last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

[Preview]: Container Registry should use a virtual network service endpoint

Name [Preview]: Container Registry should use a virtual network service endpoint
Azure Portal
Id c4857be7-912a-4c75-87e6-e30292bcdf78
Version 1.0.0-preview
details on versioning
Category Network
Microsoft docs
Description This policy audits any Container Registry not configured to use a virtual network service endpoint.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default
Audit
Allowed
Audit, Disabled
RBAC
Role(s)
none
Rule
Aliases
IF (2)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction Microsoft.ContainerRegistry registries properties.networkRuleSet.defaultAction false
Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action Microsoft.ContainerRegistry registries properties.networkRuleSet.virtualNetworkRules[*].action false
Rule
ResourceTypes
IF (1)
Microsoft.ContainerRegistry/registries
Compliance The following 9 compliance controls are associated with this Policy definition '[Preview]: Container Registry should use a virtual network service endpoint' (c4857be7-912a-4c75-87e6-e30292bcdf78)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 1.1 Azure_Security_Benchmark_v1.0_1.1 Azure Security Benchmark 1.1 Network Security Protect resources using Network Security Groups or Azure Firewall on your Virtual Network Customer Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal n/a link 21
hipaa 0805.01m1Organizational.12-01.m hipaa-0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 08 Network Protection 0805.01m1Organizational.12-01.m 01.04 Network Access Control Shared n/a The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. 12
hipaa 0806.01m2Organizational.12356-01.m hipaa-0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 08 Network Protection 0806.01m2Organizational.12356-01.m 01.04 Network Access Control Shared n/a The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 13
hipaa 0868.09m3Organizational.18-09.m hipaa-0868.09m3Organizational.18-09.m 0868.09m3Organizational.18-09.m 08 Network Protection 0868.09m3Organizational.18-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. 5
hipaa 0869.09m3Organizational.19-09.m hipaa-0869.09m3Organizational.19-09.m 0869.09m3Organizational.19-09.m 08 Network Protection 0869.09m3Organizational.19-09.m 09.06 Network Security Management Shared n/a The router configuration files are secured and synchronized. 11
hipaa 0870.09m3Organizational.20-09.m hipaa-0870.09m3Organizational.20-09.m 0870.09m3Organizational.20-09.m 08 Network Protection 0870.09m3Organizational.20-09.m 09.06 Network Security Management Shared n/a Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. 8
hipaa 0871.09m3Organizational.22-09.m hipaa-0871.09m3Organizational.22-09.m 0871.09m3Organizational.22-09.m 08 Network Protection 0871.09m3Organizational.22-09.m 09.06 Network Security Management Shared n/a Authoritative DNS servers are segregated into internal and external roles. 4
hipaa 0894.01m2Organizational.7-01.m hipaa-0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 08 Network Protection 0894.01m2Organizational.7-01.m 01.04 Network Access Control Shared n/a Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. 19
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 30
History
Date/Time (UTC ymd) (i) Change type Change detail
2019-10-11 00:02:54 add c4857be7-912a-4c75-87e6-e30292bcdf78
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
JSON