AzPolicyAdvertizer

last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Deploy Advanced Threat Protection for Cosmos DB Accounts

Name Deploy Advanced Threat Protection for Cosmos DB Accounts
Azure Portal

Id b5f04e03-92a3-4b09-9410-2cc5e5047656

Version 1.0.0
details on versioning

Category Cosmos DB
Microsoft docs

Description This policy enables Advanced Threat Protection across Cosmos DB accounts.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)

Used RBAC Role

Role Name	Role Id
Security Admin	fb1c8493-542b-48eb-b624-b4c8fea62acd

History none

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Preview]: CMMC Level 3	b5629c75-5c77-4422-87b9-2509e680f8de	Regulatory Compliance	Preview

JSON

{
  "displayName": "Deploy Advanced Threat Protection for Cosmos DB Accounts",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "This policy enables Advanced Threat Protection across Cosmos DB accounts.",
  "metadata": {
    "version": "1.0.0",
    "category": "Cosmos DB"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.DocumentDB/databaseAccounts"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/advancedThreatProtectionSettings",
        "name": "current",
        "existenceCondition": {
          "field": "Microsoft.Security/advancedThreatProtectionSettings/isEnabled",
          "equals": "true"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "cosmosDbAccountName": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "apiVersion": "2019-01-01",
                  "type": "Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings",
                  "name": "[concat(parameters('cosmosDbAccountName'), '/Microsoft.Security/current')]",
                  "properties": {
                    "isEnabled": true
                  }
                }
              ]
            },
            "parameters": {
              "cosmosDbAccountName": {
                "value": "[field('name')]"
              }
            }
          }
        }
      }
    }
  }
}