Azure Policy for Media Services



Warning

Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.

Azure Media Services provides built-in Azure Policy definitions to help enforce organizational standards and assess compliance at scale. Common use cases for Azure Policy include governance for resource consistency, regulatory compliance, security, cost and management.

Media Services ships several built-in definitions that cover common use cases, so you can start enforcing controls without writing a custom policy first.

Built-in Azure Policy definitions for Media Services

Several built-in policy definitions are available for use with Media Services. They help you get started, and they serve as a starting point for your own custom policies. Each entry below lists the policy name (as shown in the Azure portal), its description, the effects it supports, and the definition version (as published on GitHub).

Azure Media Services accounts should disable public network access
  Description: Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs.
  Effect(s): Audit, Deny, Disabled
  Version: 1.0.0

Azure Media Services accounts should use an API that supports Private Link
  Description: Media Services accounts should be created with an API that supports private link.
  Effect(s): Audit, Deny, Disabled
  Version: 1.0.0

Azure Media Services accounts that allow access to the legacy v2 API should be blocked
  Description: The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API.
  Effect(s): Audit, Deny, Disabled
  Version: 1.0.0

Azure Media Services content key policies should use token authentication
  Description: Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory.
  Effect(s): Audit, Deny, Disabled
  Version: 1.0.0

Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns
  Description: Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property.
  Effect(s): Deny, Disabled
  Version: 1.0.1

Azure Media Services should use customer-managed keys to encrypt data at rest
  Description: Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs.
  Effect(s): Audit, Deny, Disabled
  Version: 1.0.0

Azure Media Services should use private link
  Description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs.
  Effect(s): AuditIfNotExists, Disabled
  Version: 1.0.0

Configure Azure Media Services to use private DNS zones
  Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs.
  Effect(s): DeployIfNotExists, Disabled
  Version: 1.0.0

Configure Azure Media Services with private endpoints
  Description: Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs.
  Effect(s): DeployIfNotExists, Disabled
  Version: 1.0.0

The list of built-in policy definitions for Media Services always carries the latest definitions, links to the source of each definition on GitHub, and explains how to find them in the portal.

Common scenarios that require Azure Policy

  • If your enterprise security requires that all Media Services accounts are created with Private Link, you can use a policy definition to ensure that accounts are only created with the 2020-05-01 API (or later), which blocks the legacy REST v2 API and makes the Private Link feature available.
  • If you want to enforce specific options on the tokens used for content key policies, an Azure Policy definition can be constructed to express those requirements.
  • If your security goals require that job inputs come only from your trusted storage accounts, and that external HTTP(S) inputs supplied through JobInputHttp are restricted, an Azure Policy definition can be constructed to limit the input URI pattern.

Example policy definitions

Azure Media Services maintains and publishes a set of sample Azure Policy definitions on GitHub. See the built-in policy definitions for Media Services in the azure-policy GitHub repository.

Azure Policies, private endpoints and Media Services

Media Services defines a set of built-in Azure Policy definitions to help enforce organizational standards and to assess compliance at scale.

Azure Policy for Private Endpoints in the portal

The Configure Azure Media Services with private endpoints policy can be used to automatically create private endpoints for Media Services resources. The parameters for the policy set the subnet where the private endpoint should be created and the group ID to use when creating the private endpoint. To automatically create private endpoints for key delivery, live events, and streaming endpoints, the policy must be assigned separately for each of the group IDs (that is, one policy assignment with the group ID set to keydelivery, a second assignment with the group ID set to liveevent, and a third assignment with the group ID set to streamingendpoint). Because this policy deploys resources, the policy assignment must have a managed identity, and that identity must hold the role the definition requires at the assignment scope. DeployIfNotExists evaluates on resource create and update; to bring accounts that already exist into compliance, create a remediation task for the assignment.

The Configure Azure Media Services to use private DNS zones policy can be used to create private DNS zones for Media Services private endpoints. This policy is also assigned separately for each group ID.

The Azure Media Services should use private link policy (AuditIfNotExists) flags Media Services accounts that do not have a private endpoint connection as non-compliant.
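The three-assignments-per-policy procedure above, written out with Azure CLI as an added example (this is not code from the Media Services docs or from the azure-policy repository). The parameter names groupId, privateEndpointSubnetId and privateDnsZoneId, the Contributor role for the assignment identity, and every resource ID below are assumptions and placeholders for your own environment; confirm the parameter names against the definition on GitHub before assigning.

```shell
#!/bin/sh
# Added example for this page (not code from the Media Services docs or the
# azure-policy repository): assign the two DeployIfNotExists policies once per
# private-link group ID with Azure CLI. Assumed (not confirmed by this page):
# the parameter names groupId, privateEndpointSubnetId and privateDnsZoneId,
# the Contributor role for the assignment identity, and every resource ID below,
# which are placeholders for your own environment.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"            # placeholder subscription
RG="${RG:-rg-media}"                                          # placeholder resource group
SCOPE="${SCOPE:-/subscriptions/$SUB/resourceGroups/$RG}"      # where the policies apply
SUBNET_ID="${SUBNET_ID:-/subscriptions/$SUB/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-pe}"
DNS_ZONE_ID="${DNS_ZONE_ID:-/subscriptions/$SUB/resourceGroups/rg-net/providers/Microsoft.Network/privateDnsZones/privatelink.media.azure.net}"
LOCATION="${LOCATION:-eastus}"   # a system-assigned managed identity needs a location

# The three sub-resources a Media Services account exposes over Private Link.
AMS_GROUP_IDS="keydelivery liveevent streamingendpoint"

# Reject anything that is not one of the three group IDs (returns 1).
ams_check_group_id() {
  case "$1" in
    keydelivery|liveevent|streamingendpoint) return 0 ;;
    *) echo "unknown Media Services group ID: $1" >&2; return 1 ;;
  esac
}

# Parameter JSON for "Configure Azure Media Services with private endpoints".
ams_pe_params() {
  ams_check_group_id "$1" || return 1
  printf '{"groupId":{"value":"%s"},"privateEndpointSubnetId":{"value":"%s"}}' "$1" "$2"
}

# Parameter JSON for "Configure Azure Media Services to use private DNS zones".
ams_dns_params() {
  ams_check_group_id "$1" || return 1
  printf '{"groupId":{"value":"%s"},"privateDnsZoneId":{"value":"%s"}}' "$1" "$2"
}

# Resolve a built-in definition by display name so no definition GUID is hard-coded.
ams_definition_id() {
  az policy definition list --query "[?displayName=='$1'].id | [0]" -o tsv
}

# One assignment per group ID and per policy, each with a system-assigned
# managed identity: DeployIfNotExists has to run its deployment as something.
assign_ams_private_link() {
  pe_def=$(ams_definition_id "Configure Azure Media Services with private endpoints")
  dns_def=$(ams_definition_id "Configure Azure Media Services to use private DNS zones")
  for gid in $AMS_GROUP_IDS; do
    az policy assignment create --name "ams-pe-$gid" --scope "$SCOPE" --policy "$pe_def" \
      --mi-system-assigned --identity-scope "$SCOPE" --role Contributor --location "$LOCATION" \
      --params "$(ams_pe_params "$gid" "$SUBNET_ID")"
    az policy assignment create --name "ams-dns-$gid" --scope "$SCOPE" --policy "$dns_def" \
      --mi-system-assigned --identity-scope "$SCOPE" --role Contributor --location "$LOCATION" \
      --params "$(ams_dns_params "$gid" "$DNS_ZONE_ID")"
    # DeployIfNotExists only fires on create/update; remediate existing accounts explicitly.
    az policy remediation create --name "ams-pe-$gid" --policy-assignment "ams-pe-$gid" --resource-group "$RG"
  done
}

# Only talk to Azure when asked, so the helpers can be sourced and checked offline.
if [ "${1:-}" = "apply" ]; then assign_ams_private_link; fi
```

Run it as `sh assign-ams-private-link.sh apply` after `az login`. The group ID check is deliberately strict: a typo such as `keyDelivery` would otherwise produce an assignment that never matches anything and silently leaves that sub-resource reachable only over the public endpoint.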

Azure Policy for network security

When private link is used to access Media Services resources, a common requirement is to block access to those resources from the internet. The Azure Media Services accounts should disable public network access policy can be used to audit Media Services accounts that still permit public network access, or, with the Deny effect, to reject create and update requests that leave public network access enabled. Assign it with Deny only after the private endpoints are in place, or clients that still rely on the public endpoint will lose access.

Outbound network security

Azure Policy can be used to restrict how Media Services reaches external services. The Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns policy can be used either to block entirely Media Services jobs that read from HTTP and HTTPS URLs (by assigning it with an empty list of allowed patterns) or to limit Media Services jobs to reading from URLs that match specific patterns.
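Both assignment modes of that policy, plus a local pre-flight check that applies the baseUri-versus-files rule quoted in the table above before a job is submitted, as an added example with Azure CLI (not code from the Media Services docs or the azure-policy repository). The parameter name allowedJobInputUrlPatterns, the use of shell-style '*' wildcards as the pattern syntax, and the contoso hostnames and scope are assumptions; the pre-flight function approximates the policy evaluation and is not the policy engine itself.

```shell
#!/bin/sh
# Added example for this page (not code from the Media Services docs or the
# azure-policy repository). Shows both ways to assign the HTTPS-input policy
# with Azure CLI and a local pre-flight check that applies the rule on this
# page (match baseUri when set, otherwise each entry of files) before a job is
# submitted. Assumed, not confirmed by this page: the parameter name
# allowedJobInputUrlPatterns, shell-style '*' wildcards as the pattern syntax,
# and the placeholder hostnames and scope below.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
SCOPE="${SCOPE:-/subscriptions/$SUB}"
PATTERNS_DEFINITION="Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns"

# --params JSON from a list of patterns; no arguments gives [], which the policy
# treats as "deny every HTTPS job input".
ams_input_pattern_params() {
  list=""; sep=""
  for p in "$@"; do list="$list$sep\"$p\""; sep=","; done
  printf '{"allowedJobInputUrlPatterns":{"value":[%s]}}' "$list"
}

# Local pre-flight check, an approximation of the policy evaluation:
#   ams_job_input_allowed "<baseUri or empty>" "<files, space separated>" pattern...
# Returns 0 only when every URI the policy would look at matches some pattern.
ams_job_input_allowed() {
  base="$1"; files="$2"; shift 2
  [ $# -gt 0 ] || return 1                          # empty allow-list: deny all
  if [ -n "$base" ]; then targets="$base"; else targets="$files"; fi
  [ -n "$targets" ] || return 1
  for t in $targets; do
    matched=0
    for p in "$@"; do
      case "$t" in $p) matched=1; break ;; esac     # unquoted $p: glob match
    done
    [ "$matched" -eq 1 ] || return 1
  done
  return 0
}

# Assign the policy in one of two modes. Do not assign both at the same scope:
# the empty list denies everything, so the allow-list assignment would be moot.
assign_ams_input_patterns() {
  mode="$1"
  def=$(az policy definition list --query "[?displayName=='$PATTERNS_DEFINITION'].id | [0]" -o tsv)
  case "$mode" in
    deny-all)  params=$(ams_input_pattern_params) ;;
    allowlist) params=$(ams_input_pattern_params 'https://media.contoso.com/*' 'https://ingest.contoso.com/*') ;;
    *) echo "mode must be deny-all or allowlist" >&2; return 1 ;;
  esac
  az policy assignment create --name "ams-https-inputs-$mode" --scope "$SCOPE" \
    --policy "$def" --params "$params"
}

if [ "${1:-}" = "deny-all" ] || [ "${1:-}" = "allowlist" ]; then assign_ams_input_patterns "$1"; fi
```

Note the failure mode the pre-flight check covers: when a job sets no baseUri, every entry in files is checked, so one off-list URL among otherwise trusted ones is enough for the policy to deny the job.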