last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Deploy Advanced Threat Protection for Cosmos DB Accounts

Name Deploy Advanced Threat Protection for Cosmos DB Accounts
Id b5f04e03-92a3-4b09-9410-2cc5e5047656
Version 1.0.0
Category Cosmos DB
Description This policy enables Advanced Threat Protection across Cosmos DB accounts.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
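Used RBAC Role (the role listed under roleDefinitionIds in the JSON below; the policy assignment's managed identity needs it to run the DeployIfNotExists deployment)
Role Name | Role Id
Security Admin | fb1c8493-542b-48eb-b624-b4c8fea62acd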
History none
Used in Initiatives
Initiative DisplayName | Initiative Id | Initiative Category | State
[Preview]: CMMC Level 3 | b5629c75-5c77-4422-87b9-2509e680f8de | Regulatory Compliance | Preview
JSON
{
  "displayName": "Deploy Advanced Threat Protection for Cosmos DB Accounts",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "This policy enables Advanced Threat Protection across Cosmos DB accounts.",
  "metadata": {
    "version": "1.0.0",
    "category": "Cosmos DB"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.DocumentDB/databaseAccounts"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/advancedThreatProtectionSettings",
        "name": "current",
        "existenceCondition": {
          "field": "Microsoft.Security/advancedThreatProtectionSettings/isEnabled",
          "equals": "true"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "cosmosDbAccountName": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "apiVersion": "2019-01-01",
                  "type": "Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings",
                  "name": "[concat(parameters('cosmosDbAccountName'), '/Microsoft.Security/current')]",
                  "properties": {
                    "isEnabled": true
                  }
                }
              ]
            },
            "parameters": {
              "cosmosDbAccountName": {
                "value": "[field('name')]"
              }
            }
          }
        }
      }
    }
  }
}