | Audit, Disabled | 1.0.0 |
Modify - Configure Azure IoT Hubs to disable public network access | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Modify, Disabled | 1.0.0 |
Private endpoint should be enabled for IoT Hub | Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Audit, Disabled | 1.0.0 |
Public network access on Azure IoT Hub should be disabled | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. | Audit, Deny, Disabled | 1.0.0 |
Key Vault
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities | Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. | Audit, Deny, Disabled | 1.0.0-preview |
Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/key-vault/general/private-link-service. | Audit, Deny, Disabled | 1.1.0 |
Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default from any public IP. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.azure.cn/key-vault/general/network-security. | Audit, Deny, Disabled | 3.2.1 |
Azure Key Vault should use RBAC permission model | Enable the RBAC permission model across key vaults. Learn more at: https://docs.azure.cn/key-vault/general/rbac-migration. | Audit, Deny, Disabled | 1.0.1 |
Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/key-vault/general/private-link-service. | [parameters('audit_effect')] | 1.2.1 |
Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.0 |
Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying a custom or internal certificate authority that can issue certificates in your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.1 |
Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.0 |
Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.2.1 |
Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.1 |
Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.0 |
Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://docs.azure.cn/key-vault/general/azure-policy. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.0 |
Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.1.0 |
Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://docs.azure.cn/key-vault/general/private-link-service. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/key-vault/general/private-link-service. | DeployIfNotExists, Disabled | 1.0.1 |
Configure key vaults to enable firewall | Enable the key vault firewall so that the key vault is not accessible by default from any public IP. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.azure.cn/key-vault/general/network-security. | Modify, Disabled | 1.1.1 |
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace whenever a Key Vault that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.1 |
Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub whenever a Key Vault that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 3.0.1 |
Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Azure will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |
Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Audit, Deny, Disabled | 1.0.1 |
Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. | Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. | Audit, Disabled | 1.0.0 |
Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Audit, Deny, Disabled | 1.0.1 |
Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Audit, Deny, Disabled | 1.0.1 |
Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Audit, Deny, Disabled | 1.0.1 |
Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Audit, Deny, Disabled | 1.0.1 |
Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Audit, Deny, Disabled | 1.0.1 |
Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Audit, Deny, Disabled | 1.0.1 |
Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Audit, Deny, Disabled | 1.0.1 |
Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Audit, Deny, Disabled | 1.0.1 |
Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Audit, Deny, Disabled | 1.0.1 |
Kubernetes
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: [Image Integrity] Kubernetes clusters should only use images signed by notation | Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. | Audit, Disabled | 1.1.0-preview |
[Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Audit, Deny, Disabled | 1.3.0-preview |
[Preview]: Deploy Image Integrity on Azure Kubernetes Service | Deploys both the Image Integrity and Policy add-ons to Azure Kubernetes clusters. | DeployIfNotExists, Disabled | 1.0.5-preview |
[Preview]: Kubernetes cluster container images must include the preStop hook | Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. | Audit, Deny, Disabled | 1.1.0-preview |
[Preview]: Kubernetes cluster container images should not include latest image tag | Requires that container images do not use the latest tag in Kubernetes. Using explicit, versioned container images is a best practice that ensures reproducibility, prevents unintended updates, and makes debugging and rollbacks easier. | Audit, Deny, Disabled | 1.1.0-preview |
[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Kubernetes clusters should restrict creation of given resource type | The given Kubernetes resource type should not be deployed in the specified namespaces. | Audit, Deny, Disabled | 2.3.0-preview |
[Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Mutate K8s Container to drop all capabilities | Mutates securityContext.capabilities.drop to add "ALL". This drops all capabilities for Kubernetes Linux containers. | Mutate, Disabled | 1.1.0-preview |
[Preview]: Mutate K8s Init Container to drop all capabilities | Mutates securityContext.capabilities.drop to add "ALL". This drops all capabilities for Kubernetes Linux init containers. | Mutate, Disabled | 1.1.0-preview |
[Preview]: No AKS Specific Labels | Prevents customers from applying AKS-specific labels. AKS uses labels prefixed with kubernetes.azure.com to denote AKS-owned components. The customer should not use these labels. | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true. | Setting runAsNotRoot to true increases security by preventing containers from being run as root. | Mutate, Disabled | 1.0.0-preview |
[Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true. | Setting runAsNotRoot to true increases security by preventing init containers from being run as root. | Mutate, Disabled | 1.0.0-preview |
[Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Audit, Deny, Disabled | 1.2.0-preview |
[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Mutate, Disabled | 1.2.0-preview |
[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Sets container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Mutate, Disabled | 1.2.0-preview |
[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Sets container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Mutate, Disabled | 1.2.0-preview |
[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Mutate, Disabled | 1.1.0-preview |
[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Mutate, Disabled | 1.1.0-preview |
[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting your maximum unavailable pod value to 1 ensures that your application or service remains available during a disruption. | Mutate, Disabled | 1.2.0-preview |
[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. | Mutate, Disabled | 1.2.0-preview |
[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing to the root filesystem. | Mutate, Disabled | 1.2.0-preview |
Azure Kubernetes Clusters should disable SSH | Disabling SSH lets you harden your cluster and reduce its attack surface. To learn more, visit: https://docs.azure.cn/aks/manage-ssh-node-access?tabs=node-shell#disable-ssh-overview | Audit, Disabled | 1.0.0 |
Azure Kubernetes Clusters should enable Container Storage Interface(CSI) | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, see https://docs.azure.cn/aks/csi-storage-drivers | Audit, Disabled | 1.0.0 |
Azure Kubernetes Clusters should enable Key Management Service (KMS) | Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://docs.azure.cn/aks/use-kms-etcd-encryption. | Audit, Disabled | 1.0.0 |
Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://docs.azure.cn/aks/configure-azure-cni | Audit, Disabled | 1.0.1 |
Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke enhances security by preventing bypass of restricted network access or Kubernetes role-based access control. | Audit, Disabled | 1.0.1 |
Azure Kubernetes Service Clusters should enable cluster auto-upgrade | AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://docs.azure.cn/aks/auto-upgrade-cluster. | Audit, Disabled | 1.0.0 |
Azure Kubernetes Service Clusters should enable Image Cleaner | Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://docs.azure.cn/aks/image-cleaner. | Audit, Disabled | 1.0.0 |
Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration | AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://docs.azure.cn/aks/managed-azure-ad. | Audit, Disabled | 1.0.2 |
Azure Kubernetes Service Clusters should enable node os auto-upgrade | AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://docs.azure.cn/aks/auto-upgrade-node-image. | Audit, Disabled | 1.0.0 |
Azure Kubernetes Service Clusters should enable workload identity | Workload identity lets you assign a unique identity to each Kubernetes pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the pod. Learn more at: https://docs.azure.cn/aks/workload-identity-deploy-cluster. | Audit, Disabled | 1.0.0 |
Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.azure.cn/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Audit, Disabled | 2.0.1 |
Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service clusters exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/aks/managed-aad. | Audit, Deny, Disabled | 1.0.1 |
Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management, and avoid the complexity of managing service principals. Learn more at: https://docs.azure.cn/aks/use-managed-identity | Audit, Disabled | 1.0.1 |
Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.azure.cn/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | DeployIfNotExists, Disabled | 4.3.0 |
Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Improve cluster security by centrally governing administrator access to Microsoft Entra ID integrated AKS clusters. | DeployIfNotExists, Disabled | 2.1.0 |
Configure Node OS Auto upgrade on Azure Kubernetes Cluster | Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://docs.azure.cn/aks/auto-upgrade-node-image. | DeployIfNotExists, Disabled | 1.0.1 |
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 3.0.0 |
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | DeployIfNotExists, Disabled | 4.1.0 |
Deploy Image Cleaner on Azure Kubernetes Service | Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://docs.azure.cn/aks/image-cleaner | DeployIfNotExists, Disabled | 1.0.4 |
Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster | Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://docs.azure.cn/aks/planned-maintenance | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke enhances security by rejecting invoke-command access to the cluster. | DeployIfNotExists, Disabled | 1.2.0 |
Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have readiness and/or liveness probes configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | Audit, Deny, Disabled | 3.3.0 |
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes cluster containers should only use allowed pull policy | Restrict containers' image pull policy so that deployments use only allowed images. | Audit, Deny, Disabled | 3.2.0 |
Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.3.0 |
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. | Audit, Deny, Disabled | 2.3.0 |
Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned, it pages to disk, which can slow performance, instead of terminating the container with an out-of-memory error. | Audit, Deny, Disabled | 2.2.0 |
Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. | Audit, Deny, Disabled | 1.2.0 |
Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Audit, Deny, Disabled | 2.2.0 |
Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more information, visit https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 4.2.0 |
Kubernetes clusters should ensure that the cluster-admin role is only used where required | The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. | Audit, Disabled | 1.1.0 |
Kubernetes clusters should minimize wildcard use in role and cluster role | Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. | Audit, Disabled | 1.1.0 |
Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740 (Endpoint and EndpointSlice permissions allow cross-namespace forwarding; see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | Audit, Disabled | 3.2.0 |
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 4.2.0 |
Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses are deprecated since AKS version 1.21. To learn more, see https://docs.azure.cn/aks/csi-storage-drivers. | Audit, Deny, Disabled | 2.3.0 |
Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://docs.azure.cn/governance/policy/concepts/policy-for-kubernetes. | Audit, Deny, Disabled | 3.2.0 |
Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs will exist when needed. | AuditIfNotExists, Disabled | 1.0.0 |
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
Logic Apps
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |
Machine Learning
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Machine Learning Compute Instance should have idle shutdown. | Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. | Audit, Deny, Disabled | 1.0.0 |
Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://docs.azure.cn/machine-learning/concept-vulnerability-management?view=azureml-api-2#compute-instance. | [parameters('effects')] | 1.0.3 |
Azure Machine Learning Computes should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Disabled | 1.0.1 |
Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://docs.azure.cn/machine-learning/security-controls-policy?view=azureml-api-2. | Audit, Deny, Disabled | 2.1.0 |
Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.azure.cn/machine-learning/how-to-create-workspace-template#deploy-an-encrypted-workspace. | Audit, Deny, Disabled | 1.1.0 |
Azure Machine Learning Workspaces should disable public network access | Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://docs.azure.cn/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Audit, Deny, Disabled | 2.0.1 |
Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
Azure Machine Learning workspaces should use user-assigned managed identity | Manage access to the Azure ML workspace and its associated resources (Azure Container Registry, Key Vault, Storage, and App Insights) using a user-assigned managed identity. By default, a system-assigned managed identity is used by the Azure ML workspace to access the associated resources. A user-assigned managed identity allows you to create the identity as an Azure resource and maintain the lifecycle of that identity. Learn more at https://docs.azure.cn/machine-learning/how-to-use-managed-identities?tabs=python. | Audit, Deny, Disabled | 1.0.0 |
Configure Azure Machine Learning Computes to disable local authentication methods | Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://docs.azure.cn/machine-learning/security-controls-policy. | Modify, Disabled | 2.1.0 |
Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.azure.cn/machine-learning/how-to-network-security-overview. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure Machine Learning Workspaces to disable public network access | Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://docs.azure.cn/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. | Modify, Disabled | 1.0.3 |
Configure Azure Machine Learning workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/machine-learning/how-to-configure-private-link. | DeployIfNotExists, Disabled | 1.0.0 |
Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.1 |
Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
Managed Application
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Media Services
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Media Services accounts should disable public network access | Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: Azure private endpoints with Azure Media Services. | Audit, Deny, Disabled | 1.0.0 |
Azure Media Services accounts should use an API that supports Private Link | Media Services accounts should be created with an API that supports private link. | Audit, Deny, Disabled | 1.0.0 |
Azure Media Services accounts that allow access to the legacy v2 API should be blocked | The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. | Audit, Deny, Disabled | 1.0.0 |
Azure Media Services content key policies should use token authentication | Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. | Audit, Deny, Disabled | 1.0.1 |
Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. | Deny, Disabled | 1.0.1 |
Azure Media Services should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. | Audit, Deny, Disabled | 1.0.0 |
Azure Media Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: Azure private endpoints with Azure Media Services. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: Azure private endpoints with Azure Media Services. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: Azure private endpoints with Azure Media Services. | DeployIfNotExists, Disabled | 1.0.0 |
Migrate
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0 |
Monitoring
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Application Insights components should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Deny, Audit, Disabled | 1.0.0 |
Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. | To support private link and customer-managed key policies, create your own storage account for profiler and debugger. | Deny, Audit, Disabled | 1.0.0 |
Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys | Ensure that Azure Log Search Alerts implement customer-managed keys by storing the query text in the storage account that the customer provided for the queried Log Analytics workspace. For more information, visit https://docs.azure.cn/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Audit, Disabled, Deny | 1.0.0 |
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for the categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported in the region; see /azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor Logs clusters with customer-managed key encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. A customer-managed key in Azure Monitor gives you more control over access to your data; see /azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that is enabled with a customer-managed key ensures that your Application Insights logs meet this compliance requirement; see /azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). | Audit, Deny, Disabled | 1.0.0 |
Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to an Azure Monitor Private Link Scope, you can reduce data leakage risks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
Azure subscriptions should have a log profile for Activity Log | This policy checks whether a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Application Insights components to disable public network access for log ingestion and querying | Disable log ingestion and querying from public networks for Application Insights components to improve security. Only private-link connected networks will be able to ingest and query logs on this component. | Modify, Disabled | 1.1.0 |
Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. | Modify, Disabled | 1.1.0 |
Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). | Modify, Disabled | 1.0.0 |
Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Monitor Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 6.5.1 |
Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.4.1 |
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 3.8.0 |
Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.4.1 |
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 3.8.0 |
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.5.1 |
Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.1 |
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 1.5.0 |
Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.1 |
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 1.5.0 |
Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 5.1.0 |
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 5.1.0 |
Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 1.3.0 |
Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 1.3.0 |
Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.1.0 |
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.1.0 |
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 3.0.0 |
Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.1.0 |
Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics resource that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | deployIfNotExists | 3.0.0 |
Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | deployIfNotExists | 3.0.0 |
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Log Analytics Workspaces should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Deny, Audit, Disabled | 1.0.0 |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see /azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits whether the Storage account containing the container with activity logs is encrypted with BYOK. By design, the policy works only if the storage account is in the same subscription as the activity logs. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on Linux virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Virtual machines should be connected to a specified workspace | Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | AuditIfNotExists, Disabled | 1.1.0 |
Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Network
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths - https://docs.azure.cn/vpn-gateway/vpn-gateway-about-compliance-crypto#what-are-the-algorithms-and-key-strengths-supported-in-the-custom-policy | Audit, Disabled | 1.0.0 |
All flow log resources should be in enabled state | Audit flow log resources to verify that flow log status is enabled. Enabling flow logs allows you to log information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. | AuditIfNotExists, Disabled | 2.0.1 |
Audit flow logs configuration for every virtual network | Audit virtual networks to verify that flow logs are configured. Enabling flow logs allows you to log information about IP traffic flowing through a virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Azure Application Gateway should be deployed with Azure WAF | Requires Azure Application Gateway resources to be deployed with Azure WAF. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance. | Audit, Disabled | 1.0.0 |
Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy makes the Azure Firewall associated with this policy listen on port 53 and forward DNS requests to the specified DNS server. | Audit, Disabled | 1.0.0 |
Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Audit, Deny, Disabled | 1.0.0 |
Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to the Premium SKU. | Audit, Deny, Disabled | 1.0.0 |
Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use 'basic' SKU. | Audit, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Bot Protection should be enabled for Azure Application Gateway WAF | This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies | Audit, Deny, Disabled | 1.0.0 |
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics | If a network security group already has traffic analytics enabled, the policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.2.0 |
Configure virtual network to enable Flow Log and Traffic Analytics | Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite the current settings of virtual networks that already have these features enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.1 |
Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, this policy overwrites its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | DeployIfNotExists, Disabled | 1.1.2 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group. It allows you to log information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | deployIfNotExists | 1.1.0 |
Deploy a Flow Log resource with target virtual network | Configures a flow log for a specific virtual network. It allows you to log information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | DeployIfNotExists, Disabled | 1.1.1 |
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure that a resource group named networkWatcherRG exists; it will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Flow logs should be configured for every network security group | Audit network security groups to verify that flow logs are configured. Enabling flow logs allows you to log information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.1.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Audit, Deny, Disabled | 1.0.0 |
Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's source and destination check for the network interface. This should be reviewed by the network security team. | deny | 1.0.0 |
Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 |
Network Watcher flow logs should have traffic analytics enabled | Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. | Audit, Disabled | 1.0.1 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems with an end-to-end network level view. A network watcher resource group is required in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Public IPs and Public IP prefixes should have FirstPartyUsage tag | Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. | Audit, Deny, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be private | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://docs.azure.cn/virtual-network/ip-services/default-outbound-access | Audit, Deny, Disabled | 1.0.0 |
Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |
VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.azure.cn/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
Portal
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Shared dashboards should not have markdown tiles with inline content | Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API. | Audit, Deny, Disabled | 1.0.0 |
PostgreSQL
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
Auditing with PgAudit should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment that are not enabled to use pgaudit. | AuditIfNotExists, Disabled | 1.0.0 |
Connection throttling should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 |
Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace | Deploys diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible server that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
Disconnections should be logged for PostgreSQL flexible servers. | This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Enforce SSL connection should be enabled for PostgreSQL flexible servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server. | AuditIfNotExists, Disabled | 1.0.0 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers | Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.0 |
Log checkpoints should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Log connections should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
PostgreSQL flexible servers should be running TLS version 1.2 or newer | This policy helps audit any PostgreSQL flexible servers in your environment that are running with a TLS version lower than 1.2. | AuditIfNotExists, Disabled | 1.0.0 |
PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Audit, Deny, Disabled | 1.1.0 |
Private endpoint should be enabled for PostgreSQL flexible servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.0 |
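The PostgreSQL table above lists a set of server-parameter checks (pgaudit, connection throttling, connection and disconnection logging, enforced SSL, checkpoint logging, TLS 1.2 or newer). The following script is an added example and is not part of the Azure Policy built-ins or of the Azure CLI: it evaluates a flexible server's parameter set, as `az postgres flexible-server parameter list` would return it, against those checks. The parameter names are the standard PostgreSQL and Azure flexible-server names (`log_connections`, `log_disconnections`, `log_checkpoints`, `connection_throttle.enable`, `shared_preload_libraries`, `require_secure_transport`, `ssl_min_protocol_version`); the assumption that the built-ins inspect exactly these parameters is ours, and the two sample parameter sets are constructed.

```python
"""Added example (not Azure Policy or Azure CLI code): evaluate PostgreSQL
flexible-server parameters against the checks described in the PostgreSQL
built-in policy table. Parameter names are the standard ones; which
parameters the real built-ins read is an assumption of this example."""
from typing import Dict, List

_TRUE_VALUES = {"on", "true", "1", "yes"}


def _is_on(value: str) -> bool:
    """PostgreSQL boolean parameters are reported as on/off; accept common spellings."""
    return str(value).strip().lower() in _TRUE_VALUES


def _tls_version(value: str) -> float:
    """'TLSv1.2' -> 1.2. Unparseable or empty values count as 0.0 (non-compliant)."""
    v = str(value).strip().upper()
    if not v.startswith("TLSV"):
        return 0.0
    try:
        return float(v[4:])
    except ValueError:
        return 0.0


def evaluate_flexible_server(params: Dict[str, str]) -> List[str]:
    """Return the display names of the built-in policies this server would fail."""
    get = lambda name: params.get(name, "")
    findings: List[str] = []

    # pgaudit must be loaded; shared_preload_libraries is a comma-separated list.
    libs = {x.strip().lower() for x in get("shared_preload_libraries").split(",") if x.strip()}
    if "pgaudit" not in libs:
        findings.append("Auditing with PgAudit should be enabled for PostgreSQL flexible servers")
    if not _is_on(get("connection_throttle.enable")):
        findings.append("Connection throttling should be enabled for PostgreSQL flexible servers")
    if not _is_on(get("log_disconnections")):
        findings.append("Disconnections should be logged for PostgreSQL flexible servers.")
    if not _is_on(get("require_secure_transport")):
        findings.append("Enforce SSL connection should be enabled for PostgreSQL flexible servers")
    if not _is_on(get("log_checkpoints")):
        findings.append("Log checkpoints should be enabled for PostgreSQL flexible servers")
    if not _is_on(get("log_connections")):
        findings.append("Log connections should be enabled for PostgreSQL flexible servers")
    if _tls_version(get("ssl_min_protocol_version")) < 1.2:
        findings.append("PostgreSQL flexible servers should be running TLS version 1.2 or newer")
    return findings


# Constructed sample parameter sets (not real server output).
WEAK_SERVER = {
    "log_connections": "off",
    "log_disconnections": "on",
    "log_checkpoints": "on",
    "connection_throttle.enable": "off",
    "shared_preload_libraries": "pg_stat_statements",
    "require_secure_transport": "on",
    "ssl_min_protocol_version": "TLSv1",
}

HARDENED_SERVER = {
    "log_connections": "on",
    "log_disconnections": "on",
    "log_checkpoints": "on",
    "connection_throttle.enable": "on",
    "shared_preload_libraries": "pgaudit,pg_stat_statements",
    "require_secure_transport": "on",
    "ssl_min_protocol_version": "TLSv1.2",
}

if __name__ == "__main__":
    for label, server in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, "fails:", evaluate_flexible_server(server) or "nothing")
```

Feed the script the parameter values from a real server by dumping `az postgres flexible-server parameter list` to JSON and mapping each entry's `name` to its `value`; the built-ins themselves run this kind of check service-side on a compliance schedule, so the script is useful for a pre-deployment gate rather than as a replacement for the policy assignment.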
Resilience
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: API Management Service should be Zone Redundant | API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in its zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.1-preview |
[Preview]: App Service Plans should be Zone Redundant | App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Application Gateways should be Zone Resilient | Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure AI Search Service should be Zone Redundant | Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Cache for Redis should be Zone Redundant | Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Data Explorer Clusters should be Zone Redundant | Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure that your Azure Data Explorer Clusters are Zone Redundant. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient | Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient | Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure HDInsight should be Zone Aligned | Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant | Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that availability zones are set for all the node pools. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Backup and Site Recovery should be Zone Redundant | Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if its 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Backup Vaults should be Zone Redundant | Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant, and considered resilient, if their storage settings type is set to 'ZoneRedundant'. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Container App should be Zone Redundant | Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Container Instances should be Zone Aligned | Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Container Registry should be Zone Redundant | Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Cosmos Database Accounts should be Zone Redundant | Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Event Hubs should be Zone Redundant | Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Firewalls should be Zone Resilient | Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in its zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in its zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Load Balancers should be Zone Resilient | Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Managed Disks should be Zone Resilient | Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: NAT gateway should be Zone Aligned | NAT gateway can be configured to be Zone Aligned or not. A NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that a NAT gateway is configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Public IP addresses should be Zone Resilient | Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.1.0-preview |
[Preview]: Public IP Prefixes should be Zone Resilient | Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Service Bus should be Zone Redundant | Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Service Fabric Clusters should be Zone Redundant | Service Fabric Clusters can be configured to be Zone Redundant or not. Service Fabric Clusters whose nodeType does not have multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Service Fabric Clusters lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: SQL Databases should be Zone Redundant | SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: SQL Elastic database pools should be Zone Redundant | SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if their 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that SQL Elastic database pools are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: SQL Managed Instances should be Zone Redundant | SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Storage Accounts should be Zone Redundant | Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage', it is not Zone Redundant. This policy ensures that your Storage Accounts use a Zone Redundant configuration. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Virtual Machine Scale Sets should be Zone Resilient | Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Virtual Machines should be Zone Aligned | Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Virtual network gateways should be Zone Redundant | Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. | Audit, Deny, Disabled | 1.0.0-preview |
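The Resilience descriptions above state their classification rules in terms of concrete resource properties: the length of the `zones` array (one entry means Zone Aligned, three or more means Zone Redundant for firewalls, application gateways, public IPs and prefixes; two or more for Redis and Data Explorer), the SKU name and kind for storage accounts, `sku.capacity` for scale sets, and the per-location `isZoneRedundant` flags for Cosmos DB. The script below is an added example, not the policy definitions themselves (those live in the Azure Policy GitHub repo and may evaluate additional conditions): it applies those stated rules to resources in ARM JSON shape, so you can pre-check an export of your resources before assigning the Deny effect. The sample resources are constructed, and the assumption that a public IP's `sku.tier` is how "regional" is determined is ours.

```python
"""Added example (not the Azure Policy built-in definitions): the zone-resilience
classification rules described in the Resilience table, applied to ARM-shaped
resource dicts. Sample resources are constructed; the real built-ins may check
more conditions than these descriptions state."""
from typing import Any, Dict, Iterable, List, Set

ZONE_ALIGNED, ZONE_REDUNDANT, NOT_RESILIENT = "ZoneAligned", "ZoneRedundant", "None"


def _by_zone_count(zones: List[str], redundant_at: int = 3) -> str:
    """Generic rule: exactly one zone entry is Aligned; redundant_at or more is Redundant."""
    if len(zones) == 1:
        return ZONE_ALIGNED
    if len(zones) >= redundant_at:
        return ZONE_REDUNDANT
    return NOT_RESILIENT


def classify(resource: Dict[str, Any]) -> str:
    rtype = str(resource.get("type", "")).lower()
    sku = resource.get("sku") or {}
    props = resource.get("properties") or {}
    zones = resource.get("zones") or []

    if rtype == "microsoft.storage/storageaccounts":
        # Not Zone Redundant if the SKU name does not end with 'ZRS' or kind is 'Storage'.
        ok = str(sku.get("name", "")).endswith("ZRS") and resource.get("kind") != "Storage"
        return ZONE_REDUNDANT if ok else NOT_RESILIENT

    if rtype == "microsoft.compute/virtualmachinescalesets":
        # Redundant needs 3+ zones AND capacity >= 3; one zone is Aligned; else neither.
        if len(zones) >= 3 and int(sku.get("capacity", 0)) >= 3:
            return ZONE_REDUNDANT
        return ZONE_ALIGNED if len(zones) == 1 else NOT_RESILIENT

    if rtype == "microsoft.network/publicipaddresses":
        # Only regional public IPs are classified (assumption: sku.tier carries that).
        if str(sku.get("tier", "Regional")) != "Regional":
            return NOT_RESILIENT
        return _by_zone_count(zones)

    if rtype == "microsoft.apimanagement/service":
        ok = sku.get("name") == "Premium" and len(zones) >= 2
        return ZONE_REDUNDANT if ok else NOT_RESILIENT

    if rtype == "microsoft.documentdb/databaseaccounts":
        locs = props.get("locations") or []
        if props.get("enableMultipleWriteLocations") is True:
            ok = bool(locs) and all(loc.get("isZoneRedundant") is True for loc in locs)
        else:
            primary = [loc for loc in locs if loc.get("failoverPriority") == 0]
            ok = bool(primary) and primary[0].get("isZoneRedundant") is True
        return ZONE_REDUNDANT if ok else NOT_RESILIENT

    if rtype in ("microsoft.cache/redis", "microsoft.kusto/clusters"):
        # Redis and Data Explorer: Zone Redundant at two or more zone entries.
        return ZONE_REDUNDANT if len(zones) >= 2 else NOT_RESILIENT

    # Firewalls, Application Gateways, Public IP Prefixes and similar: generic rule.
    return _by_zone_count(zones)


def noncompliant(resources: Iterable[Dict[str, Any]], allowed: Set[str]) -> List[str]:
    """Names of resources whose classification is outside `allowed` (what Deny would block)."""
    return [r["name"] for r in resources if classify(r) not in allowed]


# Constructed sample resources (not exported from a real subscription).
SAMPLES = [
    {"name": "fw-hub", "type": "Microsoft.Network/azureFirewalls", "zones": ["1", "2", "3"]},
    {"name": "pip-global", "type": "Microsoft.Network/publicIPAddresses",
     "sku": {"name": "Standard", "tier": "Global"}, "zones": ["1", "2", "3"]},
    {"name": "stzrs", "type": "Microsoft.Storage/storageAccounts", "kind": "StorageV2",
     "sku": {"name": "Standard_ZRS"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "kind": "Storage",
     "sku": {"name": "Standard_ZRS"}},
    {"name": "vmss-small", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "sku": {"name": "Standard_D2s_v3", "capacity": 2}, "zones": ["1", "2", "3"]},
    {"name": "cosmos-mw", "type": "Microsoft.DocumentDB/databaseAccounts",
     "properties": {"enableMultipleWriteLocations": True, "locations": [
         {"failoverPriority": 0, "isZoneRedundant": True},
         {"failoverPriority": 1, "isZoneRedundant": False}]}},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r['name']:12} {classify(r)}")
    print("would be denied by a Zone Redundant requirement:",
          noncompliant(SAMPLES, {ZONE_REDUNDANT}))
```

Note the VMSS case: three zones with a capacity of two classifies as neither, because the policy requires at least one instance per zone before it counts the set as redundant; the Cosmos DB multi-write case fails because every write location, not just the primary, must be zone redundant.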
Search
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | Audit, Deny, Disabled | 1.0.0 |
Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | Audit, Deny, Disabled | 1.0.0 |
Azure Cognitive Search services should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/search/search-security-rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. | Audit, Deny, Disabled | 1.0.0 |
Azure Cognitive Search services should use customer-managed keys to encrypt data at rest | Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. | Audit, Deny, Disabled | 1.0.0 |
Configure Azure Cognitive Search services to disable local authentication | Disable local authentication methods so that your Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.azure.cn/search/search-security-rbac. | Modify, Disabled | 1.0.0 |
Configure Azure Cognitive Search services to disable public network access | Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | Modify, Disabled | 1.0.0 |
Configure Azure Cognitive Search services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Cognitive Search services with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/search/service-create-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Security Center
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 6.1.0-preview |
[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | DeployIfNotExists, Disabled | 5.0.0-preview |
[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 7.1.0-preview |
[Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 4.1.0-preview |
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | DeployIfNotExists, Disabled | 3.0.0-preview |
[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 5.1.0-preview |
[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | AuditIfNotExists, Disabled | 6.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install the Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | AuditIfNotExists, Disabled | 5.1.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | AuditIfNotExists, Disabled | 4.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install the Guest Attestation extension on supported Windows virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | AuditIfNotExists, Disabled | 3.1.0-preview |
[Preview]: Linux virtual machines should use Secure Boot | To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Audit, Disabled | 4.0.0-preview |
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 1.3.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | DeployIfNotExists, Disabled | 1.2.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.5.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | DeployIfNotExists, Disabled | 1.7.0 |
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | 1.3.0 |
Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://docs.azure.cn/azure-monitor/agents/agents-overview. | DeployIfNotExists, Disabled | 1.5.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | DeployIfNotExists, Disabled | 1.5.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.7.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | DeployIfNotExists, Disabled | 1.8.0 |
Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.4.0 |
Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.7.0 |
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data | Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.2.0 |
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.1.0 |
Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | deployIfNotExists | 1.0.1 |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.azure.cn/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.azure.cn/security-center/security-center-endpoint-protection. | AuditIfNotExists, Disabled | 1.0.0 |
Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | AuditIfNotExists, Disabled | 1.0.0 |
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://docs.azure.cn/governance/policy/concepts/guest-configuration. | AuditIfNotExists, Disabled | 1.0.3 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://docs.azure.cn/virtual-network/network-security-groups-overview | AuditIfNotExists, Disabled | 3.0.0 |
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 2.0.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://docs.azure.cn/virtual-network/network-security-groups-overview | AuditIfNotExists, Disabled | 3.0.0 |
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center | Audit, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan | To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. | AuditIfNotExists, Disabled | 1.0.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
System updates should be installed on your machines (powered by Update Center) | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | AuditIfNotExists, Disabled | 1.0.1 |
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://docs.azure.cn/governance/policy/concepts/guest-configuration | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerabilities in security configuration on your machines should be remediated | Servers that do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Service Bus
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity | Audit, Deny, Disabled | 1.0.1 |
Azure Service Bus namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://docs.azure.cn/service-bus-messaging/service-bus-sas. | Audit, Deny, Disabled | 1.0.1 |
Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.azure.cn/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Service Bus namespaces to disable local authentication | Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://docs.azure.cn/service-bus-messaging/service-bus-sas. | Modify, Disabled | 1.0.1 |
Configure Service Bus namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.azure.cn/service-bus-messaging/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Service Bus namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.azure.cn/service-bus-messaging/private-link-service. | DeployIfNotExists, Disabled | 1.0.0 |
Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes, such as when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.azure.cn/service-bus-messaging/private-link-service | Audit, Deny, Disabled | 1.1.0 |
Service Bus namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 1.0.0 |
Service Bus Premium namespaces should use a customer-managed key for encryption | Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. | Audit, Disabled | 1.0.0 |
Service Fabric
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
SignalR
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://docs.azure.cn/azure-signalr/howto-network-access-control. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.1.0 |
Azure SignalR Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes, such as when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 1.0.0 |
Azure SignalR Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure SignalR Service should use a Private Link enabled SKU | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination, which protects your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://docs.azure.cn/azure-signalr/howto-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://docs.azure.cn/azure-signalr/howto-private-endpoints. | Audit, Disabled | 1.0.0 |
Configure Azure SignalR Service to disable local authentication | Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. | Modify, Disabled | 1.0.0 |
Configure private endpoints to Azure SignalR Service | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://docs.azure.cn/azure-signalr/howto-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://docs.azure.cn/azure-signalr/howto-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0 |
Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://docs.azure.cn/azure-signalr/howto-network-access-control. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Modify, Disabled | 1.1.0 |
Site Recovery
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://docs.azure.cn/private-link/private-endpoint-dns. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure private endpoints on Azure Recovery Services vaults | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.azure.cn/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Recovery Services vaults should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://docs.azure.cn/site-recovery/hybrid-how-to-enable-replication-private-endpoints and https://docs.azure.cn/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints. | Audit, Disabled | 1.0.0-preview |
SQL
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. | Audit, Disabled | 1.0.0-preview |
A Microsoft Entra administrator should be provisioned for MySQL servers | Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.1.1 |
A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.1 |
An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. | AuditIfNotExists, Disabled | 1.0.1 |
Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled, Deny | 2.0.0 |
Azure SQL Database should have Microsoft Entra-only authentication enabled | Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. | Audit, Deny, Disabled | 1.0.0 |
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. | Audit, Deny, Disabled | 1.2.0 |
Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled | Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. | Audit, Deny, Disabled | 1.0.0 |
Azure SQL Managed Instances should disable public network access | Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://docs.azure.cn/azure-sql/managed-instance/public-endpoint-configure. | Audit, Deny, Disabled | 1.0.0 |
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. | Audit, Deny, Disabled | 1.2.0 |
Configure Azure Defender to be enabled on SQL managed instances | Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists, Disabled | 2.0.0 |
Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists | 2.1.0 |
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace | Enables auditing logs for Azure SQL Database server and streams the logs to a Log Analytics workspace when any SQL server that is missing this auditing is created or updated. | DeployIfNotExists, Disabled | 1.0.2 |
Configure Azure SQL Server to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. | Modify, Disabled | 1.0.0 |
Configure Azure SQL Server to enable private endpoint connections | A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | DeployIfNotExists, Disabled | 1.0.0 |
Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | DeployIfNotExists, Disabled | 3.0.0 |
Configure SQL servers to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 |
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 4.0.0 |
Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | DeployIfNotExists | 1.3.0 |
Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub when any Azure SQL Database that is missing these diagnostic settings is created or updated. | DeployIfNotExists | 1.2.0 |
Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | DeployIfNotExists, Disabled | 2.2.0 |
Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for MariaDB is using a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for MySQL is using a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for PostgreSQL is using a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.1.0 |
Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. | Audit, Deny, Disabled | 3.1.0 |
Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0 |
SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created when using T-SQL. | Deny, Disabled | 2.0.0 |
SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Disabled | 1.0.1 |
SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created when using T-SQL. | Deny, Disabled | 2.0.0 |
SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. | AuditIfNotExists, Disabled | 2.0.0 |
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | AuditIfNotExists | 1.0.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Storage
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for file groupID | Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure File Sync with private endpoints | A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints does not by itself disable the public endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure diagnostic settings for Blob Services to Log Analytics workspace | Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any Blob Service that is missing these diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 4.0.0 |
Configure diagnostic settings for File Services to Log Analytics workspace | Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any File Service that is missing these diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 4.0.0 |
Configure diagnostic settings for Queue Services to Log Analytics workspace | Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service that is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires the creation of a remediation task to update the account. | DeployIfNotExists, AuditIfNotExists, Disabled | 4.0.1 |
Configure diagnostic settings for Storage Accounts to Log Analytics workspace | Deploys the diagnostic settings for Storage Accounts to stream resource logs to a Log Analytics workspace when any storage account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, AuditIfNotExists, Disabled | 4.0.0 |
Configure diagnostic settings for Table Services to Log Analytics workspace | Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service that is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires the creation of a remediation task to update the account. | DeployIfNotExists, AuditIfNotExists, Disabled | 4.0.1 |
Configure secure transfer of data on a storage account | Secure transfer is an option that forces a storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Modify, Disabled | 1.0.0 |
Configure Storage account to use a private link connection | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | DeployIfNotExists, Disabled | 1.0.0 |
Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Modify, Disabled | 1.0.1 |
Configure your Storage account public access to be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Azure recommends preventing public access to a storage account unless your scenario requires it. | Modify, Disabled | 1.0.0 |
Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. | Audit, Deny, Disabled | 1.0.0 |
Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
Modify - Configure Azure File Sync to disable public network access | Azure File Sync's internet-accessible public endpoint is disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). | Modify, Disabled | 1.0.0 |
Modify - Configure your Storage account to enable blob versioning | You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note that existing storage accounts will not be modified to enable Blob storage versioning; only newly created storage accounts will have Blob storage versioning enabled. | Modify, Disabled | 1.0.0 |
Public network access should be disabled for Azure File Sync | Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. | Audit, Deny, Disabled | 1.0.0 |
Queue Storage should use customer-managed key for encryption | Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Deny, Disabled | 1.0.0 |
Secure transfer to storage accounts should be enabled | Audit the requirement of secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 2.0.0 |
Storage account encryption scopes should use double encryption for data at rest | Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
Storage account keys should not be expired | Ensure that storage account keys have not expired when a key expiration policy is set; this improves the security of account keys by prompting action when the keys expire. | Audit, Deny, Disabled | 3.0.0 |
Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 |
Storage accounts should be limited by allowed SKUs | Restrict the set of storage account SKUs that your organization can deploy. | Audit, Deny, Disabled | 1.1.0 |
Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.0.1 |
Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
Storage accounts should have shared access signature (SAS) policies configured | Ensure storage accounts have a shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in an Azure Storage account, and a SAS expiration policy recommends an upper expiration limit when a user creates a SAS token. | Audit, Deny, Disabled | 1.0.0 |
Storage accounts should have the specified minimum TLS version | Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. | Audit, Deny, Disabled | 1.0.0 |
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://docs.azure.cn/private-link/private-link-overview | AuditIfNotExists, Disabled | 2.0.0 |
Table Storage should use customer-managed key for encryption | Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Deny, Disabled | 1.0.0 |
Stream Analytics
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
Stream Analytics job should connect to trusted inputs and outputs | Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allowlist. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. | Deny, Disabled, Audit | 1.1.0 |
Stream Analytics job should use managed identity to authenticate endpoints | Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication. | Deny, Disabled, Audit | 1.0.0 |
Synapse
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Auditing on Synapse workspace should be enabled | Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Audit, Deny, Disabled | 1.1.0 |
Azure Synapse workspaces should allow outbound data traffic only to approved targets | Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevent data exfiltration by validating the target before sending data. | Audit, Disabled, Deny | 1.0.0 |
Azure Synapse workspaces should disable public network access | Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.azure.cn/synapse-analytics/security/connectivity-settings. | Audit, Deny, Disabled | 1.0.0 |
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Audit, Deny, Disabled | 1.0.0 |
Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.azure.cn/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
Configure Azure Synapse Workspace Dedicated SQL minimum TLS version | Customers can raise or lower the minimum TLS version using the API, for both new and existing Synapse workspaces. Users who need to use a lower client version in the workspaces can still connect, while users who have security requirements can raise the minimum TLS version. Learn more at: https://docs.azure.cn/synapse-analytics/security/connectivity-settings. | Modify, Disabled | 1.1.0 |
Configure Azure Synapse workspaces to disable public network access | Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.azure.cn/synapse-analytics/security/connectivity-settings. | Modify, Disabled | 1.0.0 |
Configure Azure Synapse workspaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. | DeployIfNotExists, Disabled | 2.0.0 |
Configure Azure Synapse workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.azure.cn/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | DeployIfNotExists, Disabled | 2.0.0 |
Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication | Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. | Modify, Disabled | 1.0.0 |
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation | Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. | Modify, Disabled | 1.2.0 |
IP firewall rules on Azure Synapse workspaces should be removed | Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. | Audit, Disabled | 1.0.0 |
Managed workspace virtual network on Azure Synapse workspaces should be enabled | Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provide user-level isolation for Spark activities. | Audit, Deny, Disabled | 1.0.0 |
Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. | Audit, Disabled, Deny | 1.0.0 |
Synapse workspace auditing settings should have action groups configured to capture critical activities | To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 1.0.0 |
Synapse Workspaces should have Microsoft Entra-only authentication enabled | Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. | Audit, Deny, Disabled | 1.0.0 |
Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation | Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. | Audit, Deny, Disabled | 1.2.0 |
Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your Synapse workspace's SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 2.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Tags
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | modify | 1.0.0 |
Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://docs.azure.cn/governance/policy/how-to/remediate-resources for more information on policy remediation. | modify | 1.0.0 |
Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0 |
Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | modify | 1.0.0 |
Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://docs.azure.cn/zh-cn/governance/policy/how-to/remediate-resources for more information on policy remediation. | modify | 1.0.0 |
Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.0 |
Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.0 |
Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://docs.azure.cn/governance/policy/concepts/effects#modify). | append | 1.0.1 |
Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 |
Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 |
Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1 |
Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 |
Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | deny | 1.0.1 |
Trusted Launch
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Disks and OS image should support TrustedLaunch | TrustedLaunch improves the security of a virtual machine; it requires the OS disk and OS image to support it (Gen 2). To learn more about TrustedLaunch, visit https://docs.azure.cn/virtual-machines/trusted-launch | Audit, Disabled | 1.0.0 |
Virtual Machine should have TrustedLaunch enabled | Enable TrustedLaunch on the virtual machine for enhanced security; use a VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://docs.azure.cn/virtual-machines/trusted-launch | Audit, Disabled | 1.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.