last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Audit VMs that do not use managed disks

Name Audit VMs that do not use managed disks
Id 06a78e20-9358-41c9-923c-fb736d382a4d
Version 1.0.0
Category Compute
Description This policy audits VMs that do not use managed disks
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: audit
RBAC Role(s) none
Rule
Aliases
IF (3)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Compute/virtualMachines/osDisk.uri Microsoft.Compute virtualMachines properties.storageProfile.osDisk.vhd.uri true
Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.osdisk.image.url false
Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.osdisk.vhdContainers false
Rule
ResourceTypes
IF (2)
Microsoft.Compute/virtualMachines
Microsoft.Compute/VirtualMachineScaleSets
Compliance The following 12 compliance controls are associated with this Policy definition 'Audit VMs that do not use managed disks' (06a78e20-9358-41c9-923c-fb736d382a4d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.3.0 7.1 CIS_Azure_1.3.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
CIS_Azure_1.4.0 7.1 CIS_Azure_1.4.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 54
SOC_2 CC8.1 SOC_2_CC8.1 SOC 2 Type 2 CC8.1 Change Management Changes to infrastructure, data, and software Shared The customer is responsible for implementing this recommendation. Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. 53
SWIFT_CSCF_v2021 1.3 SWIFT_CSCF_v2021_1.3 SWIFT CSCF v2021 1.3 SWIFT Environment Protection Virtualisation Platform Protection n/a Secure virtualisation platform and virtual machines (VM's) hosting SWIFT related components to the same level as physical systems. link 1
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 12
SWIFT_CSCF_v2021 3.1 SWIFT_CSCF_v2021_3.1 SWIFT CSCF v2021 3.1 Physically Secure the Environment Physical Security n/a Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. link 1
SWIFT_CSCF_v2022 1.3 SWIFT_CSCF_v2022_1.3 SWIFT CSCF v2022 1.3 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems. Shared n/a Secure the virtualisation platform, virtualised machines, and the supporting virtual infrastructure (such as firewalls) to the same level as physical systems. link 2
SWIFT_CSCF_v2022 2.5A SWIFT_CSCF_v2022_2.5A SWIFT CSCF v2022 2.5A 2. Reduce Attack Surface and Vulnerabilities External Transmission Data Protection Customer n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 7
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
UK_NCSC_CSP 10 UK_NCSC_CSP_10 UK NCSC CSP 10 Identity and authentication Identity and authentication Shared n/a All access to service interfaces should be constrained to authenticated and authorised individuals. link 25
History none
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn