| Category | Id | DisplayName | Description | Effect | Roles used | Details (UTC ymd) (i) |
|---|---|---|---|---|---|---|
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2022-08-09 17:24:03
change: Major (3.0.0 > 4.0.0) |
| Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Disabled) |
2022-08-09 17:24:03
change: Major (2.0.0 > 3.0.0) | |
| Security Center | e9ac8f8e-ce22-4355-8f04-99b911d6be52 | Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: e9ac8f8e-ce22-4355-8f04-99b911d6be52 | |
| Cosmos DB | a63cc0bd-cda4-4178-b705-37dc439d3e0f | Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-08-09 17:24:03
change: Major (1.0.0 > 2.0.0) |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2022-08-09 17:24:03
change: Major (2.0.1 > 3.0.0) |
| Security Center | e3e008c3-56b9-4133-8fd7-d3347377402a | Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: e3e008c3-56b9-4133-8fd7-d3347377402a | |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | Deploy a Data Collection Rule for VMInsights and Data Collection Rule Association for all Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0) |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) |
| Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Modify Allowed: (Disabled, Modify) | Contributor |
2022-08-09 17:24:03
change: Major (2.0.0 > 3.0.0) |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2022-08-09 17:24:03
change: Major (3.0.0 > 4.0.0) |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0) |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-08-09 17:24:03
change: Patch (2.1.0 > 2.1.1) |
| Security Center | 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be | |
| Service Bus | cbd11fd3-3002-4907-b6c8-579f0e700e13 | Service Bus Namespaces should disable public network access | Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-08-09 17:24:03
add: cbd11fd3-3002-4907-b6c8-579f0e700e13 | |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-08-09 17:24:03
change: Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-08-09 17:24:03
change: Minor (1.0.0 > 1.1.0) |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-08-09 17:24:03
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) |
| Security Center | 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 | |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Cognitive Services Contributor |
2022-08-09 17:24:03
change: Major (2.1.0 > 3.0.0) |
| Security Center | 339353f6-2387-4a45-abe4-7f529d121046 | Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 339353f6-2387-4a45-abe4-7f529d121046 | |
| Security Center | 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 | |
| Security Center | 931e118d-50a1-4457-a5e4-78550e086c52 | Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 931e118d-50a1-4457-a5e4-78550e086c52 | |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-08-09 17:24:03
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) |
| Monitoring | 187242f4-89c6-4c43-9a4e-188c0efacc5f | Resource logs should be enabled for Audit on supported resources | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-09 17:24:03
add: 187242f4-89c6-4c43-9a4e-188c0efacc5f | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-08-09 17:24:03
change: Minor, suffix remains equal (5.1.1-preview > 5.2.0-preview) |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed: deployIfNotExists | Log Analytics Contributor |
2022-08-05 16:32:22
change: Major (2.0.1 > 3.0.0) |
| Security Center | 0cfea604-3201-4e14-88fc-fae4c427a6c5 | Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-08-05 16:32:22
add: 0cfea604-3201-4e14-88fc-fae4c427a6c5 | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-08-05 16:32:22
change: Major (2.0.0 > 3.0.0) | |
| Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-08-05 16:32:22
change: Major (2.0.0 > 3.0.0) | |
| Lab Services | 0fd9915e-cab3-4f24-b200-6e20e1aa276a | Lab Services should require non-admin user for labs | This policy requires non-admin user accounts to be created for the labs managed through lab-services. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0) | |
| Lab Services | a6e9cf2d-7d76-440e-b795-8da246bd3aab | Lab Services should enable all options for auto shutdown | This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0) | |
| Container Apps | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-07-29 16:32:46
change: Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) |
| Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-29 16:32:46
change: Major (1.0.0 > 2.0.0) | |
| Lab Services | e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | Lab Services should not allow template virtual machines for labs | This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0) | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2022-07-29 16:32:46
change: Patch (3.0.0 > 3.0.1) |
| Container Apps | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Container Apps | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Container Apps | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-29 16:32:46
change: Patch (3.0.0 > 3.0.1) |
| Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Patch (1.0.0 > 1.0.1) | |
| Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-07-29 16:32:46
change: Major (1.0.0 > 2.0.0) |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-29 16:32:46
change: Patch (1.0.1 > 1.0.2) | |
| Lab Services | 3e13d504-9083-4912-b935-39a085db2249 | Lab Services should restrict allowed virtual machine SKU sizes | This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
change: Minor (1.0.0 > 1.1.0) | |
| Machine Learning | e413671a-dd10-4cc1-a943-45b598596cb7 | Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility | Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-29 16:32:46
add: e413671a-dd10-4cc1-a943-45b598596cb7 | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-29 16:32:46
change: Patch (2.1.0 > 2.1.1) |
| Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-26 16:32:46
add: 08a4470f-b26d-428d-97f4-7e3e9c92b366 |
| Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-26 16:32:46
add: 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) |
2022-07-26 16:32:46
change: Major (1.0.3 > 2.0.0) | |
| Monitoring | c7f3bf36-b807-4f18-82dc-f480ad713635 | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSS in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-07-26 16:32:46
add: c7f3bf36-b807-4f18-82dc-f480ad713635 |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Cognitive Services Contributor |
2022-07-26 16:32:46
change: Minor (2.0.0 > 2.1.0) |
| Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-07-26 16:32:46
add: 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d |
| Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-26 16:32:46
add: 84cfed75-dfd4-421b-93df-725b479d356a |
| Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-07-26 16:32:46
add: af0082fd-fa58-4349-b916-b0e47abb0935 |
| Monitoring | 7c4214e9-ea57-487a-b38e-310ec09bc21d | Deploy a Data Collection Rule for VMInsights and Data Collection Rule Association for all Arc Machines in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-07-26 16:32:46
add: 7c4214e9-ea57-487a-b38e-310ec09bc21d |
| Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-26 16:32:46
add: d55b81e1-984f-4a96-acab-fae204e3ca7f |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-07-26 16:32:46
change: Major (3.1.1 > 4.0.0) |
| Monitoring | a0f27bdc-5b15-4810-b81d-7c4df9df1a37 | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group | Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-07-26 16:32:46
add: a0f27bdc-5b15-4810-b81d-7c4df9df1a37 |
| Azure Active Directory | 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 | Azure Active Directory should use private link to access Azure services | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-22 16:34:49
add: 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 | |
| Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-22 16:34:49
add: 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | |
| Azure Active Directory | 7e4301f9-5f32-4738-ad9f-7ec2d15563ad | Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-07-22 16:34:49
add: 7e4301f9-5f32-4738-ad9f-7ec2d15563ad |
| Azure Active Directory | b923afcf-4c3a-4ed6-8386-1ff64b68de47 | Configure Private Link for Azure AD with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-07-22 16:34:49
add: b923afcf-4c3a-4ed6-8386-1ff64b68de47 |
| SQL | 80ed5239-4122-41ed-b54a-6f1fa7552816 | Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1) |
| SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1) |
| SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-07-22 16:34:49
change: Patch (1.0.0 > 1.0.1) |
| SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed: DeployIfNotExists | SQL Security Manager Storage Account Contributor |
2022-07-22 16:34:49
change: Minor (1.2.0 > 1.3.0) |
| SQL | 9dfea752-dd46-4766-aed1-c355fa93fb91 | Azure SQL Managed Instances should disable public network access | Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-22 16:34:49
add: 9dfea752-dd46-4766-aed1-c355fa93fb91 | |
| Container Registry | 785596ed-054f-41bc-aaec-7f3d0ba05725 | Configure container registries to disable ARM audience token authentication. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-07-15 16:32:44
add: 785596ed-054f-41bc-aaec-7f3d0ba05725 |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-15 16:32:44
change: Major (1.0.0 > 2.0.0) | |
| Health Bot | 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 | Azure Health Bots should use customer-managed keys to encrypt data at rest | Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk | Default: Audit Allowed: (Audit, Disabled) |
2022-07-15 16:32:44
add: 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 | |
| Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-15 16:32:44
change: Major (1.0.0 > 2.0.0) | |
| Container Registry | 42781ec6-6127-4c30-bdfa-fb423a0047d3 | Container registries should have ARM audience token authentication disabled. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-15 16:32:44
add: 42781ec6-6127-4c30-bdfa-fb423a0047d3 | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-15 16:32:44
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
change: Patch (1.0.1 > 1.0.2) | |
| Internet of Things | d02e48d5-28d9-40d3-8ab8-301932a6f9cb | Modify - Configure IoT Central to disable public network access | Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-07-08 16:32:07
add: d02e48d5-28d9-40d3-8ab8-301932a6f9cb |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Major (3.3.1 > 4.0.0) | |
| Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
add: 632d3993-e2c0-44ea-a7db-2eca131f356d | |
| Fluid Relay | 46388f67-373c-4018-98d3-2b83172dd13a | Fluid Relay should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-08 16:32:07
add: 46388f67-373c-4018-98d3-2b83172dd13a | |
| Internet of Things | 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 | IoT Central should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
add: 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 | |
| API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Patch (6.2.0 > 6.2.1) | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-07-08 16:32:07
change: Minor (4.0.1 > 4.1.0) |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
change: Major, suffix remains equal (1.0.3-preview > 2.0.0-preview) | |
| API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Major (4.2.1 > 5.0.0) | |
| Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Azure Databricks Workspaces should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
add: 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | |
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | Calls from API Management to API backends should validate certificate thumbprint and certificate name. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-08 16:32:07
change: Minor (2.0.1 > 2.1.0) |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-07-08 16:32:07
change: Major, suffix remains equal (6.1.2-preview > 7.0.0-preview) |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-07-08 16:32:07
change: Minor (2.0.1 > 2.1.0) |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Major (6.2.0 > 7.0.0) | |
| Internet of Things | d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 | Deploy - Configure IoT Central to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2022-07-08 16:32:07
add: d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Major (6.1.0 > 7.0.0) | |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use encrypted protocols only | APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
change: Patch (2.0.0 > 2.0.1) | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-08 16:32:07
change: Major, suffix remains equal (5.0.3-preview > 6.0.0-preview) | |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-07-08 16:32:07
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) |
| Guest Configuration | 828ba269-bf7f-4082-83dd-633417bc391d | Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows servers | Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows server | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-07-08 16:32:07
add: 828ba269-bf7f-4082-83dd-633417bc391d |
| Internet of Things | cd870362-211d-4cad-9ad9-11e5ea4ebbc1 | Public network access should be disabled for IoT Central | To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-08 16:32:07
add: cd870362-211d-4cad-9ad9-11e5ea4ebbc1 | |
| Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2022-07-08 16:32:07
change: Minor (1.0.0 > 1.1.0) |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management Named Values secrets should be stored in Azure KeyVault | Secrets referenced in Named Values should store the values in Azure KeyVault instead of within the Named Values store. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-08 16:32:07
change: Major (6.1.0 > 7.0.0) | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-07-08 16:32:07
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-07-08 16:32:07
change: Minor (4.0.1 > 4.1.0) |
| API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct API Management endpoint should not be enabled | Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-07-08 16:32:07
change: Patch (1.0.0 > 1.0.1) | |
| Internet of Things | c854b0f0-02d0-4f94-9b42-fd175fbd4d49 | Deploy - Configure IoT Central with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2022-07-08 16:32:07
add: c854b0f0-02d0-4f94-9b42-fd175fbd4d49 |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1) | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps since Python is not supported on Windows apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (3.0.0 > 4.0.0) | |
| App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-07-01 16:32:34
change: Patch, new suffix: preview (6.1.1 > 6.1.2-preview) |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Major (4.2.1 > 5.0.0) | |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1) | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (3.0.0 > 4.0.0) | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use the latest 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) |
| App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Patch (6.0.1 > 6.0.2) | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | [Deprecated]: Latest TLS version should be used in your API App | Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) | |
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | [Deprecated]: Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-07-01 16:32:34
change: Patch (2.0.0 > 2.0.1) | |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.1 > 2.0.0) | |
| App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use the latest 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch, new suffix: preview (5.0.2 > 5.0.3-preview) | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Major (3.1.1 > 4.0.0) | |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | [Deprecated]: FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | [Deprecated]: Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Upgrade to the latest TLS version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Patch (5.0.1 > 5.0.2) | |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Upgrade to the latest TLS version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service apps should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Major (7.2.0 > 8.0.0) | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use the latest 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.2.0 > 3.0.0) | |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| App Service | 324c7761-08db-4474-9661-d1039abc92ee | [Deprecated]: API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-07-01 16:32:34
change: Major (4.2.1 > 5.0.0) | |
| App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | [Deprecated]: CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2022-07-01 16:32:34
change: Patch (1.0.0 > 1.0.1) |
| App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-07-01 16:32:34
change: Major (1.0.0 > 2.0.0) | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-06-24 19:15:47
change: Minor (3.0.0 > 3.1.0) |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-06-24 19:15:47
change: Major (4.0.0 > 5.0.0) |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-06-24 19:15:47
change: Patch, old suffix: preview (3.1.0-preview > 3.1.1) |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-06-24 19:15:47
change: Minor (3.0.0 > 3.1.0) |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0) |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-06-24 19:15:47
change: Patch (4.0.0 > 4.0.1) |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0) |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-06-24 19:15:47
change: Patch, old suffix: preview (6.1.0-preview > 6.1.1) |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-06-24 19:15:47
change: Major (4.0.0 > 5.0.0) |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) |
2022-06-24 19:15:47
change: Patch, old suffix: preview (1.0.2-preview > 1.0.3) | |
| Guest Configuration | f40c7c00-b4e3-4068-a315-5fe81347a904 | [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-06-24 19:15:47
add: f40c7c00-b4e3-4068-a315-5fe81347a904 |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use encrypted protocols only | APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-24 19:15:47
change: Major (1.0.0 > 2.0.0) | |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2022-06-24 19:15:47
change: Major (2.0.0 > 3.0.0) |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-06-24 19:15:47
change: Patch, old suffix: preview (5.0.1-preview > 5.0.2) | |
| Kubernetes | 46238e2f-3f6f-4589-9f3f-77bed4116e67 | Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Default: Audit Allowed: (Audit, Disabled) |
2022-06-24 19:15:47
add: 46238e2f-3f6f-4589-9f3f-77bed4116e67 | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-06-24 19:15:47
change: Patch (4.0.0 > 4.0.1) |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2022-06-24 19:15:47
change: Major (2.0.0 > 3.0.0) |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0) |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-06-24 19:15:47
change: Major (8.0.0 > 9.0.0) |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2022-06-24 19:15:47
change: Major (4.0.0 > 5.0.0) |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (3.3.0 > 3.3.1) | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (3.1.0 > 3.1.1) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.2.0 > 4.2.1) | |
| API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management Named Values secrets should be stored in Azure KeyVault | Secrets referenced in Named Values should store the values in Azure KeyVault instead of within the Named Values store. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: f1cc7827-022c-473e-836e-5a51cae0b249 | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (5.0.0 > 5.0.1) | |
| API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped at the All API scope. | API Management subscriptions should be scoped at the product or individual API instead of all APIs, which could expose all APIs in the API Management instance. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | |
| API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | Calls from API Management to API backends should validate certificate thumbprint and certificate name. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: 92bb331d-ac71-416a-8c91-02f2cb734ce4 | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (6.0.1 > 6.0.2) | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-17 16:31:08
change: Major (1.1.0 > 2.0.0) | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Major (4.2.0 > 6.0.1) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.2.0 > 4.2.1) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (5.0.0 > 5.0.1) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.2.0 > 4.2.1) | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Major (3.2.0 > 4.0.1) | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-17 16:31:08
change: Major (1.1.0 > 2.0.0) | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (5.0.0 > 5.0.1) | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-17 16:31:08
change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | |
| API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use encrypted protocols only | APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (3.0.0 > 3.0.1) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (5.0.0 > 5.0.1) | |
| API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct API Management endpoint should not be enabled | Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: b741306c-968e-4b67-b916-5675e5c709f4 | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Major (7.2.0 > 8.0.0) | |
| API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-17 16:31:08
add: 549814b6-3212-4203-bdc8-1548d342fb67 | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (7.0.0 > 7.0.1) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (6.0.0 > 6.0.1) | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (3.0.0 > 3.0.1) | |
| API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-06-17 16:31:08
add: c15dcc82-b93c-4dcb-9332-fbf121685b54 | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-17 16:31:08
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-17 16:31:08
change: Major (1.2.0 > 2.0.0) | |
| Key Vault | 405c5871-3e91-4644-8a63-58e19d68ff5b | Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-10 16:31:21
add: 405c5871-3e91-4644-8a63-58e19d68ff5b | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-10 16:31:21
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-10 16:31:21
change: Major (4.2.0 > 5.0.0) | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-10 16:31:21
change: Major (7.1.0 > 8.0.0) | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-06-10 16:31:21
change: Major (2.1.0 > 3.0.0) |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-10 16:31:21
change: Major (3.2.0 > 4.0.0) | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-10 16:31:21
change: Major, old suffix: preview (2.0.0-preview > 3.0.0) | |
| Storage | b2982f36-99f2-4db5-8eff-283140c09693 | Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-10 16:31:21
change: Patch (1.0.0 > 1.0.1) | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-10 16:31:21
change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | |
| Storage | a06d0189-92e8-4dba-b0c4-08d7669fce7d | Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Modify Allowed: (Modify, Disabled) | Storage Account Contributor |
2022-06-10 16:31:21
change: Patch (1.0.0 > 1.0.1) |
| Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01dc | Configure key vaults to enable firewall | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Default: Modify Allowed: (Modify, Disabled) | Key Vault Contributor |
2022-06-10 16:31:21
change: Minor, old suffix: preview (1.0.0-preview > 1.1.1) |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-10 16:31:21
change: Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-10 16:31:21
change: Minor, suffix remains equal (6.0.1-preview > 6.1.0-preview) | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-06-10 16:31:21
change: Major (2.1.0 > 3.0.0) |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-10 16:31:21
change: Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-06-10 16:31:21
change: Major (2.1.1 > 3.0.0) |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-10 16:31:21
change: Major (2.1.0 > 3.0.0) | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2022-06-10 16:31:21
change: Major (2.1.1 > 3.0.0) |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Disabled) |
2022-06-10 16:31:21
change: Major (1.0.1 > 2.0.0) | |
| Guest Configuration | 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-06-07 16:30:19
add: 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
change: Patch (1.0.0 > 1.0.1) | |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Guest Configuration | e79ffbda-ff85-465d-ab8e-7e58a557660f | [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-06-07 16:30:19
add: e79ffbda-ff85-465d-ab8e-7e58a557660f | |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
| Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
add: 65280eef-c8b4-425e-9aec-af55e55bf581 | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-06-07 16:30:19
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview) |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-07 16:30:19
change: Major (2.2.0 > 3.0.0) | |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) |
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
change: Minor (1.1.0 > 1.2.0) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-07 16:30:19
change: Patch (6.0.0 > 6.0.1) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | Fixed: deployIfNotExists | Security Admin |
2022-06-07 16:30:19
change: Patch (1.0.0 > 1.0.1) |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-06-07 16:30:19
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview) |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (3.0.3-preview > 3.1.0-preview) |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (5.0.1-preview > 5.1.1-preview) |
| App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | [Deprecated]: API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. | Default: Audit Allowed: (Audit, Disabled) |
2022-06-07 16:30:19
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) |
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0) | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) | |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
add: 57dde185-5c62-4063-b965-afbb201e9c1c | |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-06-07 16:30:19
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-06-07 16:30:19
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-06-07 16:30:19
change: Major (3.2.0 > 4.0.0) | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-06-07 16:30:19
change: Major, suffix remains equal (5.0.0-preview > 6.0.1-preview) | |
| Storage | c1d634a5-f73d-4cdd-889f-2cc7006eb47f | Configure a private DNS Zone ID for table_secondary groupID | Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: c1d634a5-f73d-4cdd-889f-2cc7006eb47f |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0) | |
| Storage | bcff79fb-2b0d-47c9-97e5-3023479b00d1 | Configure a private DNS Zone ID for queue groupID | Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: bcff79fb-2b0d-47c9-97e5-3023479b00d1 |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Guest Configuration Resource Contributor |
2022-05-27 20:20:35
change: Major (1.1.0 > 2.0.0) |
| Storage | b2982f36-99f2-4db5-8eff-283140c09693 | Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-27 20:20:35
add: b2982f36-99f2-4db5-8eff-283140c09693 | |
| Storage | 75973700-529f-4de2-b794-fb9b6781b6b0 | Configure a private DNS Zone ID for blob groupID | Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 75973700-529f-4de2-b794-fb9b6781b6b0 |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-05-27 20:20:35
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
| Storage | d19ae5f1-b303-4b82-9ca8-7682749faf0c | Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: d19ae5f1-b303-4b82-9ca8-7682749faf0c |
| Storage | 90bd4cb3-9f59-45f7-a6ca-f69db2726671 | Configure a private DNS Zone ID for dfs_secondary groupID | Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 90bd4cb3-9f59-45f7-a6ca-f69db2726671 |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (5.1.0 > 6.0.0) | |
| Storage | d847d34b-9337-4e2d-99a5-767e5ac9c582 | Configure a private DNS Zone ID for blob_secondary groupID | Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: d847d34b-9337-4e2d-99a5-767e5ac9c582 |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-05-27 20:20:35
change: Patch (1.0.0 > 1.0.1) | |
| Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2022-05-27 20:20:35
change: Minor (1.0.0 > 1.1.0) |
| Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-27 20:20:35
change: Minor (1.0.0 > 1.1.0) | |
| Storage | 028bbd88-e9b5-461f-9424-a1b63a7bee1a | Configure a private DNS Zone ID for table groupID | Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 028bbd88-e9b5-461f-9424-a1b63a7bee1a |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (6.3.0 > 7.0.0) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (5.2.0 > 6.0.0) | |
| Storage | da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6 | Configure a private DNS Zone ID for queue_secondary groupID | Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6 |
| Storage | a06d0189-92e8-4dba-b0c4-08d7669fce7d | Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Modify Allowed: (Modify, Disabled) | Storage Account Contributor |
2022-05-27 20:20:35
add: a06d0189-92e8-4dba-b0c4-08d7669fce7d |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0) | |
| Maps | 50553764-7777-43cf-bf12-8647e0b9ba01 | CORS should not allow every resource to access your map account. | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account. | Default: Audit Allowed: (Disabled, Audit, Deny) |
2022-05-27 20:20:35
add: 50553764-7777-43cf-bf12-8647e0b9ba01 | |
| Storage | 9adab2a5-05ba-4fbd-831a-5bf958d04218 | Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 9adab2a5-05ba-4fbd-831a-5bf958d04218 |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (3.1.0 > 4.0.0) | |
| Storage | 83c6fe0f-2316-444a-99a1-1ecd8a7872ca | Configure a private DNS Zone ID for dfs groupID | Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 83c6fe0f-2316-444a-99a1-1ecd8a7872ca |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-05-27 20:20:35
change: Major (4.2.0 > 5.0.0) | |
| Storage | 6df98d03-368a-4438-8730-a93c4d7693d6 | Configure a private DNS Zone ID for file groupID | Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-05-27 20:20:35
add: 6df98d03-368a-4438-8730-a93c4d7693d6 |
| Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: 86810a98-8e91-4a44-8386-ec66d0de5d57 | |
| Attestation | 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | Azure Attestation providers should disable public network access | To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | |
| Web PubSub | eb907f70-7514-460d-92b3-a5ae93b4f917 | Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2022-05-23 08:52:47
add: eb907f70-7514-460d-92b3-a5ae93b4f917 | |
| SignalR | 2393d2cf-a342-44cd-a2e2-fe0188fd1234 | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2022-05-23 08:52:47
add: 2393d2cf-a342-44cd-a2e2-fe0188fd1234 | |
| Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | |
| Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: e58fd0c1-feac-4d12-92db-0a7e9421f53e | |
| Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-05-23 08:52:47
add: 516187d4-ef64-4a1b-ad6b-a7348502976c |
| Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | |
| Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor User Access Administrator |
2022-05-23 08:52:47
add: d367bd60-64ca-4364-98ea-276775bddd94 |
| Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
add: ad27588c-0198-4c84-81ef-08efd0274653 | |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access | Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-23 08:52:47
change: Major (1.3.0 > 2.0.0) | |
| Container Apps | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | |
| Internet of Things | a222b93a-e6c2-4c01-817f-21e092455b2a | Configure Azure Device Update for IoT Hub accounts to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2022-05-16 16:31:13
add: a222b93a-e6c2-4c01-817f-21e092455b2a |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2022-05-16 16:31:13
change: Major, old suffix: preview (3.1.0-preview > 4.0.0) |
| Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | |
| Internet of Things | 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 | Configure Azure Device Update for IoT Hub accounts to disable public network access | Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-05-16 16:31:13
add: 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 |
| Container Apps | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-16 16:31:13
add: 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | |
| Container Apps | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | |
| Web PubSub | ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4 | Azure Web PubSub Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-16 16:31:13
add: ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4 | |
| Internet of Things | 510ec8b2-cb9e-461d-b7f3-6b8678c31182 | Public network access for Azure Device Update for IoT Hub accounts should be disabled | Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: 510ec8b2-cb9e-461d-b7f3-6b8678c31182 | |
| SignalR | d9f1f9a9-8795-49f9-9e7b-e11db14caeb2 | Azure SignalR Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-16 16:31:13
add: d9f1f9a9-8795-49f9-9e7b-e11db14caeb2 | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0) | |
| Bot Service | 5e8168db-69e3-4beb-9822-57cb59202a9d | Bot Service should have public network access disabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: 5e8168db-69e3-4beb-9822-57cb59202a9d | |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0) | |
| Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: d074ddf8-01a5-4b5e-a2b8-964aed452c0a | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
change: Major (1.0.2 > 2.0.0) | |
| Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2022-05-16 16:31:13
add: 5b9d063f-c5fd-4750-a489-1258d1fefcbf |
| Container Apps | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-16 16:31:13
add: 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0) |
| Guest Configuration | 50c52fc9-cb21-4d99-9031-d6a0c613361c | [Preview]: Windows machines should meet STIG compliance requirements for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-06 16:29:23
add: 50c52fc9-cb21-4d99-9031-d6a0c613361c | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0) |
| Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-05-06 16:29:23
add: 8b346db6-85af-419b-8557-92cee2c0f9bb | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0) |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-05-06 16:29:23
change: Major (1.1.1 > 2.0.0) |
| Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates | [Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-06 16:29:23
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL DB Contributor |
2022-05-06 16:29:23
change: Minor (2.0.0 > 2.1.0) |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2022-05-06 16:29:23
change: Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0) |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-05-06 16:29:23
change: Major (1.0.1 > 2.0.0) |
| Kubernetes | da6e2401-19da-4532-9141-fb8fbde08431 | Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Default: Audit Allowed: (Audit, Disabled) |
2022-05-06 16:29:23
add: da6e2401-19da-4532-9141-fb8fbde08431 | |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-05-06 16:29:23
change: Major (3.0.1 > 4.0.0) |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access | Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-05-06 16:29:23
change: Minor (1.2.0 > 1.3.0) | |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0) | |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-05-06 16:29:23
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (5.1.0 > 5.2.0) | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0) | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0) |
| Update Management Center | 59efceea-0c96-497e-a4a1-4eb2290dac15 | [Preview]: Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Virtual Machine Contributor |
2022-04-29 18:06:01
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Synapse | cb3738a6-82a2-4a18-b87b-15217b9deff4 | Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: cb3738a6-82a2-4a18-b87b-15217b9deff4 | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0) |
| Lab Services | e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | Lab Services should not allow template virtual machines for labs | This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-04-29 18:06:01
change: Major (1.0.0 > 2.0.0) |
| Update Management Center | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | [Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Azure Connected Machine Resource Administrator |
2022-04-29 18:06:01
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Lab Services | 3e13d504-9083-4912-b935-39a085db2249 | Lab Services should restrict allowed virtual machine SKU sizes | This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: 3e13d504-9083-4912-b935-39a085db2249 | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (6.2.0 > 6.3.0) | |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
change: Minor (1.0.0 > 1.1.0) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-04-29 18:06:01
change: Major, suffix remains equal (5.1.0-preview > 6.0.0-preview) |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (7.1.0 > 7.2.0) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (3.2.0 > 3.3.0) | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (7.1.0 > 7.2.0) | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (6.1.0 > 6.2.0) | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
change: Minor (1.0.0 > 1.1.0) | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0) |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0) | |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | [Deprecated]: Azure SignalR Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
change: Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Lab Services | 0fd9915e-cab3-4f24-b200-6e20e1aa276a | Lab Services should require non-admin user for labs | This policy requires non-admin user accounts to be created for the labs managed through lab-services. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: 0fd9915e-cab3-4f24-b200-6e20e1aa276a | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Web PubSub | 52630df9-ca7e-442b-853b-c6ce548b31a2 | [Deprecated]: Azure Web PubSub Service should use private link | The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
change: Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (3.1.0 > 3.2.0) | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-29 18:06:01
change: Major (7.1.0 > 8.0.0) |
| Lab Services | a6e9cf2d-7d76-440e-b795-8da246bd3aab | Lab Services should enable all options for auto shutdown | This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: a6e9cf2d-7d76-440e-b795-8da246bd3aab | |
| Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-29 18:06:01
add: a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-29 18:06:01
change: Minor (4.1.0 > 4.2.0) | |
| Synapse | 8b5c654c-fb07-471b-aa8f-15fea733f140 | Configure Azure Synapse Workspace Dedicated SQL minimum TLS version | Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-04-29 18:06:01
add: 8b5c654c-fb07-471b-aa8f-15fea733f140 |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-29 18:06:01
change: Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-22 19:50:54
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-22 19:50:54
add: 50c83470-d2f0-4dda-a716-1938a4825f62 | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-22 19:50:54
change: Major (2.0.0 > 3.0.0) | |
| Storage | fe83a0eb-a853-422d-aac2-1bffd182c5d0 | Storage accounts should have the specified minimum TLS version | Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-22 19:50:54
add: fe83a0eb-a853-422d-aac2-1bffd182c5d0 | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-04-22 19:50:54
change: Major, suffix remains equal (4.1.0-preview > 5.1.0-preview) |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-15 17:17:14
change: Minor (6.1.0 > 6.2.0) | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-04-15 17:17:14
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Kubernetes | 73868911-4f4a-444f-adbd-5382bf70208a | Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed | Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Owner |
2022-04-15 17:17:14
add: 73868911-4f4a-444f-adbd-5382bf70208a |
| Stream Analytics | ea6c4923-510a-4346-be26-1894919a5b97 | Stream Analytics job should use managed identity to authenticate endpoints | Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication. | Default: Audit Allowed: (Deny, Disabled, Audit) |
2022-04-15 17:17:14
add: ea6c4923-510a-4346-be26-1894919a5b97 | |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-04-15 17:17:14
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-08 16:22:13
change: Patch (3.0.0 > 3.0.1) |
| Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-08 16:22:13
add: 98569e20-8f32-4f31-bf34-0e91590ae9d3 |
| Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-08 16:22:13
add: 637125fd-7c39-4b94-bb0a-d331faf333a9 |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-08 16:22:13
change: Patch (4.0.0 > 4.0.1) |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0) |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0) |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0) |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-08 16:22:13
change: Major (6.1.0 > 7.1.0) |
| Regulatory Compliance | d7d66d05-bf34-4555-b5f2-8b749def4098 | Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: d7d66d05-bf34-4555-b5f2-8b749def4098 | |
| Stream Analytics | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 68f837d0-8942-4b1e-9b31-be78b247bda8 | Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 9870806c-153f-4fa5-aafa-c5f5eeb72292 | Microsoft Managed Control 1741 - Enterprise Architecture | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 9870806c-153f-4fa5-aafa-c5f5eeb72292 | |
| Regulatory Compliance | 3044f5dc-93dd-4da0-b25d-bb6cedde3536 | Microsoft Managed Control 1862 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: 3044f5dc-93dd-4da0-b25d-bb6cedde3536 | |
| Regulatory Compliance | 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac | Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac | |
| Monitoring | ea0dfaed-95fb-448c-934e-d6e713ce393d | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | d39620a4-95c6-4d4f-8aa4-83c0c6a2c640 | Microsoft Managed Control 1818 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: d39620a4-95c6-4d4f-8aa4-83c0c6a2c640 | |
| Monitoring | fa298e57-9444-42ba-bf04-86e8470e32c7 | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 426f3a87-2d38-47e9-9687-c095441cd82c | Microsoft Managed Control 1732 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 426f3a87-2d38-47e9-9687-c095441cd82c | |
| Regulatory Compliance | 91c97b44-791e-46e9-bad7-ab7c4949edbb | Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | e54c325e-42a0-4dcf-b105-046e0f6f590f | Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 80ca0a27-918a-4604-af9e-723a27ee51e8 | Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef | Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) | |
| Regulatory Compliance | fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42 | Microsoft Managed Control 1750 - Mission/Business Process Definition | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42 | |
| Regulatory Compliance | ad2f8e61-a564-4dfd-8eaa-816f5be8cb34 | Microsoft Managed Control 1569 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 6c53d030-cc64-46f0-906d-2bc061cd1334 | Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | f751cdb7-fbee-406b-969b-815d367cb9b3 | Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols... | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f | Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (7.0.1 > 7.1.0) | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | 952a545c-6dc5-4999-aeb6-51ed27dc7ea5 | Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | Fixed: audit |
2022-04-01 20:29:14
add: 952a545c-6dc5-4999-aeb6-51ed27dc7ea5 | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0) |
| Regulatory Compliance | a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6 | Microsoft Managed Control 1745 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6 | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | 0f559588-5e53-4b14-a7c4-85d28ebc2234 | Microsoft Managed Control 1430 - Media Labeling | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0) | |
| Regulatory Compliance | 07458826-9325-4481-abaf-bc9ed043459d | Microsoft Managed Control 1744 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 07458826-9325-4481-abaf-bc9ed043459d | |
| Regulatory Compliance | 40fcc635-52a2-4dbc-9523-80a1f4aa1de6 | Microsoft Managed Control 1438 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36 | Microsoft Managed Control 1572 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | d550e854-df1a-4de9-bf44-cd894b39a95e | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | b11c985b-f2cd-4bd7-85f4-b52426edf905 | Microsoft Managed Control 1571 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 669ac708-82af-46f6-8bd6-75b48247489d | Microsoft Managed Control 1864 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: 669ac708-82af-46f6-8bd6-75b48247489d | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.1.2 > 2.2.0) | |
| Regulatory Compliance | ea979184-f7c4-42be-86d2-584b95c34540 | Microsoft Managed Control 1869 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed: audit |
2022-04-01 20:29:14
add: ea979184-f7c4-42be-86d2-584b95c34540 | |
| Regulatory Compliance | 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8 | Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8 | |
| Regulatory Compliance | d02e586f-d430-4053-b672-c14a788ad59f | Microsoft Managed Control 1823 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: d02e586f-d430-4053-b672-c14a788ad59f | |
| Regulatory Compliance | 01524fa8-4555-48ce-ba5f-c3b8dcef5147 | Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 27a69937-af92-4198-9b86-08d355c7e59a | Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 5ec0d156-53ba-4f29-8c17-1525cde54129 | Microsoft Managed Control 1844 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 5ec0d156-53ba-4f29-8c17-1525cde54129 | |
| Regulatory Compliance | 39f15e01-d964-41ee-88e3-eefbddc840cd | Microsoft Managed Control 1846 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 39f15e01-d964-41ee-88e3-eefbddc840cd | |
| Regulatory Compliance | cf1cad59-1012-4b55-9b80-427596ea1f4f | Microsoft Managed Control 1867 - Dissemination of Privacy Program Information | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: cf1cad59-1012-4b55-9b80-427596ea1f4f | |
| Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor |
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0) |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Regulatory Compliance | 1437bf9c-feef-4c82-a57a-22d1fcbcd247 | Microsoft Managed Control 1872 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed: audit |
2022-04-01 20:29:14
add: 1437bf9c-feef-4c82-a57a-22d1fcbcd247 | |
| Regulatory Compliance | 563f2ce4-2d95-44b6-b828-275a2f3cac47 | Microsoft Managed Control 1848 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 563f2ce4-2d95-44b6-b828-275a2f3cac47 | |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48 | Microsoft Managed Control 1828 - Data Integrity And Data Integrity Board | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48 | |
| Regulatory Compliance | 9d9166a8-1722-4b8f-847c-2cf3f2618b3d | Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b | Microsoft Managed Control 1747 - Security Authorization Process | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b | |
| Regulatory Compliance | 7522ed84-70d5-4181-afc0-21e50b1b6d0e | Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b | Microsoft Managed Control 1850 - Redress | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b | |
| Monitoring | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6 | Microsoft Managed Control 1414 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0) | |
| Regulatory Compliance | b23bd715-5d1c-4e5c-9759-9cbdf79ded9d | Microsoft Managed Control 1091 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 0a2119c1-f068-4bfe-9f03-db94317e8db9 | Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | Fixed: audit |
2022-04-01 20:29:14
add: 0a2119c1-f068-4bfe-9f03-db94317e8db9 | |
| Regulatory Compliance | 5f18c885-ade3-48c5-80b1-8f9216019c18 | Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | ef080e67-0d1a-4f76-a0c5-fb9b0358485e | Microsoft Managed Control 1089 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2d045bca-a0fd-452e-9f41-4ec33769717c | Microsoft Managed Control 1068 - Wireless Access Restrictions | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 855ced56-417b-4d74-9d5f-dd1bc81e22d6 | Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party... | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-04-01 20:29:14
change: Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) |
| Regulatory Compliance | e12494fa-b81e-4080-af71-7dbacc2da0ec | Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af | Microsoft Managed Control 1813 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af | |
| Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.0 > 2.1.0) | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify Allowed: (Modify, Disabled) | Virtual Machine Contributor Managed Identity Contributor Managed Identity Operator |
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
| Regulatory Compliance | b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08 | Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 74520428-3aa8-449c-938d-93f51940759e | Microsoft Managed Control 1739 - Information System Inventory | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 74520428-3aa8-449c-938d-93f51940759e | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0) |
| Regulatory Compliance | d461dd50-c8fb-4ccb-93bf-61f53b44e54d | Microsoft Managed Control 1742 - Critical Infrastructure Plan | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: d461dd50-c8fb-4ccb-93bf-61f53b44e54d | |
| Regulatory Compliance | b6a8eae8-9854-495a-ac82-d2cd3eac02a6 | Microsoft Managed Control 1568 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 1f01608c-5f35-492d-8763-8edf0080cc38 | Microsoft Managed Control 1738 - Plan Of Action And Milestones Process | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 1f01608c-5f35-492d-8763-8edf0080cc38 | |
| Regulatory Compliance | 12718e41-af09-43b9-b6e4-7caae73b410b | Microsoft Managed Control 1754 - Testing, Training, And Monitoring | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 12718e41-af09-43b9-b6e4-7caae73b410b | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0) |
| Regulatory Compliance | a4eb2ba5-62b5-4524-83f0-7e05896edc76 | Microsoft Managed Control 1824 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: a4eb2ba5-62b5-4524-83f0-7e05896edc76 | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | af2a93c8-e6dd-4c94-acdd-4a2eedfc478e | Microsoft Managed Control 1710 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | b92ae63b-4411-48ba-b5c9-5bcaef5f8d02 | Microsoft Managed Control 1841 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: b92ae63b-4411-48ba-b5c9-5bcaef5f8d02 | |
| Regulatory Compliance | 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0 | Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 32d58eb6-4c76-4881-87ce-522b0e787bd0 | Microsoft Managed Control 1735 - Information Security Resources | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 32d58eb6-4c76-4881-87ce-522b0e787bd0 | |
| Regulatory Compliance | 0b1aa965-7502-41f9-92be-3e2fe7cc392a | Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2 | Microsoft Managed Control 1804 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2 | |
| Regulatory Compliance | 2bfea08c-2567-4f29-aad7-0f238ce655ea | Microsoft Managed Control 1758 - Threat Awareness Program | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 2bfea08c-2567-4f29-aad7-0f238ce655ea | |
| Regulatory Compliance | cceea882-9d83-4ca6-b30e-6a7b381a8e6a | Microsoft Managed Control 1866 - Dissemination of Privacy Program Information | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: cceea882-9d83-4ca6-b30e-6a7b381a8e6a | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0) | |
| Regulatory Compliance | 66a56404-7b65-4e33-b371-28d069172dd4 | Microsoft Managed Control 1743 - Risk Management Strategy | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 66a56404-7b65-4e33-b371-28d069172dd4 | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0) | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview) | |
| Regulatory Compliance | 8a29d47b-8604-4667-84ef-90d203fcb305 | Microsoft Managed Control 1092 - Security Awareness | Insider Threat | Microsoft implements this Awareness and Training control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0) | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Regulatory Compliance | c6c43097-8552-4279-8b38-7dcabff781d3 | Microsoft Managed Control 1819 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: c6c43097-8552-4279-8b38-7dcabff781d3 | |
| Regulatory Compliance | 5c5e54f6-0127-44d0-8b61-f31dc8dd6190 | Microsoft Managed Control 1067 - Wireless Access Restrictions | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0) | |
| Regulatory Compliance | 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25 | Microsoft Managed Control 1845 - Consent | Mechanisms Supporting Itemized or Tiered Consent | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25 | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0) | |
| Regulatory Compliance | 025992d6-7fee-4137-9bbf-2ffc39c0686c | Microsoft Managed Control 1709 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 71c6c2b1-78c8-4e84-9d05-9bd4db116cba | Microsoft Managed Control 1858 - Privacy Notice | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: 71c6c2b1-78c8-4e84-9d05-9bd4db116cba | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0) | |
| Regulatory Compliance | 7c6de11b-5f51-4f7c-8d83-d2467c8a816e | Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 898d4fe8-f743-4333-86b7-0c9245d93e7d | Microsoft Managed Control 1411 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor, suffix remains equal (6.1.3-deprecated > 6.2.0-deprecated) | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
change: Patch (1.1.0 > 1.1.1) |
| Regulatory Compliance | 6bfe6405-805c-4c9b-a9d3-f209237bb95d | Microsoft Managed Control 1802 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 6bfe6405-805c-4c9b-a9d3-f209237bb95d | |
| Regulatory Compliance | e4df5fb7-58e9-41de-9399-f043c7a931f8 | Microsoft Managed Control 1740 - Information Security Measures Of Performance | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: e4df5fb7-58e9-41de-9399-f043c7a931f8 | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (7.0.4 > 7.1.0) | |
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 76f500cc-4bca-4583-bda1-6d084dc21086 | Microsoft Managed Control 1508 - Position Categorization | Microsoft implements this Personnel Security control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 131a2706-61e9-4916-a164-00e052056462 | Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials... | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.1.0 > 3.2.0) | |
| Regulatory Compliance | 76ba3061-b78b-48a5-aab8-43f5ae02898d | Microsoft Managed Control 1847 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 76ba3061-b78b-48a5-aab8-43f5ae02898d | |
| Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 66632c7c-d0b3-4945-a8ae-e5c62cbea386 | Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 66632c7c-d0b3-4945-a8ae-e5c62cbea386 | |
| Regulatory Compliance | 38dfd8a3-5290-4099-88b7-4081f4c4d8ae | Microsoft Managed Control 1416 - Remote Maintenance | Document Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 33cfabfd-49ce-432b-b988-aff483ca3897 | Microsoft Managed Control 1871 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed: audit |
2022-04-01 20:29:14
add: 33cfabfd-49ce-432b-b988-aff483ca3897 | |
| Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, Disabled) | Network Contributor |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) |
| Monitoring | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 2ef3cc79-733e-48ed-ab6f-7bf439e9b406 | Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 0c92e78e-4667-44f1-8b1d-bbc784b66950 | Microsoft Managed Control 1755 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 0c92e78e-4667-44f1-8b1d-bbc784b66950 | |
| Regulatory Compliance | 05f5163b-bd90-49eb-8b6e-c1044d0b170a | Microsoft Managed Control 1752 - Information Security Workforce | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 05f5163b-bd90-49eb-8b6e-c1044d0b170a | |
| Regulatory Compliance | dd469ae0-71a8-4adc-aafc-de6949ca3339 | Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | baff1279-05e0-4463-9a70-8ba5de4c7aa4 | Microsoft Managed Control 1726 - Information Output Handling And Retention | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 0dced7ab-9ce5-4137-93aa-14c13e06ab17 | Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 44e543aa-41db-42aa-98eb-8a5eb1db53f0 | Microsoft Managed Control 1712 - Software & Information Integrity | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | f7161f06-5260-4f0f-aeae-4bbfb8612a10 | Microsoft Managed Control 1812 - Privacy Monitoring And Auditing | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: f7161f06-5260-4f0f-aeae-4bbfb8612a10 | |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-01 20:29:14
change: Major (1.0.0 > 2.0.0) | |
| Regulatory Compliance | 2d5600ed-575a-4723-9ff4-52d694be0a59 | Microsoft Managed Control 1856 - Privacy Incident Response | Microsoft implements this Security control | Fixed: audit |
2022-04-01 20:29:14
add: 2d5600ed-575a-4723-9ff4-52d694be0a59 | |
| Regulatory Compliance | 65c11daf-e754-406e-8d7b-f337dbd46a4f | Microsoft Managed Control 1800 - Authority to Collect | Microsoft implements this Authority and Purpose control | Fixed: audit |
2022-04-01 20:29:14
add: 65c11daf-e754-406e-8d7b-f337dbd46a4f | |
| Regulatory Compliance | 6519d7f3-e8a2-4ff3-a935-9a9497152ad7 | Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0) | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor |
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0) |
| Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
add: 59c3d93f-900b-4827-a8bd-562e7b956e7c |
| Regulatory Compliance | 956b00aa-7977-4214-a0f5-e0428c1f9bff | Microsoft Managed Control 1806 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 956b00aa-7977-4214-a0f5-e0428c1f9bff | |
| Regulatory Compliance | d2fc426a-4b67-464b-87c9-2134b8762ddf | Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: d2fc426a-4b67-464b-87c9-2134b8762ddf | |
| Regulatory Compliance | 28e633fd-284e-4ea7-88b4-02ca157ed713 | Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | dce72873-c5f1-47c3-9b4f-6b8207fd5a45 | Microsoft Managed Control 1439 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 4e26f8c3-4bf3-4191-b8fc-d888805101b7 | Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | aac17c36-2ac1-417f-ba74-6305f2ce6ad5 | Microsoft Managed Control 1859 - Privacy Notice | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: aac17c36-2ac1-417f-ba74-6305f2ce6ad5 | |
| Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 70792197-9bfc-4813-905a-bd33993e327f | Microsoft Managed Control 1509 - Position Categorization | Microsoft implements this Personnel Security control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2fb740e5-cbc7-4d10-8686-d1bf826652b1 | Microsoft Managed Control 1090 - Security Awareness | Microsoft implements this Awareness and Training control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | b07c9b24-729e-4e85-95fc-f224d2d08a80 | Microsoft Managed Control 1429 - Media Labeling | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | fd4a2ac8-868a-4702-a345-6c896c3361ce | Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 88ae1753-f34c-47c3-96af-dccb4ac052eb | Microsoft Managed Control 1830 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 88ae1753-f34c-47c3-96af-dccb4ac052eb | |
| Regulatory Compliance | 4c6df994-1810-44c9-bd35-3280397cf9a6 | Microsoft Managed Control 1868 - Internal Use | Microsoft implements this Use Limitation control | Fixed: audit |
2022-04-01 20:29:14
add: 4c6df994-1810-44c9-bd35-3280397cf9a6 | |
| Regulatory Compliance | e17a106b-cf45-431e-89dc-da71e161c40c | Microsoft Managed Control 1801 - Purpose Specification | Microsoft implements this Authority and Purpose control | Fixed: audit |
2022-04-01 20:29:14
add: e17a106b-cf45-431e-89dc-da71e161c40c | |
| Regulatory Compliance | b2c2d6ed-bed8-419f-a8b7-59d736573acd | Microsoft Managed Control 1863 - System of Records Notices And Privacy Act Statements | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: b2c2d6ed-bed8-419f-a8b7-59d736573acd | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | 7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6 | Microsoft Managed Control 1807 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6 | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor, suffix remains equal (4.0.2-deprecated > 4.1.0-deprecated) | |
| Regulatory Compliance | 3bd6a378-4173-411d-a958-dc699b0ee2fd | Microsoft Managed Control 1737 - Plan Of Action And Milestones Process | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 3bd6a378-4173-411d-a958-dc699b0ee2fd | |
| Regulatory Compliance | 5fd9ced5-18e8-4c09-91b7-3725680f8ade | Microsoft Managed Control 1734 - Information Security Resources | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 5fd9ced5-18e8-4c09-91b7-3725680f8ade | |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | b083a535-a66a-41ec-ba7f-f9498bf67cde | Microsoft Managed Control 1711 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | d922484a-8cfc-4a6b-95a4-77d6a685407f | Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126 | Microsoft Managed Control 1751 - Insider Threat Program | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126 | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0) | |
| Regulatory Compliance | 7a1e2c88-13de-4959-8ee7-47e3d74f1f48 | Microsoft Managed Control 1708 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.1 > 1.1.0) | |
| Regulatory Compliance | fc933d22-04df-48ed-8f87-22a3773d4309 | Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 45b7b644-5f91-498e-9d89-7402532d3645 | Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 5b61f773-2042-46a8-b489-106d850d6d4e | Microsoft Managed Control 1814 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 5b61f773-2042-46a8-b489-106d850d6d4e | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) | |
| Regulatory Compliance | aeedddb6-6bc0-42d5-809b-80048033419d | Microsoft Managed Control 1413 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2fd50ffd-c983-4fab-862c-678b95bfaf5a | Microsoft Managed Control 1832 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 2fd50ffd-c983-4fab-862c-678b95bfaf5a | |
| Regulatory Compliance | 2234feec-08c6-4fc9-af78-df0dcc482efd | Microsoft Managed Control 1860 - Privacy Notice | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: 2234feec-08c6-4fc9-af78-df0dcc482efd | |
| Regulatory Compliance | 4c25cbd0-8776-412f-8466-5993e38ce602 | Microsoft Managed Control 1838 - Minimization of PII Used in Testing, Training, And Research | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 4c25cbd0-8776-412f-8466-5993e38ce602 | |
| Regulatory Compliance | fb845c34-808d-4c17-a0ce-85a530e9164b | Microsoft Managed Control 1857 - Privacy Incident Response | Microsoft implements this Security control | Fixed: audit |
2022-04-01 20:29:14
add: fb845c34-808d-4c17-a0ce-85a530e9164b | |
| Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, Disabled) | Network Contributor |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) |
| Regulatory Compliance | c055ec23-c9d1-4718-be96-433aa8108516 | Microsoft Managed Control 1826 - Data Quality | Re-Validate PII | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: c055ec23-c9d1-4718-be96-433aa8108516 | |
| Regulatory Compliance | 8e903bb7-00e9-4255-a881-500742a2dbaa | Microsoft Managed Control 1843 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 8e903bb7-00e9-4255-a881-500742a2dbaa | |
| Regulatory Compliance | 38512b01-6a68-45d6-bb97-189a9a0fbe5e | Microsoft Managed Control 1849 - Individual Access | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 38512b01-6a68-45d6-bb97-189a9a0fbe5e | |
| Regulatory Compliance | 4f8e271b-dfea-47e9-b81e-5519bae0b120 | Microsoft Managed Control 1852 - Compliant Management | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 4f8e271b-dfea-47e9-b81e-5519bae0b120 | |
| Regulatory Compliance | 1a437f5b-9ad6-4f28-8861-de404d511ae4 | Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b | Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.3 > 4.1.0) | |
| Regulatory Compliance | a7fcf38d-bb09-4600-be7d-825046eb162a | Microsoft Managed Control 1570 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (5.0.0 > 5.1.0) | |
| Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Regulatory Compliance | 4f26049b-2c5a-4841-9ff3-d48a26aae475 | Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 09828c65-e323-422b-9774-9d5c646124da | Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 0f935dab-83d6-47b8-85ef-68b8584161b9 | Microsoft Managed Control 1574 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Regulatory Compliance | 99efece4-6828-42a4-9577-ff06bc1c4bf4 | Microsoft Managed Control 1839 - Minimization of PII Used in Testing, Training, And Research | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 99efece4-6828-42a4-9577-ff06bc1c4bf4 | |
| Regulatory Compliance | d78966ce-05c7-4967-829d-9a414ea2bc92 | Microsoft Managed Control 1842 - Consent | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: d78966ce-05c7-4967-829d-9a414ea2bc92 | |
| Regulatory Compliance | 56a838e0-0a5d-49a8-ab74-bf6be81b32f5 | Microsoft Managed Control 1835 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 56a838e0-0a5d-49a8-ab74-bf6be81b32f5 | |
| Regulatory Compliance | 93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41 | Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 79da5b09-0e7e-499e-adda-141b069c7998 | Microsoft Managed Control 1510 - Position Categorization | Microsoft implements this Personnel Security control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 238cef2f-9f76-41fa-be5e-0899a7aad0d8 | Microsoft Managed Control 1821 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 238cef2f-9f76-41fa-be5e-0899a7aad0d8 | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0) | |
| Regulatory Compliance | d5f959a0-1808-4ebd-9a13-79237246f96f | Microsoft Managed Control 1861 - Privacy Notice | Real-Time or Layered Notice | Microsoft implements this Transparency control | Fixed: audit |
2022-04-01 20:29:14
add: d5f959a0-1808-4ebd-9a13-79237246f96f | |
| Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2022-04-01 20:29:14
add: 1b708b0a-3380-40e9-8b79-821f9fa224cc |
| Regulatory Compliance | 395736bb-aa8b-45f0-b9cc-06af26b2b1d4 | Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 395736bb-aa8b-45f0-b9cc-06af26b2b1d4 | |
| Regulatory Compliance | 3492d949-0dbb-4589-88b3-7b59601cc764 | Microsoft Managed Control 1412 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.2 > 4.1.0) | |
| Regulatory Compliance | 1ca29e41-34ec-4e70-aba9-6248aca18c31 | Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-04-01 20:29:14
change: Major (1.0.0 > 2.0.0) | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.2 > 1.1.0) | |
| Regulatory Compliance | 18573dd5-899f-453d-b069-fa77b61fe257 | Microsoft Managed Control 1870 - Information Sharing with Third Parties | Microsoft implements this Use Limitation control | Fixed: audit |
2022-04-01 20:29:14
add: 18573dd5-899f-453d-b069-fa77b61fe257 | |
| Regulatory Compliance | cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff | Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | f5a44e7d-77a2-474e-b2e3-4e8c42ba514b | Microsoft Managed Control 1729 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: f5a44e7d-77a2-474e-b2e3-4e8c42ba514b | |
| Regulatory Compliance | f475ee0e-f560-4c9b-876b-04a77460a404 | Microsoft Managed Control 1706 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c | Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 05a32666-d134-4842-a8cb-5c299f4bc099 | Microsoft Managed Control 1728 - Incident Handling | Microsoft implements this Incident Response control | Fixed: audit |
2022-04-01 20:29:14
add: 05a32666-d134-4842-a8cb-5c299f4bc099 | |
| Kubernetes | 89f2d532-c53c-4f8f-9afa-4927b1114a0d | Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Default: Audit Allowed: (Audit, Disabled) |
2022-04-01 20:29:14
add: 89f2d532-c53c-4f8f-9afa-4927b1114a0d | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.1 > 2.1.0) | |
| Regulatory Compliance | 3cb4787b-2c91-4aca-bf5a-577e99411c8a | Microsoft Managed Control 1825 - Data Quality | Validate PII | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 3cb4787b-2c91-4aca-bf5a-577e99411c8a | |
| Regulatory Compliance | 4152937a-1a44-401a-a179-04b44ea15f4c | Microsoft Managed Control 1733 - Senior Information Security Officer | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 4152937a-1a44-401a-a179-04b44ea15f4c | |
| Regulatory Compliance | 0d87c70b-5012-48e9-994b-e70dd4b8def0 | Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 1fa50212-51a9-471b-95cf-3a23410ec9e9 | Microsoft Managed Control 1730 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 1fa50212-51a9-471b-95cf-3a23410ec9e9 | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (6.0.1 > 6.1.0) | |
| Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor |
2022-04-01 20:29:14
add: b025cfb4-3702-47c2-9110-87fe0cfcc99b |
| Regulatory Compliance | f3739612-c86c-4b2e-bbe6-0d0869aec19c | Microsoft Managed Control 1803 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: f3739612-c86c-4b2e-bbe6-0d0869aec19c | |
| Regulatory Compliance | 71280b2a-8c2f-4480-b933-686c0987cfbb | Microsoft Managed Control 1851 - Redress | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 71280b2a-8c2f-4480-b933-686c0987cfbb | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (6.1.2 > 6.2.0) | |
| Regulatory Compliance | 58f477bf-287b-43ef-ab49-dffde92130a0 | Microsoft Managed Control 1816 - Privacy Reporting | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 58f477bf-287b-43ef-ab49-dffde92130a0 | |
| Regulatory Compliance | 99deec7d-5526-472e-b07c-3645a792026a | Microsoft Managed Control 1300 - User Identification And Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 5bef3414-50bc-4fc0-b3db-372bb8fe0796 | Microsoft Managed Control 1836 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 5bef3414-50bc-4fc0-b3db-372bb8fe0796 | |
| Regulatory Compliance | 881299bf-2a5b-4686-a1b2-321d33679953 | Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify | Microsoft implements this Media Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 12a4a4dd-6c65-4900-9d7e-63fed5da791e | Microsoft Managed Control 1834 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 12a4a4dd-6c65-4900-9d7e-63fed5da791e | |
| Regulatory Compliance | 804faf7d-b687-40f7-9f74-79e28adf4205 | Microsoft Managed Control 1703 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2d44b6fa-1134-4ea6-ad4e-9edb68f65429 | Microsoft Managed Control 1704 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757 | Microsoft Managed Control 1746 - Security Authorization Process | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757 | |
| Regulatory Compliance | 86cd0591-5076-4447-aeff-2557def90353 | Microsoft Managed Control 1827 - Data Integrity And Data Integrity Board | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 86cd0591-5076-4447-aeff-2557def90353 | |
| Regulatory Compliance | 59a7116d-19fd-49e9-a068-dec4460b97e5 | Microsoft Managed Control 1731 - Information Security Program Plan | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 59a7116d-19fd-49e9-a068-dec4460b97e5 | |
| Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Network Contributor Contributor |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) |
| Regulatory Compliance | 81817e1c-5347-48dd-965a-40159d008229 | Microsoft Managed Control 1308 - User Identification And Authentication | Remote Access - Separate Device | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 61a1dd98-b259-4840-abd5-fbba7ee0da83 | Microsoft Managed Control 1415 - Remote Maintenance | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 3a09e314-dca7-4a19-b3b4-14abd6305043 | Microsoft Managed Control 1753 - Testing, Training, And Monitoring | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 3a09e314-dca7-4a19-b3b4-14abd6305043 | |
| Regulatory Compliance | d77fd943-6ba6-4a21-ba07-22b03e347cc4 | Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 6b04f815-52d7-4ff6-94bf-a4f22c07d5ae | Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 6b04f815-52d7-4ff6-94bf-a4f22c07d5ae | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (5.0.0 > 5.1.0) | |
| Regulatory Compliance | 106618ad-fe3e-49b4-bfef-01009f6770d8 | Microsoft Managed Control 1820 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 106618ad-fe3e-49b4-bfef-01009f6770d8 | |
| Regulatory Compliance | 4f3b7f51-9620-4c71-b887-48a6838c68b8 | Microsoft Managed Control 1748 - Security Authorization Process | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 4f3b7f51-9620-4c71-b887-48a6838c68b8 | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0) | |
| Regulatory Compliance | 58c93053-7b98-4cf0-b99f-1beb985416c2 | Microsoft Managed Control 1573 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 6fc8115b-2008-441f-8c61-9b722c1e537f | Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | Default: Audit Allowed: (deny, Deny, audit, Audit, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-04-01 20:29:14
change: Patch, suffix remains equal (3.0.2-preview > 3.0.3-preview) |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (3.0.2 > 3.1.0) | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (7.0.1 > 7.1.0) | |
| Regulatory Compliance | 17641f70-94cd-4a5d-a613-3d1143e20e34 | Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 4edd8330-da6b-4f1e-b996-e064d8b92cb7 | Microsoft Managed Control 1833 - Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 4edd8330-da6b-4f1e-b996-e064d8b92cb7 | |
| Regulatory Compliance | 791cfc15-6974-42a0-9f4c-2d4b82f4a78c | Microsoft Managed Control 1647 - Use of Cryptography | Microsoft implements this System and Communications Protection control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 9834600a-668a-482c-9310-a89861b29e06 | Microsoft Managed Control 1805 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 9834600a-668a-482c-9310-a89861b29e06 | |
| Regulatory Compliance | 20ea0798-d19e-4925-afd0-53d583815818 | Microsoft Managed Control 1815 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: 20ea0798-d19e-4925-afd0-53d583815818 | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (4.0.1 > 4.1.0) | |
| Regulatory Compliance | 84e622c8-4bed-417c-84c6-b2fb0dd73682 | Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf | Microsoft Managed Control 1822 - Data Quality | Microsoft implements this Data Quality and Integrity control | Fixed: audit |
2022-04-01 20:29:14
add: 8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf | |
| Regulatory Compliance | 6f29a2f0-ca59-4bdc-97a7-a8d593b60108 | Microsoft Managed Control 1853 - Compliant Management | Response Times | Microsoft implements this Individual Participation and Redress control | Fixed: audit |
2022-04-01 20:29:14
add: 6f29a2f0-ca59-4bdc-97a7-a8d593b60108 | |
| Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
add: ae8a10e6-19d6-44a3-a02d-a2bdfc707742 |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (2.0.2 > 2.1.0) | |
| Regulatory Compliance | f355d62b-39a8-4ba3-abf7-90f71cb3b000 | Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-04-01 20:29:14
change: Minor (6.0.0 > 6.1.0) |
| Regulatory Compliance | 1c0b3710-03dc-450a-a56a-77b85e744f0d | Microsoft Managed Control 1749 - Mission/Business Process Definition | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 1c0b3710-03dc-450a-a56a-77b85e744f0d | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-04-01 20:29:14
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
change: Major (2.0.0 > 3.0.0) |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
change: Major (3.0.0 > 4.0.0) |
| Regulatory Compliance | 6c657baf-0693-455a-8bb2-7b4bdf79fd0e | Microsoft Managed Control 1757 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 6c657baf-0693-455a-8bb2-7b4bdf79fd0e | |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-04-01 20:29:14
change: Minor (1.0.0 > 1.1.0) | |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) |
| Regulatory Compliance | 3815d34a-187d-4f30-a9fa-5ac464e3465d | Microsoft Managed Control 1736 - Information Security Resources | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: 3815d34a-187d-4f30-a9fa-5ac464e3465d | |
| Regulatory Compliance | cd6120c1-d069-416d-9753-fbe84bca4b01 | Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | Fixed: audit |
2022-04-01 20:29:14
add: cd6120c1-d069-416d-9753-fbe84bca4b01 | |
| Regulatory Compliance | f82e3639-fa2b-4e06-a786-932d8379b972 | Microsoft Managed Control 1705 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Regulatory Compliance | 51d53eb3-6c02-4f3f-a608-a058af96fa6a | Microsoft Managed Control 1831 - Minimization of Personally Identifiable Information | Microsoft implements this Data Minimization and Retention control | Fixed: audit |
2022-04-01 20:29:14
add: 51d53eb3-6c02-4f3f-a608-a058af96fa6a | |
| Regulatory Compliance | d4de5955-e00f-414d-9c16-f569c6a99c10 | Microsoft Managed Control 1756 - Contacts With Security Groups And Associations | Microsoft implements this Program Management control | Fixed: audit |
2022-04-01 20:29:14
add: d4de5955-e00f-414d-9c16-f569c6a99c10 | |
| Regulatory Compliance | b6747bf9-2b97-45b8-b162-3c8becb9937d | Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection | Microsoft implements this Maintenance control | Fixed: audit |
2022-04-01 20:29:14
change: Patch (1.0.0 > 1.0.1) | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0) | |
| CDN | daba2cce-8326-4af3-b049-81a362da024d | Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service | Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. | Default: Audit Allowed: (Audit, Disabled) |
2022-03-25 18:52:24
add: daba2cce-8326-4af3-b049-81a362da024d | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-03-25 18:52:24
change: Minor (2.0.0 > 2.1.0) |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-03-25 18:52:24
change: Minor (2.0.0 > 2.1.0) |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-03-25 18:52:24
change: Patch, suffix remains equal (3.0.1-preview > 3.0.2-preview) |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-25 18:52:24
change: Major (2.0.0 > 3.0.0) | |
| CDN | dfc212af-17ea-423a-9dcb-91e2cb2caa6b | Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link | Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-03-25 18:52:24
add: dfc212af-17ea-423a-9dcb-91e2cb2caa6b | |
| CDN | 679da822-78a7-4eff-8fff-a899454a9970 | Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-03-25 18:52:24
add: 679da822-78a7-4eff-8fff-a899454a9970 | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2022-03-25 18:52:24
change: Minor (2.0.1 > 2.1.1) |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2022-03-25 18:52:24
change: Minor (2.0.1 > 2.1.1) |
| Storage | 06695360-db88-47f6-b976-7500d4297475 | Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Private DNS Zone Contributor Network Contributor |
2022-03-18 17:53:47
change: Minor (1.0.0 > 1.1.0) |
| Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Azure Active Directory integration | AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default: Audit Allowed: (Audit, Disabled) |
2022-03-18 17:53:47
add: 450d2877-ebea-41e8-b00c-e286317d21bf | |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-18 17:53:47
change: Minor (2.0.1 > 2.1.0) |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-03-18 17:53:47
change: Major, suffix remains equal (2.0.0-preview > 3.0.1-preview) |
| Update Management Center | ba0df93e-e4ac-479a-aac2-134bbae39a1a | [Preview]: Schedule recurring updates using Update Management Center | You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-03-18 17:53:47
add: ba0df93e-e4ac-479a-aac2-134bbae39a1a |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2022-03-18 17:53:47
change: Major (1.3.0 > 2.0.0) |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-03-18 17:53:47
change: Major (3.0.0 > 4.0.0) |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-18 17:53:47
change: Minor (1.0.1 > 1.1.0) |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-18 17:53:47
change: Minor (1.0.1 > 1.1.0) |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2022-03-18 17:53:47
change: Major (2.0.0 > 3.0.0) |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2022-03-18 17:53:47
change: Major (1.3.0 > 2.0.0) |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-03-18 17:53:47
change: Major (3.0.0 > 4.0.0) |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule | Deploy Association to link Windows Arc machines to specified Data Collection Rule. The list of locations are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| Security Center | 82bf5b87-728b-4a74-ba4d-6123845cf542 | Configure Microsoft Defender for Azure Cosmos DB to be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2022-03-11 18:16:48
add: 82bf5b87-728b-4a74-ba4d-6123845cf542 |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-03-11 18:16:48
change: Major (4.0.2 > 5.0.0) | |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should be running TLS version 1.2 or newer | Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2022-03-11 18:16:48
change: Major (1.0.1 > 2.0.0) | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-03-11 18:16:48
change: Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) | |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Connected Machine Resource Administrator |
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0) |
| Backup | 8015d6ed-3641-4534-8d0b-5c67b67ff7de | [Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2022-03-11 18:16:48
add: 8015d6ed-3641-4534-8d0b-5c67b67ff7de |
| Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-03-11 18:16:48
add: 9a5f4e39-e427-4d5d-ae73-93db00328bec | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (2.0.0 > 2.0.1) |
| SQL | 25da7dfb-0666-4a15-a8f5-402127efd8bb | Configure SQL servers to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor SQL Security Manager |
2022-03-11 18:16:48
add: 25da7dfb-0666-4a15-a8f5-402127efd8bb |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule | Deploy Association to link Linux Arc machines to specified Data Collection Rule. The list of locations are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) |
| Security Center | adbe85b5-83e6-4350-ab58-bf3a4f736e5e | Microsoft Defender for Azure Cosmos DB should be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-11 18:16:48
add: adbe85b5-83e6-4350-ab58-bf3a4f736e5e | |
| Synapse | 32ba8d30-07c0-4136-ab18-9a11bf4a67b7 | Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Owner |
2022-03-11 18:16:48
add: 32ba8d30-07c0-4136-ab18-9a11bf4a67b7 |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0) |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-03-11 18:16:48
change: Major (5.0.2 > 6.0.0) | |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-03-11 18:16:48
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Connected Machine Resource Administrator |
2022-03-11 18:16:48
change: Major (1.0.0 > 2.0.0) |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) |
2022-03-11 18:16:48
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-03-11 18:16:48
change: Major (4.0.2 > 5.0.0) | |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Major (3.0.0 > 4.0.0) |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-03-11 18:16:48
change: Patch (3.0.0 > 3.0.1) |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows Server, the latter should have SQL Server extension installed and the server's managed identity should be configured with Azure Connected SQL Server Onboarding role | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor User Access Administrator |
2022-02-18 17:44:00
change: Minor (2.0.0 > 2.1.0) |
| Security Center | d30025d0-6d64-656d-6465-67688881b632 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-02-18 17:44:00
add: d30025d0-6d64-656d-6465-67688881b632 |
| Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 |
| Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: 050a90d5-7cce-483f-8f6c-0df462036dda |
| Storage | f0e5abd0-2554-4736-b7c0-4ffef23475ef | Queue Storage should use customer-managed key for encryption | Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-18 17:44:00
add: f0e5abd0-2554-4736-b7c0-4ffef23475ef | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) |
| Storage | 7c322315-e26d-4174-a99e-f49d351b4688 | Table Storage should use customer-managed key for encryption | Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-18 17:44:00
add: 7c322315-e26d-4174-a99e-f49d351b4688 | |
| Security Center | 1ec9c2c2-6d64-656d-6465-3ec3309b8579 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-02-18 17:44:00
add: 1ec9c2c2-6d64-656d-6465-3ec3309b8579 |
| Stream Analytics | fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | Stream Analytics job should connect to trusted inputs and outputs | Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. | Default: Audit Allowed: (Deny, Disabled, Audit) |
2022-02-18 17:44:00
change: Minor (1.0.0 > 1.1.0) | |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed: auditIfNotExists |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: 244efd75-0d92-453c-b9a3-7d73ca36ed52 |
| Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule | Deploy Association to link Linux Arc machines to specified Data Collection Rule. The list of locations are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: d5c37ce1-5f52-4523-b949-f19bf945b73a |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0) | |
| Security Center | 37c043a6-6d64-656d-6465-b362dfeb354a | [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines | Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-02-18 17:44:00
add: 37c043a6-6d64-656d-6465-b362dfeb354a |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-02-18 17:44:00
change: Minor (3.0.2 > 3.1.0) | |
| Security Center | 4eb909e7-6d64-656d-6465-2eeb297a1625 | [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines | Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-02-18 17:44:00
add: 4eb909e7-6d64-656d-6465-2eeb297a1625 |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access | Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-18 17:44:00
change: Minor (1.0.0 > 1.2.0) | |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists |
2022-02-18 17:44:00
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
change: Major (1.0.1 > 2.0.0) |
| Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Deprecated]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-02-18 17:44:00
change: Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) | |
| Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 |
| Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule | Deploy Association to link Windows Arc machines to specified Data Collection Rule. The list of locations are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-18 17:44:00
add: c24c537f-2516-4c2f-aac5-2cd26baa3d26 |
| SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0) | |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor |
2022-02-18 17:44:00
change: Major (1.0.0 > 2.0.0) |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2022-02-18 17:44:00
change: Major (3.0.0 > 4.0.0) |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0) |
| Container Registry | 79fdfe03-ffcb-4e55-b4d0-b925b8241759 | Configure container registries to disable local admin account. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-02-11 18:30:22
change: Patch (1.0.0 > 1.0.1) |
| Container Registry | 9f2dea28-e834-476c-99c5-3507b4728395 | Container registries should have anonymous authentication disabled. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: 9f2dea28-e834-476c-99c5-3507b4728395 | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-02-11 18:30:22
change: Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) |
| Security Center | aba46665-c3a7-4319-ace1-a0282deebac2 | [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-02-11 18:30:22
add: aba46665-c3a7-4319-ace1-a0282deebac2 |
| Storage | ddcf4b94-9dfa-4a80-aca6-22bb654fde72 | Azure NetApp Files SMB Volumes should use SMB3 encryption | Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: ddcf4b94-9dfa-4a80-aca6-22bb654fde72 | |
| Security Center | 30f52897-df47-4ca0-81a8-a3be3e8dd226 | [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-02-11 18:30:22
add: 30f52897-df47-4ca0-81a8-a3be3e8dd226 |
| Container Registry | cced2946-b08a-44fe-9fd9-e4ed8a779897 | Configure container registries to disable anonymous authentication. | Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-02-11 18:30:22
add: cced2946-b08a-44fe-9fd9-e4ed8a779897 |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0) |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0) |
| Storage | 7c6c7139-7d8e-45d0-9d94-72386a61308b | Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption | Only allow the use of Kerberos privacy (5p) security mode to ensure data is encrypted. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: 7c6c7139-7d8e-45d0-9d94-72386a61308b | |
| Storage | d558e1a6-296d-4fbb-81a5-ea25822639f6 | Azure NetApp Files Volumes should not use NFSv3 protocol type | Disallow the use of NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: d558e1a6-296d-4fbb-81a5-ea25822639f6 | |
| App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
change: Major (1.0.0 > 2.0.0) | |
| Security Center | 3b1a8e0a-b2e1-48be-9365-28be2fbef550 | [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-02-11 18:30:22
add: 3b1a8e0a-b2e1-48be-9365-28be2fbef550 |
| Storage | 16f4af95-96b1-4220-805a-367ca59cd72e | Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy | Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: 16f4af95-96b1-4220-805a-367ca59cd72e | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2022-02-11 18:30:22
change: Major (5.0.0 > 6.0.0) |
| Container Registry | dc921057-6b28-4fbe-9b83-f7bec05db6c2 | Container registries should have local admin account disabled. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
change: Patch (1.0.0 > 1.0.1) | |
| Container Registry | a9b426fe-8856-4945-8600-18c5dd1cca2a | Configure container registries to disable repository scoped access token. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2022-02-11 18:30:22
add: a9b426fe-8856-4945-8600-18c5dd1cca2a |
| Container Registry | ff05e24e-195c-447e-b322-5e90c9f9f366 | Container registries should have repository scoped access token disabled. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-11 18:30:22
add: ff05e24e-195c-447e-b322-5e90c9f9f366 | |
| Security Center | c9ae938d-3d6f-4466-b7c3-351761d9c890 | [Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-02-11 18:30:22
add: c9ae938d-3d6f-4466-b7c3-351761d9c890 |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-02-04 18:25:37
change: Major (2.0.1 > 3.0.0) |
| Security Center | 9c0aa188-e5fe-4569-8f74-b6e155624d9a | [Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-02-04 18:25:37
add: 9c0aa188-e5fe-4569-8f74-b6e155624d9a |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2022-02-04 18:25:37
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-02-04 18:25:37
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0) |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2022-02-04 18:25:37
change: Major, suffix remains equal (2.2.0-preview > 3.0.0-preview) |
| Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-04 18:25:37
add: b1a9997f-2883-4f12-bdff-2280f99b5915 | |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0) | |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default: Deny Allowed: (Deny, Disabled) |
2022-02-04 18:25:37
change: Major (1.0.1 > 2.0.0) | |
| Automanage | 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc | Hotpatch should be enabled for Windows Server Azure Edition VMs | Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-02-04 18:25:37
add: 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc | |
| Security Center | c15c5978-ab6e-4599-a1c3-90a7918f5371 | [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-02-04 18:25:37
add: c15c5978-ab6e-4599-a1c3-90a7918f5371 |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2022-02-04 18:25:37
change: Major (2.0.0 > 3.0.0) |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-02-04 18:25:37
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2022-02-04 18:25:37
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0) |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0) | |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.1 > 2.0.0) | |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0) |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-01-28 17:51:01
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | f79fef0d-0050-4c18-a303-5babb9c14ac7 | Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0) |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0) | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.1.1 > 2.0.0) | |
| Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.2.0 > 3.0.0) | |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0) | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.3.0 > 2.0.0) | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (3.0.0 > 4.0.0) | |
| Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-01-28 17:51:01
change: Patch (4.0.2 > 4.0.3) | |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.1.0 > 2.0.0) | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (3.1.0 > 4.0.0) | |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.1 > 2.0.0) | |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.2.0 > 2.0.0) | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2022-01-28 17:51:01
change: Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (1.0.0 > 2.0.0) | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (3.2.0 > 4.0.0) | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-28 17:51:01
change: Major (2.0.0 > 3.0.0) | |
| Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor |
2022-01-21 21:53:22
add: f889cab7-da27-4c41-a3b0-de1f6f87c550 |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-01-21 21:53:22
change: Patch (4.0.2 > 4.0.3) | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-01-21 21:53:22
change: Version remains equal, new suffix: version (4.1.0 > 4.1.0-version-deprecated) |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use the latest 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-21 21:53:22
change: Minor (2.1.0 > 2.2.0) | |
| General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | [Deprecated]: Custom subscription owner roles should not exist | This policy is deprecated. | Default: Audit Allowed: (Audit, Disabled) |
2022-01-21 21:53:22
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-01-21 21:53:22
change: Major (1.0.0 > 2.0.0) | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-01-14 17:44:09
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-01-14 17:44:09
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-01-14 17:44:09
change: Major (1.0.0 > 2.0.0) | |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2022-01-14 17:44:09
change: Major, suffix remains equal (3.1.0-preview > 4.0.0-preview) | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-01-07 18:14:35
change: Patch, new suffix: deprecated (6.1.2 > 6.1.3-deprecated) | |
| Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor |
2022-01-07 18:14:35
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Monitoring | bacd7fca-1938-443d-aad6-a786107b1bfb | [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-01-07 18:14:35
add: bacd7fca-1938-443d-aad6-a786107b1bfb |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting | Audit diagnostic setting for selected resource types | Fixed: AuditIfNotExists |
2022-01-07 18:14:35
change: Minor (1.0.0 > 1.1.0) | |
| Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2022-01-07 18:14:35
change: Major (1.0.0 > 2.0.0) | |
| Internet of Things | 27d4c5ec-8820-443f-91fe-1215e96f64b2 | Azure Device Update for IoT Hub accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
add: 27d4c5ec-8820-443f-91fe-1215e96f64b2 | |
| Azure Purview | 9259053b-ddb8-40ab-842a-0aef19d0ade4 | Azure Purview accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. | Default: Audit Allowed: (Audit, Disabled) |
2022-01-07 18:14:35
add: 9259053b-ddb8-40ab-842a-0aef19d0ade4 | |
| Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor |
2022-01-07 18:14:35
change: Major (1.0.0 > 2.0.0) |
| Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2022-01-07 18:14:35
add: 594c1276-f44f-482d-9910-71fac2ce5ae0 |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Container registry images should have vulnerability findings resolved | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Patch (2.0.0 > 2.0.1) | |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Patch (1.0.0 > 1.0.1) | |
| Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor |
2022-01-07 18:14:35
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-01-07 18:14:35
change: Patch (2.0.0 > 2.0.1) | |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | [Deprecated]: Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| Storage | bc1b984e-ddae-40cc-801a-050a030e4fbe | Storage accounts should have shared access signature (SAS) policies configured | Ensure storage accounts have shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in Azure Storage account. And SAS expiration policy recommend upper expiration limit when a user creates a SAS token. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2022-01-07 18:14:35
add: bc1b984e-ddae-40cc-801a-050a030e4fbe | |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Patch (1.0.1 > 1.0.2) | |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2022-01-07 18:14:35
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| Network | 5e1cd26a-5090-4fdb-9d6a-84a90335e22d | Configure network security groups to use specific workspace for traffic analytics | If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-12-10 17:29:56
change: Patch (1.0.0 > 1.0.1) |
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed: deployIfNotExists | Contributor |
2021-12-10 17:29:56
change: Patch (1.0.0 > 1.0.1) |
| Network | e920df7f-9a64-4066-9b58-52684c02a091 | Configure network security groups to enable traffic analytics | Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-12-10 17:29:56
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor |
2021-12-10 17:29:56
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor |
2021-12-10 17:29:56
change: Patch (1.0.0 > 1.0.1) |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
change: Major, old suffix: preview (1.0.0-preview > 2.0.0) | |
| Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Kubernetes Extension Contributor |
2021-12-06 22:17:57
add: 0adc5395-9169-4b9b-8687-af838d69410a |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (6.0.0 > 6.0.1) | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (2.1.0 > 2.2.0) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | |
| Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0) | |
| Video Analyzers | 165a4137-c3ed-4fd0-a17f-1c8a80266580 | Video Analyzer accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Video Analyzer accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/videoanalyzerscmkdocs. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
add: 165a4137-c3ed-4fd0-a17f-1c8a80266580 | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (5.0.1 > 5.0.2) | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0) |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | Configure Azure Defender for DNS to be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
add: 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (7.0.0 > 7.0.1) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (7.0.0 > 7.0.1) | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor (1.1.1 > 1.2.0) |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
change: Major (1.0.1 > 2.0.0) | |
| Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
add: 6b2122c1-8120-4ff5-801b-17625a355590 | |
| Security Center | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0) |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch, suffix remains equal (4.0.1-deprecated > 4.0.2-deprecated) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0) |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | [Deprecated]: Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (6.0.0 > 6.0.1) | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor |
2021-12-06 22:17:57
add: 615b01c4-d565-4f6f-8c6e-d130268e3a1a |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (2.0.1 > 2.0.2) | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (6.0.0 > 6.0.1) | |
| SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor |
2021-12-06 22:17:57
add: 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | [Deprecated]: Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (2.1.1 > 2.1.2) | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0) |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Security Center | c9ddb292-b203-4738-aead-18e2716e858f | Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
add: c9ddb292-b203-4738-aead-18e2716e858f |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (3.1.0 > 3.2.0) | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (6.1.1 > 6.1.2) | |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0) |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0) | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0) |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Monitoring | a499fed8-bcc8-4195-b154-641f14743757 | Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
add: a499fed8-bcc8-4195-b154-641f14743757 | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.2.0 > 1.3.0) | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2021-12-06 22:17:57
change: Major (2.0.0 > 3.0.0) |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-12-06 22:17:57
change: Major (4.0.0 > 5.0.0) |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0) | |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Azure Defender for Key Vaults to be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1) |
| Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
add: 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (3.0.0 > 3.1.0) | |
| App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2021-12-06 22:17:57
change: Minor (1.0.0 > 1.1.0) | |
| Monitoring | bec5db8e-c4e3-40f9-a545-e0bd00065c82 | Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-12-06 22:17:57
add: bec5db8e-c4e3-40f9-a545-e0bd00065c82 |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (2.0.1 > 2.1.0) | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.2 > 4.0.3) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0) | |
| Security Center | 133047bf-1369-41e3-a3be-74a11ed1395a | [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
| SQL | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-12-06 22:17:57
change: Major, old suffix: preview (1.0.0-preview > 2.0.0) | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Disabled) |
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1) | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Minor (1.1.0 > 1.2.0) | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (7.0.3 > 7.0.4) | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (6.1.1 > 6.1.2) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (4.0.1 > 4.0.2) | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | |
| SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest | This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated) | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed: deployIfNotExists | Monitoring Contributor Storage Account Contributor |
2021-12-06 22:17:57
change: Major (1.0.0 > 2.0.0) |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) | |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2021-12-06 22:17:57
add: 36a27de4-199b-40fb-b336-945a8475d6c5 |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2021-12-06 22:17:57
change: Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) |
| Security Center | d3d1e68e-49d4-4b56-acff-93cef644b432 | [Deprecated]: Configure Azure Defender for container registries to be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-12-06 22:17:57
change: Patch (3.0.1 > 3.0.2) | |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-12-06 22:17:57
change: Patch (1.0.0 > 1.0.1) |
| Security Center | a7f5e735-d212-4c32-9229-d12bffbc7e00 | [Preview]: ChangeTracking extension should be installed on your Windows Arc machine | Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: a7f5e735-d212-4c32-9229-d12bffbc7e00 | |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) | |
| Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | [Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
add: ec88097d-843f-4a92-8471-78016d337ba4 |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0) |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | [Preview]: Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4cd5 |
| Stream Analytics | fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | Stream Analytics job should connect to trusted inputs and outputs | Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. | Default: Audit Allowed: (Deny, Disabled, Audit) |
2021-11-12 16:23:07
add: fe8684d6-3c5b-45c0-a08b-fa92653c2e1c | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | [Preview]: Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-11-12 16:23:07
add: 10caed8a-652c-4d1d-84e4-2805b7c07278 |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0) |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major (2.0.0 > 3.0.0) | |
| Security Center | e71c1e29-9c76-4532-8c4b-cb0573b0014c | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: e71c1e29-9c76-4532-8c4b-cb0573b0014c | |
| Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | [Deprecated]: Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| Security Center | 8893442c-e7cb-4637-bab8-299a5d4ed96a | [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: 8893442c-e7cb-4637-bab8-299a5d4ed96a | |
| Media Services | 9285c3de-d5fd-4225-86d4-027894b0c442 | Azure Media Services should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-11-12 16:23:07
add: 9285c3de-d5fd-4225-86d4-027894b0c442 | |
| Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) | |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) | |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-11-12 16:23:07
change: Patch, new suffix: preview (1.0.0 > 1.0.1-preview) | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-11-12 16:23:07
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-11-12 16:23:07
change: Patch (7.0.2 > 7.0.3) | |
| Security Center | 95406fc3-1f69-47b0-8105-4c03b276ec5c | [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) |
| Security Center | fc47609f-4d9b-4aed-806b-446816cc63a3 | [Preview]: ChangeTracking extension should be installed on your Linux Arc machine | Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: fc47609f-4d9b-4aed-806b-446816cc63a3 | |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 5.0.0-preview) |
| Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | [Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
add: f08f556c-12ff-464d-a7de-40cb5b6cccec |
| Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. | Default: Audit Allowed: (Audit, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0) |
| Security Center | 221aac80-54d8-484b-83d7-24f4feac2ce0 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: 221aac80-54d8-484b-83d7-24f4feac2ce0 | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d2c | [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4d2c |
| Security Center | 1288c8d7-4b05-4e3a-bc88-9053caefc021 | [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
add: 1288c8d7-4b05-4e3a-bc88-9053caefc021 |
| Security Center | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Default: Audit Allowed: (Audit, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Security Center | e494853f-93c3-4e44-9210-d12f61a64b34 | [Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 7cb1b219-61c6-47e0-b80c-4472cadeeb5f | [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) |
2021-11-12 16:23:07
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Reader Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor Backup Contributor |
2021-11-12 16:23:07
change: Major (3.0.0 > 4.0.0) |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2021-11-12 16:23:07
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) | |
| Security Center | 4bb303db-d051-4099-95d2-e3e1428a4d00 | [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
add: 4bb303db-d051-4099-95d2-e3e1428a4d00 | |
| Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 6.0.0-preview) |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Reader Virtual Machine Contributor |
2021-11-12 16:23:07
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-25 16:02:14
change: Patch (7.0.1 > 7.0.2) | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-25 16:02:14
change: Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview) | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-22 15:42:38
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Security Center | 009259b0-12e8-42c9-94e7-7af86aa58d13 | [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Reader Virtual Machine Contributor |
2021-10-22 15:42:38
add: 009259b0-12e8-42c9-94e7-7af86aa58d13 |
| Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-22 15:42:38
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-22 15:42:38
add: 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-22 15:42:38
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) |
| Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-22 15:42:38
add: 3672e6f7-a74d-4763-b138-fcf332042f8f | |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-10-22 15:42:38
change: Major (1.0.1 > 2.0.0) |
| Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-22 15:42:38
add: c02729e5-e5e7-4458-97fa-2b5ad0661f28 | |
| Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Connected Machine Resource Administrator |
2021-10-22 15:42:38
add: 94f686d6-9a24-4e19-91f1-de937dc171a4 |
| Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-22 15:42:38
add: ec621e21-8b48-403d-a549-fc9023d4747f | |
| Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-22 15:42:38
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-22 15:42:38
change: Patch (2.0.2 > 2.0.3) | |
| Security Center | 496e010e-fa91-4c00-be4b-92b481f67b58 | [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Reader Virtual Machine Contributor |
2021-10-22 15:42:38
add: 496e010e-fa91-4c00-be4b-92b481f67b58 |
| Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-19 19:10:32
add: 56a3e4f8-649b-4fac-887e-5564d11e8d3a |
| Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-10-19 19:10:32
change: Patch (1.0.0 > 1.0.1) |
| Search | 6300012e-e9a4-4649-b41f-a85f5c43be91 | Azure Cognitive Search services should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-19 19:10:32
add: 6300012e-e9a4-4649-b41f-a85f5c43be91 | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify Allowed: (Modify, Disabled) | Virtual Machine Contributor Managed Identity Contributor Managed Identity Operator |
2021-10-19 19:10:32
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Connected Machine Resource Administrator |
2021-10-19 19:10:32
add: 845857af-0333-4c5d-bbbc-6076697da122 |
| Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-19 19:10:32
add: 32ade945-311e-4249-b8a4-a549924234d7 | |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-19 19:10:32
change: Version remains equal, old suffix: preview (1.0.1-preview > 1.0.1) | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-19 19:10:32
change: Patch (2.0.0 > 2.0.1) |
| Search | 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 | Configure Azure Cognitive Search services to disable local authentication | Disable local authentication methods so that your Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. | Default: Modify Allowed: (Modify, Disabled) | Search Service Contributor |
2021-10-19 19:10:32
add: 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 |
| Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-19 19:10:32
add: f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-19 19:10:32
change: Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0) | |
| Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-10-19 19:10:32
change: Major (1.0.0 > 2.0.0) |
| Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-19 19:10:32
add: 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | |
| Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | [Deprecated]: Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default: Audit Allowed: (Audit, Disabled) |
2021-10-19 19:10:32
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-10-19 19:10:32
change: Minor (1.0.0 > 1.1.0) |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Owner |
2021-10-08 15:47:40
change: Major (1.2.0 > 2.0.0) |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-10-08 15:47:40
change: Major (1.0.0 > 2.0.0) |
| Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-10-08 15:47:40
add: 55c4db33-97b0-437b-8469-c4f4498f5df9 |
| HDInsight | 2676090a-4baf-46ac-9085-4ac02cc50e3e | Configure Azure HDInsight clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-10-08 15:47:40
add: 2676090a-4baf-46ac-9085-4ac02cc50e3e |
| Azure Arc | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc Private Link Scopes should be configured with a private endpoint | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2021-10-08 15:47:40
add: 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-10-08 15:47:40
change: Patch (1.1.0 > 1.1.1) |
| Update Management Center | 59efceea-0c96-497e-a4a1-4eb2290dac15 | [Preview]: Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Virtual Machine Contributor |
2021-10-08 15:47:40
add: 59efceea-0c96-497e-a4a1-4eb2290dac15 |
| Update Management Center | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-08 15:47:40
add: bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | |
| Azure Arc | a3461c8c-6c9d-4e42-a644-40ba8a1abf49 | Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Modify Allowed: (Modify, Disabled) | Azure Connected Machine Resource Administrator |
2021-10-08 15:47:40
add: a3461c8c-6c9d-4e42-a644-40ba8a1abf49 |
| HDInsight | c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | Azure HDInsight should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-08 15:47:40
add: c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | |
| Security Center | 44433aa3-7ec2-4002-93ea-65c65ff0310a | Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-10-08 15:47:40
add: 44433aa3-7ec2-4002-93ea-65c65ff0310a |
| Azure Arc | 898f2439-3333-4713-af25-f1d78bc50556 | Azure Arc Private Link Scopes should disable public network access | Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-08 15:47:40
add: 898f2439-3333-4713-af25-f1d78bc50556 | |
| Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Fixed: deployIfNotExists | Contributor |
2021-10-08 15:47:40
change: Major (2.0.0 > 3.0.0) |
| Update Management Center | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | [Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Azure Connected Machine Resource Administrator |
2021-10-08 15:47:40
add: bfea026e-043f-4ff4-9d1b-bf301ca7ff46 |
| Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Azure Connected Machine Resource Administrator |
2021-10-08 15:47:40
add: d6eeba80-df61-4de5-8772-bc1b7852ba6b |
| HDInsight | 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 | Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-10-08 15:47:40
add: 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 |
| Azure Arc | efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-08 15:47:40
add: efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | |
| Azure Arc | de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 | Configure Azure Arc Private Link Scopes to disable public network access | Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. | Default: Modify Allowed: (Modify, Disabled) | Azure Connected Machine Resource Administrator |
2021-10-08 15:47:40
add: de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 |
| Machine Learning | 7804b5c7-01dc-4723-969b-ae300cc07ff1 | Audit Azure Machine Learning Compute Cluster and Instance is behind virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access.When am Azure Machine Learning Compute instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Disabled) |
2021-10-08 15:47:40
add: 7804b5c7-01dc-4723-969b-ae300cc07ff1 | |
| Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default: Modify Allowed: (Modify, Disabled) | Azure Event Hubs Data Owner |
2021-10-04 15:27:15
add: 57f35901-8389-40bb-ac49-3ba4f86d889d |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | |
| Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access | Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-04 15:27:15
add: 438c38d2-3772-465a-a9cc-7a6666a275ce | |
| Service Bus | cfb11c26-f069-4c14-8e36-56c394dae5af | Azure Service Bus namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-04 15:27:15
add: cfb11c26-f069-4c14-8e36-56c394dae5af | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0) | |
| Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning workspaces to disable public network access | Disable public network access for Azure Machine Learning workspaces so that your workspaces aren't accessible over the public internet. This will help protect the workspaces against data leakage risks. You can limit exposure of the your machine learning workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | AzureML Data Scientist |
2021-10-04 15:27:15
add: a10ee784-7409-4941-b091-663697637c0f |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (2.0.1-preview > 2.0.1) | |
| Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0) | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-10-04 15:27:15
change: Minor (1.0.1 > 1.1.0) |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (3.0.0 > 3.1.0) | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (2.1.1-preview > 2.1.1) | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (2.0.1 > 2.1.0) | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2021-10-04 15:27:15
change: Minor (1.0.1 > 1.1.0) |
| Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-10-04 15:27:15
add: 5d4e3c65-4873-47be-94f3-6f8b953a3598 | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-10-04 15:27:15
change: Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) | |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
change: Minor (1.0.0 > 1.1.0) | |
| Service Bus | 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e | Configure Azure Service Bus namespaces to disable local authentication | Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. | Default: Modify Allowed: (Modify, Disabled) | Azure Service Bus Data Owner |
2021-10-04 15:27:15
add: 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e |
| Security Center | af99038c-02fd-4a2f-ac24-386b62bf32de | [Preview]: Machines should have ports closed that might expose attack vectors | Azure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-10-04 15:27:15
add: af99038c-02fd-4a2f-ac24-386b62bf32de | |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows Server, the latter should have SQL Server extension installed and the server's managed identity should be configured with Azure Connected SQL Server Onboarding role | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor User Access Administrator |
2021-09-27 15:52:17
change: Major (1.0.1 > 2.0.0) |
| Network | 98a2e215-5382-489e-bd29-32e7190a39ba | Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace | Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-09-27 15:52:17
add: 98a2e215-5382-489e-bd29-32e7190a39ba |
| Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
add: 1e7fed80-8321-4605-b42c-65fc300f23a3 | |
| Security Center | a2ea54a3-9707-45e3-8230-bbda8309d17e | [Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule | Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor |
2021-09-27 15:52:17
add: a2ea54a3-9707-45e3-8230-bbda8309d17e |
| Storage | 92a89a79-6c52-4a7e-a03f-61306fc49312 | Storage accounts should prevent cross tenant object replication | Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-27 15:52:17
add: 92a89a79-6c52-4a7e-a03f-61306fc49312 | |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | [Deprecated]: RDP access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet | Default: Audit Allowed: (Audit, Disabled) |
2021-09-27 15:52:17
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | |
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs | This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists | Log Analytics Contributor |
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated) |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | |
| Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
add: 4078e558-bda6-41fb-9b3c-361e8875200d | |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | [Deprecated]: SSH access from the Internet should be blocked | This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet | Default: Audit Allowed: (Audit, Disabled) |
2021-09-27 15:52:17
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Security Center | bdc59948-5574-49b3-bb91-76b7c986428d | Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed: deployIfNotExists | Log Analytics Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-27 15:52:17
change: Patch (7.0.0 > 7.0.1) | |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-09-27 15:52:17
change: Major, suffix remains equal (1.1.0-preview > 3.0.0-preview) |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2021-09-27 15:52:17
change: Patch (2.0.0 > 2.0.1) |
| Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-27 15:52:17
add: 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-27 15:52:17
change: Patch (1.0.0 > 1.0.1) | |
| Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Modify Allowed: (Modify, Disabled) | Managed HSM contributor |
2021-09-27 15:52:17
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Synapse | ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee | Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager Storage Account Contributor |
2021-09-27 15:52:17
change: Major (1.1.0 > 2.0.0) |
| Event Grid | 2dd0e8b9-4289-4bb0-b813-1883298e9924 | Configure Azure Event Grid partner namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor |
2021-09-21 16:12:09
add: 2dd0e8b9-4289-4bb0-b813-1883298e9924 |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-21 16:12:09
change: Major (3.0.1 > 4.0.0) | |
| Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Disabled) |
2021-09-21 16:12:09
add: 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | |
| Kubernetes | 245fc9df-fa96-4414-9a0b-3738c2f7341c | Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-21 16:12:09
add: 245fc9df-fa96-4414-9a0b-3738c2f7341c | |
| Event Grid | ae9fb87f-8a17-4428-94a4-8135d431055c | Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-21 16:12:09
add: ae9fb87f-8a17-4428-94a4-8135d431055c | |
| Automation | 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-21 16:12:09
add: 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-21 16:12:09
change: Patch (4.0.1 > 4.0.2) | |
| Automation | 30d1d58e-8f96-47a5-8564-499a3f3cca81 | Configure Azure Automation account to disable local authentication | Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-09-21 16:12:09
add: 30d1d58e-8f96-47a5-8564-499a3f3cca81 |
| Event Grid | 1c8144d9-746a-4501-b08c-093c8d29ad04 | Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor |
2021-09-21 16:12:09
add: 1c8144d9-746a-4501-b08c-093c8d29ad04 |
| Event Grid | 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-21 16:12:09
add: 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | |
| Event Grid | 8632b003-3545-4b29-85e6-b2b96773df1e | Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-21 16:12:09
add: 8632b003-3545-4b29-85e6-b2b96773df1e | |
| Event Grid | 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 | Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor |
2021-09-21 16:12:09
add: 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-09-13 16:35:32
change: Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-09-13 16:35:32
change: Major (1.0.0 > 2.0.0) |
| Security Center | 2f47ec78-4301-4655-b78e-b29377030cdc | [Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent | Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-09-13 16:35:32
add: 2f47ec78-4301-4655-b78e-b29377030cdc |
| Security Center | e8794316-d918-4565-b57d-6b38a06381a0 | [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: e8794316-d918-4565-b57d-6b38a06381a0 | |
| Security Center | 1f300abb-f5a0-41c3-a163-91bd3ed35de7 | [Preview]: Azure Security agent should be installed on your Linux Arc machines | Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: 1f300abb-f5a0-41c3-a163-91bd3ed35de7 | |
| Security Center | bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: bb2c6c6d-14bc-4443-bef3-c6be0adc6076 | |
| Security Center | 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 | [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-09-13 16:35:32
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
change: Patch (2.0.1 > 2.0.2) | |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-09-13 16:35:32
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Security Center | e16f967a-aa57-4f5e-89cd-8d1434d0a29a | [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: e16f967a-aa57-4f5e-89cd-8d1434d0a29a | |
| Security Center | d01f3018-de9f-4d75-8dae-d12c1875da9f | [Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent | Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-09-13 16:35:32
add: d01f3018-de9f-4d75-8dae-d12c1875da9f |
| Security Center | 6654c8c4-e6f8-43f8-8869-54327af7ce32 | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-09-13 16:35:32
add: 6654c8c4-e6f8-43f8-8869-54327af7ce32 |
| Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-09-13 16:35:32
change: Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) |
| Security Center | 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 | [Preview]: Azure Security agent should be installed on your Windows Arc machines | Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 | |
| Security Center | 62b52eae-c795-44e3-94e8-1b3d264766fb | [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-13 16:35:32
add: 62b52eae-c795-44e3-94e8-1b3d264766fb | |
| Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Modify Allowed: (Modify, Disabled) | Managed HSM contributor |
2021-09-13 16:35:32
add: 84d327c3-164a-4685-b453-900478614456 |
| Security Center | 808a7dc4-49f2-4e7b-af75-d14e561c244a | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-09-13 16:35:32
add: 808a7dc4-49f2-4e7b-af75-d14e561c244a |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-08 15:39:57
add: 847ef871-e2fe-4e6e-907e-4adbf71de5cf | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-08 15:39:57
add: aede300b-d67f-480a-ae26-4b3dfb1a1fdc | |
| App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2021-09-08 15:39:57
add: 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 |
| Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) |
2021-09-08 15:39:57
add: fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | |
| SignalR | 702133e5-5ec5-4f90-9638-c78e22f13b39 | Configure Azure SignalR Service to disable local authentication | Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. | Default: Modify Allowed: (Modify, Disabled) | SignalR/Web PubSub Contributor |
2021-09-08 15:39:57
add: 702133e5-5ec5-4f90-9638-c78e22f13b39 |
| App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-08 15:39:57
add: 871b205b-57cf-4e1e-a234-492616998bf7 | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-09-08 15:39:57
add: ec71c0bc-6a45-4b1f-9587-80dc83e6898c | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (5.0.0 > 5.0.1) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| Bot Service | ad5621d6-a877-4407-aa93-a950b428315e | BotService resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. | Default: Audit Allowed: (Audit, Disabled) |
2021-09-08 15:39:57
add: ad5621d6-a877-4407-aa93-a950b428315e | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1) | |
| Internet of Things | 672d56b3-23a7-4a3c-a233-b77ed7777518 | Azure IoT Hub should have local authentication methods disabled for Service Apis | Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-09-08 15:39:57
add: 672d56b3-23a7-4a3c-a233-b77ed7777518 | |
| Internet of Things | 9f8ba900-a70f-486e-9ffc-faf907305376 | Configure Azure IoT Hub to disable local authentication | Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-09-08 15:39:57
add: 9f8ba900-a70f-486e-9ffc-faf907305376 |
| App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2021-09-08 15:39:57
add: 5e97b776-f380-4722-a9a3-e7f0be029e79 |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows Server, the latter should have SQL Server extension installed and the server's managed identity should be configured with Azure Connected SQL Server Onboarding role | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor User Access Administrator |
2021-09-08 15:39:57
change: Patch (1.0.0 > 1.0.1) |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1) | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1) | |
| App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2021-09-08 15:39:57
add: 2c034a29-2a5f-4857-b120-f800fe5549ae |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) | |
| Bot Service | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 | Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-09-08 15:39:57
add: 6a4e6f44-f2af-4082-9702-033c9e88b9f8 |
| Bot Service | 29261f8e-efdb-4255-95b8-8215414515d6 | Configure BotService resources with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-09-08 15:39:57
add: 29261f8e-efdb-4255-95b8-8215414515d6 |
| App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor |
2021-09-08 15:39:57
add: f493116f-3b7f-4ab3-bf80-0c2af35e46c2 |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1) | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (3.0.0 > 3.0.1) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-09-08 15:39:57
change: Patch (4.0.0 > 4.0.1) | |
| Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2021-08-30 14:27:30
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Security Center | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-30 14:27:30
add: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Key Vault | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Security Center | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-30 14:27:30
add: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2) | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Key Vault | ff25f3c8-b739-4538-9d07-3d6d25cfb255 | Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Key Vault | 75c4f823-d65c-4f29-a733-01d0077fdbcb | Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable public network access | To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | API Management Service Contributor |
2021-08-30 14:27:30
add: 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 |
| Key Vault | 82067dbb-e53b-4e06-b631-546d197452d9 | Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | b0eb591a-5e70-4534-a8bf-04b9c489584a | Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Key Vault | 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (3.0.0 > 4.0.0) | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (6.0.0 > 7.0.0) | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.1-preview > 3.0.1-preview) | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role Azure Kubernetes Service Policy Add-on Deployment |
2021-08-30 14:27:30
change: Major (1.0.0 > 2.0.0) |
| Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-30 14:27:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Key Vault | 5ff38825-c5d8-47c5-b70e-069a21955146 | Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | 587c79fe-dd04-4a5e-9d0b-f89598c7261b | Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | 342e8053-e12e-4c44-be01-c3c2f318400f | Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major (4.0.0 > 5.0.0) | |
| Key Vault | 49a22571-d204-4c91-a7b6-09b1a586fbc9 | Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (2.0.0-preview > 2.0.1) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-30 14:27:30
change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | |
| API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management services should disable public network access | To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-30 14:27:30
add: df73bd95-24da-4a4f-96b9-4e8b94b402bd | |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager Storage Account Contributor |
2021-08-30 14:27:30
change: Major (2.0.0 > 3.0.0) |
| Key Vault | e8d99835-8a06-45ae-a8e0-87a91941ccfe | Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-30 14:27:30
change: Patch, old suffix: preview (1.0.0-preview > 1.0.1) | |
| Monitoring | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-30 14:27:30
add: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | |
| Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Key Vault | d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 | [Preview]: Configure Azure Key Vault Managed HSM with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Managed HSM contributor |
2021-08-23 14:26:16
add: d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 |
| Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Disabled) |
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0) | |
| Storage | bfecdea6-31c4-4045-ad42-71b9dc87247d | Storage account encryption scopes should use double encryption for data at rest | Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-23 14:26:16
add: bfecdea6-31c4-4045-ad42-71b9dc87247d | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Disabled) |
2021-08-23 14:26:16
change: Patch (1.0.2 > 1.0.3) | |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-08-23 14:26:16
change: Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) |
| Bot Service | ffea632e-4e3a-4424-bf78-10e179bb2e1a | Bot Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-23 14:26:16
add: ffea632e-4e3a-4424-bf78-10e179bb2e1a | |
| Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) |
2021-08-23 14:26:16
add: a1840de2-8088-4ea8-b153-b4c723e9cb01 | |
| Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0) | |
| Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Cognitive Services Contributor |
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0) |
| Key Vault | 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 | [Preview]: Azure Key Vault Managed HSM should use private link | Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link | Default: Audit Allowed: (Audit, Disabled) |
2021-08-23 14:26:16
add: 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 | |
| Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| SQL | c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd | Configure Azure Defender to be enabled on SQL managed instances | Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager |
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0) |
| Key Vault | 19ea9d63-adee-4431-a95e-1913c6c1c75f | [Preview]: Azure Key Vault Managed HSM should disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-23 14:26:16
add: 19ea9d63-adee-4431-a95e-1913c6c1c75f | |
| Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor Log Analytics Contributor |
2021-08-23 14:26:16
add: 64def556-fbad-4622-930e-72d1d5589bf5 |
| Security Center | 95406fc3-1f69-47b0-8105-4c03b276ec5c | [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-23 14:26:16
change: Major (1.0.1 > 2.0.0) | |
| Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) |
| Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-08-23 14:26:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Modify Allowed: (Disabled, Modify) | Contributor |
2021-08-23 14:26:16
change: Major (1.0.0 > 2.0.0) |
| Monitoring | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | n/a | n/a | 2021-08-16 16:08:10 remove: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 (i) |
| Media Services | 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 | Azure Media Services accounts should disable public network access | Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-13 17:07:49
add: 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-13 17:07:49
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | |
| SQL | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-13 17:07:49
add: 0a370ff3-6cab-4e85-8995-295fd854c5b8 | |
| SQL | abda6d70-9778-44e7-84a8-06713e6db027 | Azure SQL Database should have Azure Active Directory Only Authentication enabled | Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-13 17:07:49
add: abda6d70-9778-44e7-84a8-06713e6db027 | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) |
2021-08-13 17:07:49
change: Major (6.1.0 > 7.0.0) | |
| SQL | 78215662-041e-49ed-a9dd-5385911b3a1f | Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled | Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-13 17:07:49
add: 78215662-041e-49ed-a9dd-5385911b3a1f | |
| SQL | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-13 17:07:49
add: ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | |
| Kubernetes | 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-09 19:32:42
add: 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | |
| Batch | 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | Azure Batch pools should have disk encryption enabled | Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2021-08-09 19:32:42
add: 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | |
| Batch | 6f68b69f-05fe-49cd-b361-777ee9ca7e35 | Batch accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-09 19:32:42
add: 6f68b69f-05fe-49cd-b361-777ee9ca7e35 | |
| SignalR | f70eecba-335d-4bbc-81d5-5b17b03d498f | Azure SignalR Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-09 19:32:42
add: f70eecba-335d-4bbc-81d5-5b17b03d498f | |
| Batch | 4dbc2f5c-51cf-4e38-9179-c7028eed2274 | Configure Batch accounts to disable local authentication | Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-08-09 19:32:42
add: 4dbc2f5c-51cf-4e38-9179-c7028eed2274 |
| Container Registry | 524b0254-c285-4903-bee6-bb8126cde579 | Container registries should have exports disabled | Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-08-09 19:32:42
add: 524b0254-c285-4903-bee6-bb8126cde579 | |
| SQL | fd2d1a6e-6d95-4df2-ad00-504bf0273406 | Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows Server, the latter should have SQL Server extension installed and the server's managed identity should be configured with Azure Connected SQL Server Onboarding role | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor User Access Administrator |
2021-08-09 19:32:42
add: fd2d1a6e-6d95-4df2-ad00-504bf0273406 |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.1.0-preview > 3.1.0-preview) | |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2021-08-02 15:58:22
change: Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) | |
| Storage | 044985bb-afe1-42cd-8a36-9d5d42424537 | Storage account keys should not be expired | Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-07-30 15:17:20
change: Major (2.0.0 > 3.0.0) | |
| Security Center | b99b73e7-074b-4089-9395-b7236f094491 | Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: b99b73e7-074b-4089-9395-b7236f094491 |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-07-30 15:17:20
change: Major (1.2.0 > 2.0.0) |
| Security Center | 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-07-30 15:17:20
add: 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 | |
| Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default: Audit Allowed: (Audit, Disabled) |
2021-07-30 15:17:20
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Security Center | 50ea7265-7d8c-429e-9a7d-ca1f410191c3 | Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: 50ea7265-7d8c-429e-9a7d-ca1f410191c3 |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-07-30 15:17:20
change: Major (3.0.0 > 4.0.0) |
| Security Center | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager Storage Account Contributor |
2021-07-30 15:17:20
change: Major (1.2.0 > 2.0.0) |
| Search | 76a56461-9dc0-40f0-82f5-2453283afa2f | Azure Cognitive Search services should use customer-managed keys to encrypt data at rest | Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-07-30 15:17:20
add: 76a56461-9dc0-40f0-82f5-2453283afa2f | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-07-30 15:17:20
change: Major (3.0.0 > 4.0.0) |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-07-30 15:17:20
change: Major (3.0.0 > 4.0.0) |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-07-30 15:17:20
change: Major (1.2.1 > 2.0.0) |
| Security Center | d3d1e68e-49d4-4b56-acff-93cef644b432 | [Deprecated]: Configure Azure Defender for container registries to be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: d3d1e68e-49d4-4b56-acff-93cef644b432 |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-07-30 15:17:20
change: Major (3.0.0 > 4.0.0) |
| Security Center | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Fixed: DeployIfNotExists | SQL Security Manager |
2021-07-30 15:17:20
change: Minor (2.0.0 > 2.1.0) |
| Backup | af783da1-4ad1-42be-800d-d19c70038820 | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-07-30 15:17:20
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) |
| Security Center | 1f725891-01c0-420a-9059-4fa46cb770b7 | Configure Azure Defender for Key Vaults to be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: 1f725891-01c0-420a-9059-4fa46cb770b7 |
| Security Center | 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 | Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 |
| Security Center | 2370a3c1-4a25-4283-a91a-c9c1a145fb2f | Configure Azure Defender for DNS to be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin |
2021-07-30 15:17:20
add: 2370a3c1-4a25-4283-a91a-c9c1a145fb2f |