| Category | Id | DisplayName | Description | Effect | Roles used | Details (UTC ymd) (i) |
|---|---|---|---|---|---|---|
| Synapse | 3484ce98-c0c5-4c83-994b-c5ac24785218 | Azure Synapse workspaces should allow outbound data traffic only to approved targets | Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2021-03-02 15:11:40
add: 3484ce98-c0c5-4c83-994b-c5ac24785218 | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Internet of Things | 114eec6e-5e59-4bad-999d-6eceeb39d582 | Modify - Configure Azure IoT Hubs to disable public network access | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-03-02 15:11:40
add: 114eec6e-5e59-4bad-999d-6eceeb39d582 |
| Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor EventGrid Contributor |
2021-03-02 15:11:40
add: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0) | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Automation | 0c2b3618-68a8-4034-a150-ff4abc873462 | Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
add: 0c2b3618-68a8-4034-a150-ff4abc873462 | |
| Internet of Things | 0d40b058-9f95-4a19-93e3-9b0330baa2a3 | Private endpoint should be enabled for IoT Hub | Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: Audit Allowed: (Audit, Disabled) |
2021-03-02 15:11:40
add: 0d40b058-9f95-4a19-93e3-9b0330baa2a3 | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | [Preview]: Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack(CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| SQL | 8e8ca470-d980-4831-99e6-dc70d9f6af87 | Configure Azure SQL Server to enable private endpoint connections | A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor SQL Server Contributor |
2021-03-02 15:11:40
add: 8e8ca470-d980-4831-99e6-dc70d9f6af87 |
| Internet of Things | 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | Public network access on Azure IoT Hub should be disabled | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0) | |
| Batch | 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 | Configure Batch accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-03-02 15:11:40
add: 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 |
| App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | Web apps should use an Azure file share for its content directory | The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) |
2021-03-02 15:11:40
add: dcbc65aa-59f3-4239-8978-3bb869d82604 | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | [Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | [Preview]: Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Compute | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: fc4d8e41-e223-45ea-9bf5-eada37891d87 | |
| SQL | 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b | Configure Azure SQL Server to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. | Default: Modify Allowed: (Modify, Disabled) | SQL Server Contributor |
2021-03-02 15:11:40
add: 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| App Service | 324c7761-08db-4474-9661-d1039abc92ee | API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) |
2021-03-02 15:11:40
add: 324c7761-08db-4474-9661-d1039abc92ee | |
| Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: 702dd420-7fcc-42c5-afe8-4026edd20fe0 | |
| Internet of Things | 47031206-ce96-41f8-861b-6a915f3de284 | [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: 47031206-ce96-41f8-861b-6a915f3de284 | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Storage | 1d320205-c6a1-4ac6-873d-46224024e8e2 | Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
add: 1d320205-c6a1-4ac6-873d-46224024e8e2 | |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-03-02 15:11:40
change: Major (1.3.0 > 2.0.0) |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default: deployIfNotExists Allowed: (deployIfNotExists, disabled) | Network Contributor Contributor |
2021-03-02 15:11:40
add: c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.2 > 6.0.0) | |
| App Configuration | 7a860e27-9ca2-4fc6-822d-c2d248c300df | Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-03-02 15:11:40
add: 7a860e27-9ca2-4fc6-822d-c2d248c300df |
| Compute | ca91455f-eace-4f96-be59-e6e2c35b4816 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: ca91455f-eace-4f96-be59-e6e2c35b4816 | |
| Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor EventGrid Contributor |
2021-03-02 15:11:40
add: 36f4658a-848a-467b-881c-e6fa20cf75fc |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0) | |
| General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| HDInsight | b0ab5b05-1c98-40f7-bb9e-dc568e41b501 | Azure HDInsight clusters should be injected into a virtual network | Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2021-03-02 15:11:40
add: b0ab5b05-1c98-40f7-bb9e-dc568e41b501 | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | [Preview]: Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Fixed: modify | Virtual Machine Contributor |
2021-03-02 15:11:40
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) |
| Machine Learning | 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 | Azure Machine Learning workspaces should use user-assigned managed identity | Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 | |
| Internet of Things | bf684997-3909-404e-929c-d4a38ed23b2e | Deploy - Configure Azure IoT Hubs with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor Contributor |
2021-03-02 15:11:40
add: bf684997-3909-404e-929c-d4a38ed23b2e |
| App Configuration | 614ffa75-862c-456e-ad8b-eaa1b0844b07 | Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-03-02 15:11:40
add: 614ffa75-862c-456e-ad8b-eaa1b0844b07 |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | [Preview]: Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| App Configuration | 73290fa2-dfa7-4bbb-945d-a5e23b75df2c | Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-03-02 15:11:40
add: 73290fa2-dfa7-4bbb-945d-a5e23b75df2c |
| Storage | 0e07b2e9-6cd9-4c40-9ccb-52817b95133b | Modify - Configure Azure File Sync to disable public network access | The Azure File Sync's internet-accessible public endpoint are disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-03-02 15:11:40
add: 0e07b2e9-6cd9-4c40-9ccb-52817b95133b |
| Automation | 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c | Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | Contributor |
2021-03-02 15:11:40
add: 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c |
| Storage | 06695360-db88-47f6-b976-7500d4297475 | Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Private DNS Zone Contributor Network Contributor |
2021-03-02 15:11:40
add: 06695360-db88-47f6-b976-7500d4297475 |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2021-03-02 15:11:40
change: Major (1.3.0 > 2.0.0) |
| Storage | b35dddd9-daf7-423b-8375-5a5b86806d5a | Configure Azure File Sync with private endpoints | A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-03-02 15:11:40
add: b35dddd9-daf7-423b-8375-5a5b86806d5a |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: d461a302-a187-421a-89ac-84acdb4edc04 | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0) | |
| Storage | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | Public network access should be disabled for Azure File Sync | Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-03-02 15:11:40
add: 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2021-03-02 15:11:40
change: Major (1.1.0 > 2.0.0) |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0) | |
| App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) |
2021-03-02 15:11:40
add: 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Enable Automanage - Azure virtual machine best practices | Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-03-02 15:11:40
change: Major (1.0.0 > 3.0.0) |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0) | |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2021-03-02 15:11:40
change: Major (1.1.0 > 2.0.0) |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0) | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0) | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Fixed: modify | Virtual Machine Contributor |
2021-02-23 16:24:42
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-23 16:24:42
add: 6c66c325-74c8-42fd-a286-a74b0e2939d8 |
| Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | Deploy - Configure diagnostic settings for storage accounts to Log Analytics workspace | Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-23 16:24:42
add: 6f8f98a4-f108-47cb-8e98-91a0d85cd474 |
| Key Vault | 951af2fa-529b-416e-ab6e-066fd85ac459 | Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-23 16:24:42
add: 951af2fa-529b-416e-ab6e-066fd85ac459 |
| App Configuration | 89c8a434-18f0-402c-8147-630a8dea54e0 | App Configuration should use a SKU that supports private link | When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-23 16:24:42
add: 89c8a434-18f0-402c-8147-630a8dea54e0 | |
| App Configuration | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-23 16:24:42
add: 3d9f5e4c-9947-4579-9539-2a7695fbc187 | |
| Batch | 009a0c92-f5b4-4776-9b66-4ed2b4775563 | Private endpoint connections on Batch accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-23 16:24:42
add: 009a0c92-f5b4-4776-9b66-4ed2b4775563 | |
| Batch | 4ec38ebc-381f-45ee-81a4-acbc4be878f8 | Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor |
2021-02-23 16:24:42
add: 4ec38ebc-381f-45ee-81a4-acbc4be878f8 |
| Network | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-23 16:24:42
change: Major (1.1.0 > 2.0.0) | |
| Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | n/a | n/a | 2021-02-22 14:29:52 remove: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca (i) |
| Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | n/a | n/a | 2021-02-22 14:29:52 remove: 36f4658a-848a-467b-881c-e6fa20cf75fc (i) |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | [Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities | Default: audit Allowed: (audit, deny, disabled) |
2021-02-17 14:28:42
add: d2e7ea85-6b44-4317-a0be-1b951587f626 | |
| Monitoring | d550e854-df1a-4de9-bf44-cd894b39a95e | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: audit Allowed: (audit, deny, disabled) |
2021-02-17 14:28:42
add: d550e854-df1a-4de9-bf44-cd894b39a95e | |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
change: Major (1.0.1 > 2.0.0) | |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Azure Security Center regulatory compliance | Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0) |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0) | |
| Monitoring | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: audit Allowed: (audit, deny, disabled) |
2021-02-17 14:28:42
add: 1f68a601-6e6d-4e42-babf-3f643a047ea2 | |
| Key Vault | a2a5b911-5617-447e-a49e-59dbe0e0434b | Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
add: a2a5b911-5617-447e-a49e-59dbe0e0434b | |
| Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: deployIfNotExists Allowed: (deployIfNotExists, Disabled) | Network Contributor |
2021-02-17 14:28:42
add: d389df0a-e0d7-4607-833c-75a6fdac2c2d |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0) |
| Monitoring | b3884c81-31aa-473d-a9bb-9466fe0ec2a0 | Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-17 14:28:42
add: b3884c81-31aa-473d-a9bb-9466fe0ec2a0 |
| Event Grid | 898e9824-104c-4965-8e0e-5197588fa5d4 | Modify - Configure Azure Event Grid domains to disable public network access | Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor |
2021-02-17 14:28:42
add: 898e9824-104c-4965-8e0e-5197588fa5d4 |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2021-02-17 14:28:42
change: Patch (1.0.1 > 1.0.2) | |
| Key Vault | c39ba22d-4428-4149-b981-70acb31fc383 | Azure Key Vault Managed HSM should have purge protection enabled | Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-17 14:28:42
add: c39ba22d-4428-4149-b981-70acb31fc383 | |
| App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | Resource logs in App Services should be enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
add: 91a78b24-f231-4a8a-8da9-02c35b2b6510 | |
| Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor EventGrid Contributor |
2021-02-17 14:28:42
add: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca |
| Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor EventGrid Contributor |
2021-02-17 14:28:42
add: 36f4658a-848a-467b-881c-e6fa20cf75fc |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2021-02-17 14:28:42
change: Patch (1.0.1 > 1.0.2) | |
| Event Grid | 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 | Modify - Configure Azure Event Grid topics to disable public network access | Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor |
2021-02-17 14:28:42
add: 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0) |
| Event Grid | f8f774be-6aee-492a-9e29-486ef81f3a68 | Azure Event Grid domains should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-17 14:28:42
add: f8f774be-6aee-492a-9e29-486ef81f3a68 | |
| Monitoring | ea0dfaed-95fb-448c-934e-d6e713ce393d | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default: audit Allowed: (audit, deny, disabled) |
2021-02-17 14:28:42
add: ea0dfaed-95fb-448c-934e-d6e713ce393d | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0) | |
| Event Grid | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Azure Event Grid topics should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-17 14:28:42
add: 1adadefe-5f21-44f7-b931-a59b54ccdb45 | |
| Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: deployIfNotExists Allowed: (deployIfNotExists, Disabled) | Network Contributor |
2021-02-17 14:28:42
add: baf19753-7502-405f-8745-370519b20483 |
| Key Vault | a6d2c800-5230-4a40-bff3-8268b4987d42 | Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2021-02-17 14:28:42
add: a6d2c800-5230-4a40-bff3-8268b4987d42 |
| Monitoring | fa298e57-9444-42ba-bf04-86e8470e32c7 | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | Default: audit Allowed: (audit, deny, disabled) |
2021-02-17 14:28:42
add: fa298e57-9444-42ba-bf04-86e8470e32c7 | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor Log Analytics Contributor |
2021-02-17 14:28:42
change: Version remains equal, old suffix: preview (1.0.2-preview > 1.0.2) |
| Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default: Deny Allowed: (Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| Search | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.2 > 1.0.3) | |
| Stream Analytics | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.1.0 > 1.1.1) | |
| Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | [Preview]: Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
add: 6809a3d0-d354-42fb-b955-783d207c62a8 | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.1.1 > 1.1.2) | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.2 > 1.0.3) | |
| Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (2.0.0 > 3.0.1) | |
| Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Data Factory | 77d40665-3120-4348-b539-3192ec808307 | [Preview]: Azure Data Factory should use a Git repository for source control | Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
add: 77d40665-3120-4348-b539-3192ec808307 | |
| Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.1 > 1.0.2) | |
| Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
add: f78ccdb4-7bf4-4106-8647-270491d2978a | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.2 > 1.0.3) | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.1 > 1.0.2) | |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers should be configured with 90 days auditing retention or higher | SQL servers should be configured with 90 days auditing retention or higher. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Patch (2.0.0 > 2.0.1) | |
| Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| SQL | 7ea8a143-05e3-4553-abfe-f56bef8b0b70 | Deploy - Configure diagnostic settings for Azure SQL Database server to Log Analytics workspace | Deploys the diagnostic settings for Azure SQL Database server to stream resource logs to a Log Analytics workspace when any SQL Server which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager Log Analytics Contributor |
2021-02-10 14:43:58
add: 7ea8a143-05e3-4553-abfe-f56bef8b0b70 |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: audit Allowed: (audit, deny, disabled) |
2021-02-10 14:43:58
change: Patch (1.0.1 > 1.0.2) | |
| General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed: audit |
2021-02-10 14:43:58
change: Major (1.0.0 > 2.0.0) | |
| Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | [Preview]: Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
add: 85bb39b5-2f66-49f8-9306-77da3ac5130f | |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Patch (2.0.0 > 2.0.1) | |
| Service Bus | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | [Preview]: Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
add: 127ef6d7-242f-43b3-9eef-947faf1725d0 | |
| HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: audit Allowed: (audit, disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Major (3.0.0 > 4.0.1) | |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.2 > 1.0.3) | |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default: Deny Allowed: (Deny, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor Log Analytics Contributor |
2021-02-10 14:43:58
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-10 14:43:58
change: Patch (1.0.0 > 1.0.1) |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-02-10 14:43:58
change: Patch (1.0.2 > 1.0.3) | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-03 15:09:01
change: Major (1.0.0 > 2.0.0) |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-03 15:09:01
change: Major (2.0.0 > 3.0.0) |
| Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-03 15:09:01
change: Major (1.0.0 > 2.0.0) | |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit Allowed: (Audit, Disabled) |
2021-02-03 15:09:01
change: Patch (1.0.0 > 1.0.1) | |
| Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-03 15:09:01
change: Major (1.0.0 > 2.0.0) | |
| Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Azure Security Center regulatory compliance | Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-03 15:09:01
add: 509122b9-ddd9-47ba-a5f1-d0dac20be63c |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-03 15:09:01
change: Major (2.0.0 > 3.0.0) |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2021-02-03 15:09:01
change: Major (1.0.0 > 2.0.0) |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2021-02-03 15:09:01
change: Patch (5.0.1 > 5.0.2) | |
| Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-03 15:09:01
add: 41425d9f-d1a5-499a-9932-f8ed8453932c | |
| Data Factory | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-03 15:09:01
add: 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | |
| SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2021-02-03 15:09:01
add: b79fa14e-238a-4c2d-b376-442ce508fc84 |
| Automation | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-02-03 15:09:01
add: 56a5ee18-2ae6-4810-86f7-18e39ce5629b | |
| Attestation | 7b256a2d-058b-41f8-bed9-3f870541c40a | Azure Attestation providers should use private endpoints | Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-27 16:54:46
add: 7b256a2d-058b-41f8-bed9-3f870541c40a | |
| Batch | 74c5a0ae-5e48-4738-b093-65e23a060488 | Public network access should be disabled for Batch accounts | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-27 16:54:46
add: 74c5a0ae-5e48-4738-b093-65e23a060488 | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: audit Allowed: (audit, deny, disabled) |
2021-01-27 16:54:46
change: Patch (1.0.0 > 1.0.1) | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-27 16:54:46
change: Major (1.0.0 > 2.0.0) | |
| Event Hub | a1ad735a-e96f-45d2-a7b2-9a4932cab7ec | Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Default: Audit Allowed: (Audit, Disabled) |
2021-01-27 16:54:46
add: a1ad735a-e96f-45d2-a7b2-9a4932cab7ec | |
| Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default: audit Allowed: (audit, deny, disabled) |
2021-01-27 16:54:46
add: 51522a96-0869-4791-82f3-981000c2c67f | |
| Service Bus | 295fc8b1-dc9f-4f53-9c61-3f313ceab40a | Service Bus Premium namespaces should use a customer-managed key for encryption | Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. | Default: Audit Allowed: (Audit, Disabled) |
2021-01-27 16:54:46
add: 295fc8b1-dc9f-4f53-9c61-3f313ceab40a | |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit, Disabled) |
2021-01-27 16:54:46
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2) | |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-27 16:54:46
change: Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview) | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-27 16:54:46
change: Major (2.0.0 > 3.0.0) | |
| Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | [Preview]: Deploy - Configure Linux Azure Monitor agent to enable Azure Monitor assignments on Linux virtual machines | Configure Linux Azure Monitor agent to Linux virtual machines hosted in Azure that are supported by Azure Monitor. Azure Monitor agent collects events from the virtual machine that can be used to provide recommendations. Target virtual machines must be in a supported location. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2021-01-22 09:14:53
add: a4034bc6-ae50-406d-bf76-50f4ee5a7811 |
| Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Deploy - Configure Linux machines to automatically install the Azure Security agent | Configure Linux machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Fixed: deployIfNotExists | Contributor Log Analytics Contributor |
2021-01-22 09:14:53
add: 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 |
| Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Patch (1.0.0 > 1.0.1) | |
| Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) | |
| HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-22 09:14:53
add: 64d314f6-6062-4780-a861-c23e8951bee5 | |
| Synapse | 0049a6b3-a662-4f3e-8635-39cf44ace45a | Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
add: 0049a6b3-a662-4f3e-8635-39cf44ace45a | |
| Security Center | b4d66858-c922-44e3-9566-5cdb7a7be744 | [Deprecated]: A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources - This policy is deprecated because phone numbers are no longer used in any scenario by Azure Security Center | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | [Preview]: Windows machines should meet requirements of the Azure Security Center baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure Security Center baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
add: 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | |
| Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Deploy - Configure disaster recovery on virtual machines by enabling replication | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Fixed: deployIfNotExists | Owner |
2021-01-22 09:14:53
add: ac34a73f-9fa5-4067-9247-a3ecae514468 |
| Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent | Configure Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. | Fixed: deployIfNotExists | Contributor Log Analytics Contributor |
2021-01-22 09:14:53
add: 1537496a-b1e8-482b-a06a-1cc2415cdc7b |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Patch (1.0.0 > 1.0.1) | |
| Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Fixed: modify | Virtual Machine Contributor |
2021-01-22 09:14:53
add: 17b3de92-f710-4cf4-aa55-0e7859f1ed7b |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Patch (1.1.0 > 1.1.1) | |
| HDInsight | 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-22 09:14:53
add: 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | [Preview]: Linux machines should meet requirements for the Azure security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | |
| HDInsight | d9da03a1-f3c3-412a-9709-947156872263 | Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-22 09:14:53
add: d9da03a1-f3c3-412a-9709-947156872263 | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-22 09:14:53
change: Patch (2.0.0 > 2.0.1) | |
| Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | [Preview]: Deploy - Configure Windows Azure Monitor agent to enable Azure Monitor assignments on Windows virtual machines | Configure Windows Azure Monitor agent to Windows virtual machines hosted in Azure that are supported by Azure Monitor. Azure Monitor agent collects events from the virtual machine that can be used to provide recommendations. Target virtual machines must be in a supported location. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2021-01-22 09:14:53
add: ca817e41-e85a-4783-bc7f-dc532d36235e |
| Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-13 16:08:35
add: 4ec52d6d-beb7-40c4-9a9e-fe753254690e | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit Allowed: (Audit, Disabled) |
2021-01-13 16:08:35
change: Minor (1.0.1 > 1.1.0) | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-13 16:08:35
change: Minor (1.0.1 > 1.1.0) | |
| Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | [Preview]: Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack(CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2021-01-13 16:08:35
add: d46c275d-1680-448d-b2ec-e495a3b6cc89 | |
| Security Center | e8cbc669-f12d-49eb-93e7-9273119e9933 | Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 4f11b553-d42e-4e3a-89be-32ca364cad4c | A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (3.0.0 > 4.0.0) | |
| Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2021-01-05 16:06:49
add: 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | Fixed: DeployIfNotExists | SQL Security Manager |
2021-01-05 16:06:49
change: Major (1.1.0 > 2.0.0) |
| Monitoring | 6fc8115b-2008-441f-8c61-9b722c1e537f | Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | Default: audit Allowed: (deny, audit, disabled) |
2021-01-05 16:06:49
add: 6fc8115b-2008-441f-8c61-9b722c1e537f | |
| Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (1.0.0 > 2.0.0) | |
| Security Center | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.1 > 3.0.0) | |
| Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | Vulnerabilities on your SQL servers on machine should be remediated | SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
add: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | |
| Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 22730e10-96f6-4aac-ad84-9383d35b5917 | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Preview]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) | |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2021-01-05 16:06:49
change: Patch (1.0.0 > 1.0.1) | |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: audit Allowed: (audit, deny, disabled) |
2021-01-05 16:06:49
add: 6164527b-e1ee-4882-8673-572f425f5e0a | |
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default: audit Allowed: (audit, deny, disabled) |
2021-01-05 16:06:49
add: b4ac1030-89c5-4697-8e00-28b5ba6a8811 | |
| Security Center | 9daedab3-fb2d-461e-b861-71790eead4f6 | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.1 > 3.0.0) | |
| Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0) | |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Firewall should be enabled on Key Vault | Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | [Preview]: Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers should be configured with 90 days auditing retention or higher | SQL servers should be configured with 90 days auditing retention or higher. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0) | |
| Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1) | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Security Center | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | [Preview]: Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
add: a27c700f-8a22-44ec-961c-41625264370b | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0) |
| Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
add: ae89ebca-1c92-4898-ac2c-9f63decb045c | |
| Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
add: 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
add: d26f7642-7545-4e18-9b75-8c9bbdee3a9a | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.1.0 > 1.1.1) | |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1) | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1) | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.1) | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Data Box | 86efb160-8de7-451d-bc08-5d475b0aadae | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
add: 86efb160-8de7-451d-bc08-5d475b0aadae | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major, suffix remains equal (3.0.1-deprecated > 4.0.1-deprecated) | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | [Preview]: Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
add: 423dd1ba-798e-40e4-9c4d-b6902674b423 | |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | [Preview]: Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
add: 9f061a12-e40d-4183-a00e-171812443373 | |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0) |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | [Preview]: Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
change: Patch (1.1.0 > 1.1.1) | |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-12-11 15:42:52
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | |
| Data Box | c349d81b-9985-44ae-a8da-ff98d108ede8 | Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-12-11 15:42:52
add: c349d81b-9985-44ae-a8da-ff98d108ede8 | |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1) | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1) | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1) | |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2) | |
| Synapse | 56fd377d-098c-4f02-8406-81eb055902b8 | IP firewall rules on Azure Synapse workspaces should be removed | Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. | Default: Audit Allowed: (Audit, Disabled) |
2020-11-17 14:39:37
add: 56fd377d-098c-4f02-8406-81eb055902b8 | |
| Tags | 61a4d60b-7326-440e-8051-9f94394d4dd1 | Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed: modify | Tag Contributor |
2020-11-17 14:39:37
add: 61a4d60b-7326-440e-8051-9f94394d4dd1 |
| Synapse | f7d52b2d-e161-4dfa-a82b-55e564167385 | Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-17 14:39:37
add: f7d52b2d-e161-4dfa-a82b-55e564167385 | |
| Synapse | 72d11df1-dd8a-41f7-8925-b05b960ebafc | Private endpoint connections on Azure Synapse workspaces should be enabled | Private endpoints can be configured to connect privately to an Azure Synapse workspace. This is used to enforce a secure communication channel to Azure Synapse workspace. | Default: Audit Allowed: (Audit, Disabled) |
2020-11-17 14:39:37
add: 72d11df1-dd8a-41f7-8925-b05b960ebafc | |
| Tags | 96d9a89c-0d67-41fc-899d-2b9599f76a24 | Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed: modify | Tag Contributor |
2020-11-17 14:39:37
add: 96d9a89c-0d67-41fc-899d-2b9599f76a24 |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-11-17 14:39:37
change: Patch (2.0.0 > 2.0.1) | |
| Synapse | 2d9dbfa3-927b-4cf0-9d0f-08747f971650 | Managed workspace virtual network on Azure Synapse workspaces should be enabled | Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-17 14:39:37
add: 2d9dbfa3-927b-4cf0-9d0f-08747f971650 | |
| Azure Data Explorer | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
add: 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | |
| API for FHIR | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-11-10 16:00:42
add: 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-11-10 16:00:42
change: Major (1.2.0 > 2.0.0) |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit Allowed: (audit, deny, disabled) |
2020-11-10 16:00:42
change: Major, suffix remains equal (1.0.1-preview > 2.0.0-preview) | |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-11-10 16:00:42
change: Major (2.0.0 > 3.0.0) | |
| Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
add: f4b53539-8df9-40e4-86c6-6b607703bd4e | |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-11-10 16:00:42
change: Major (1.2.0 > 2.0.0) |
| Security Center | 80e94a21-c6cd-4c95-a2c7-beb5704e61c0 | Deploy - Configure suppression rules for Azure Security Center alerts | Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription. | Fixed: deployIfNotExists | Security Admin |
2020-11-10 16:00:42
add: 80e94a21-c6cd-4c95-a2c7-beb5704e61c0 |
| Stream Analytics | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | Default: audit Allowed: (audit, deny, disabled) |
2020-11-10 16:00:42
add: 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
change: Minor (1.0.1 > 1.1.0) | |
| Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
add: ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | |
| Synapse | 3a003702-13d2-4679-941b-937e58c443f0 | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2020-11-10 16:00:42
add: 3a003702-13d2-4679-941b-937e58c443f0 | |
| Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | [Preview]: Configure backup on VMs with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag | Fixed: deployIfNotExists | Virtual Machine Contributor Backup Contributor |
2020-11-10 16:00:42
add: 83644c87-93dd-49fe-bf9f-6aff8fd0834e |
| Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | [Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag | Fixed: deployIfNotExists | Virtual Machine Contributor Backup Contributor |
2020-11-10 16:00:42
add: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 |
| Portal | 04c655fe-0ac7-48ae-9a32-3a2e208c7624 | Shared dashboards should not have markdown tiles with inline content | Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
add: 04c655fe-0ac7-48ae-9a32-3a2e208c7624 | |
| Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | [Preview]: Configure backup on VMs with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag | Default: deployIfNotExists Allowed: (deployIfNotExists, auditIfNotExists, disabled) | Virtual Machine Contributor Backup Contributor |
2020-11-10 16:00:42
add: 345fa903-145c-4fe1-8bcd-93ec2adccde8 |
| Azure Data Explorer | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-11-10 16:00:42
add: 81e74cea-30fd-40d5-802f-d72103c2aaaa | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on VMs without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag | Default: deployIfNotExists Allowed: (deployIfNotExists, auditIfNotExists, disabled) | Virtual Machine Contributor Backup Contributor |
2020-11-10 16:00:42
change: Minor (1.0.0 > 1.1.0) |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1) | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Fixed: auditIfNotExists |
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0) | |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | Fixed: DeployIfNotExists | SQL Security Manager |
2020-10-27 14:12:45
change: Minor (1.0.0 > 1.1.0) |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-27 14:12:45
change: Major (1.0.0 > 2.0.0) | |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0) | |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Disabled) |
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1) | |
| API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: audit Allowed: (audit, disabled) |
2020-10-27 14:12:45
add: 051cba44-2429-45b9-9649-46cec11c7119 | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-27 14:12:45
change: Minor (1.0.0 > 1.1.0) | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Fixed: auditIfNotExists |
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0) | |
| SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Disabled) |
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1) | |
| Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-23 13:31:09
add: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-23 13:31:09
change: Minor (1.0.0 > 1.1.0) | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| SQL | 24fba194-95d6-48c0-aea7-f65bf859c598 | Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-20 13:29:33
add: 24fba194-95d6-48c0-aea7-f65bf859c598 | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.1.0 > 2.0.0) | |
| SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-20 13:29:33
add: c9299215-ae47-4f50-9c54-8a392f68a052 | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Fixed: deployIfNotExists | Azure Kubernetes Service Contributor Role |
2020-10-20 13:29:33
add: a8eff44f-8c92-45c3-a3fb-9880802d67a7 |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.1 > 2.0.0) | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0) | |
| SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-20 13:29:33
add: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | |
| SQL | 3a58212a-c829-4f13-9872-6371df2fd0b4 | Infrastructure encryption should be enabled for Azure Database for MySQL servers | Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-20 13:29:33
add: 3a58212a-c829-4f13-9872-6371df2fd0b4 | |
| Key Vault | 587c79fe-dd04-4a5e-9d0b-f89598c7261b | [Preview]: Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 587c79fe-dd04-4a5e-9d0b-f89598c7261b | |
| Key Vault | 82067dbb-e53b-4e06-b631-546d197452d9 | [Preview]: Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 82067dbb-e53b-4e06-b631-546d197452d9 | |
| Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | [Preview]: Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | |
| Key Vault | 342e8053-e12e-4c44-be01-c3c2f318400f | [Preview]: Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 342e8053-e12e-4c44-be01-c3c2f318400f | |
| Key Vault | 49a22571-d204-4c91-a7b6-09b1a586fbc9 | [Preview]: Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 49a22571-d204-4c91-a7b6-09b1a586fbc9 | |
| Key Vault | 75c4f823-d65c-4f29-a733-01d0077fdbcb | [Preview]: Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 75c4f823-d65c-4f29-a733-01d0077fdbcb | |
| Key Vault | ff25f3c8-b739-4538-9d07-3d6d25cfb255 | [Preview]: Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: ff25f3c8-b739-4538-9d07-3d6d25cfb255 | |
| Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | [Preview]: Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 98728c90-32c7-4049-8429-847dc0f4fe37 | |
| Key Vault | 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | [Preview]: Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | |
| Key Vault | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | [Preview]: Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | |
| Key Vault | e8d99835-8a06-45ae-a8e0-87a91941ccfe | [Preview]: Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: e8d99835-8a06-45ae-a8e0-87a91941ccfe | |
| Key Vault | b0eb591a-5e70-4534-a8bf-04b9c489584a | [Preview]: Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: b0eb591a-5e70-4534-a8bf-04b9c489584a | |
| Key Vault | 5ff38825-c5d8-47c5-b70e-069a21955146 | [Preview]: Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-16 12:27:50
add: 5ff38825-c5d8-47c5-b70e-069a21955146 | |
| General | 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | n/a | n/a | 2020-10-15 14:28:11 remove: 6fdb9205-3462-4cfc-87d8-16c7860b53f4 (i) |
| General | e01598e8-6538-41ed-95e8-8b29746cd697 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | n/a | n/a | 2020-10-15 14:28:11 remove: e01598e8-6538-41ed-95e8-8b29746cd697 (i) |
| Lighthouse | 7a8a51a3-ad87-4def-96f3-65a1839242b6 | Allow managing tenant ids to onboard through Azure Lighthouse | Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. | Fixed: deny |
2020-10-13 13:23:36
change: Patch (1.0.0 > 1.0.1) | |
| Storage | 4733ea7b-a883-42fe-8cac-97454c2a9e4a | Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-10-07 16:00:33
add: 4733ea7b-a883-42fe-8cac-97454c2a9e4a | |
| Lighthouse | 7a8a51a3-ad87-4def-96f3-65a1839242b6 | Allow managing tenant ids to onboard through Azure Lighthouse | Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. | Fixed: deny |
2020-09-30 14:32:32
add: 7a8a51a3-ad87-4def-96f3-65a1839242b6 | |
| Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members |
| Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members | |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-16 13:09:49
change: Previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | |
| Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-16 13:09:49
change: Previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed | |
| Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members |
| Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group contains any of the specified members | |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit, Disabled) |
2020-09-16 13:09:49
change: Previous DisplayName: [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters | |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one | |
| Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs | |
| Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Enable Automanage - Azure virtual machine best practices | Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2020-09-15 14:06:41
add: 270610db-8c04-438a-a739-e8e6745b22d3 |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'User Rights Assignment' | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Shutdown' | |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control' | |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access' | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties' | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use allowed volume types | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies' | |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Accounts' | |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles | |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure only allowed container images in Kubernetes cluster | |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Security' | |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Logon' | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles | |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Configure time zone on Windows machines. |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Devices' | |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - System' | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Do not allow privileged containers in Kubernetes cluster | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce labels on pods in Kubernetes cluster | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should run with a read only root file system | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce HTTPS ingress in Kubernetes cluster | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed capabilities | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Interactive Logon' | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster | |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components' | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed ProcMountType | |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Control Panel' | |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network' | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Policy Change' | |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Object Access' | |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Recovery console' | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use approved host network and port range | |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Management' | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes clusters should not allow container privilege escalation | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System settings' | |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System objects' | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce internal load balancers in Kubernetes cluster | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit' | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - System' | |
| Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | |
| Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: e6ebf138-3d71-4935-a13b-9c7fdddd94df | |
| SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default: Deny Allowed: (Deny, Disabled) |
2020-09-09 11:24:03
add: b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a minimum password age of 1 day | |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected |
| Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | |
| Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 0447bc18-e2f7-4c0d-aa20-bff034275be1 | |
| Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | |
| Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | |
| Guest Configuration | 9f658460-46b7-43af-8565-94fc0662be38 | [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not set to the specified time zone | |
| Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members | |
| Security Center | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: a3a6ea0c-e018-4933-9ef0-5aaa1501449b | |
| Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Firewall should be enabled on Key Vault | Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault. | Default: Audit Allowed: (Audit, Disabled) |
2020-09-09 11:24:03
add: 55615ac9-af46-4a59-874e-391cc3dfb490 | |
| Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: d62cfe2b-3ab0-4d41-980d-76803b58ca65 | |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the remote host connection status does not match the specified one | |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have the specified applications installed | |
| Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the DSC configuration is not compliant | |
| Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 58c460e9-7573-4bb2-9676-339c2f2486bb | |
| Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-09-09 11:24:03
add: 5f0bc445-3935-4915-9981-011aa2b46147 | |
| Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: c5b85cba-6e6f-4de4-95e1-f0233cd712ac | |
| Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: beb6ccee-b6b8-4e91-9801-a5fa4260a104 | |
| Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant |
| Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | |
| Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows web servers that are not using secure communication protocols | |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a maximum password age of 70 days | |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have not restarted within the specified number of days | |
| Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | [Deprecated]: Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs with a pending reboot | |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled |
| SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Default: Deny Allowed: (Deny, Disabled) |
2020-09-09 11:24:03
add: a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that allow remote connections from accounts without passwords | |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords |
| Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 4221adbc-5c0f-474f-88b7-037a99e6114c | |
| Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled |
| Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | |
| Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days |
| Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 630ac30f-a234-4533-ac2d-e0df77acda51 | |
| Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 84662df4-0e37-44a6-9ce1-c9d2150db18c | |
| Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have the specified applications installed |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the specified applications installed | |
| Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 6646a0bd-e110-40ca-bb97-84fcee63c414 | |
| Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: d3b823c9-e0fc-4453-9fb2-8213b7338523 | |
| Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | |
| Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root |
| Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: a4fe33eb-e377-4efb-ab31-0784311bc499 | |
| Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | |
| Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: da0f98fe-a24b-4ad5-af69-bd0400233661 | |
| Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members |
| Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 5a913c68-0590-402c-a531-e57e19379da3 | |
| Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 237b38db-ca4d-4259-9e47-7882441ca2c0 | |
| Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone |
| Guest Configuration | 315c850a-272d-4502-8935-b79010405970 | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have accounts without passwords | |
| Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-09 11:24:03
add: 9db7917b-1607-4e7d-a689-bca978dd0633 | |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days |
| Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' |
| Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs with a pending reboot |
| Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group contains any of the specified members | |
| Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | |
| Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 6265018c-d7e2-432f-a75d-094d5f6f4465 | |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the password complexity setting enabled | |
| Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 1417908b-4bff-46ee-a2a6-4acc899320ab | |
| Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 934345e1-4dfb-4c70-90d7-41990dc9608b | |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption |
| Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: 5b054a0d-39e2-4d53-bea3-9734cad2c69b | |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not store passwords using reversible encryption | |
| Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | [Deprecated]: Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have the specified applications installed | |
| Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: bf16e0bb-31e1-4646-8202-60a235cc7e74 | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 |
| Guest Configuration | 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed |
| Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-09 11:24:03
add: e6955644-301c-44b5-a4c4-528577de6861 | |
| Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: ebb67efd-3c46-49b0-adfe-5599eb944998 | |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have the specified applications installed |
| Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified applications installed | |
| Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed: auditIfNotExists |
2020-09-09 11:24:03
add: 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have accounts without passwords |
| Guest Configuration | a29ee95c-0395-4515-9851-cc04ffe82a91 | [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not joined to the specified domain | |
| Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | |
| Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration | |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Web app | |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Cognitive Services accounts should enable data encryption with customer managed key | |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on Function App | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate lifetime action triggers | |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Function app | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage minimum key size for RSA certificates | |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on API app | |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on WEB App | |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed certificate key types | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Vulnerability assessment should be enabled on virtual machines | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate validity period | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by a non-integrated CA | |
| Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | [Preview]: Linux machines should meet requirements for the Azure security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
add: fc9b3da7-8347-4380-8e70-0a0361d8dedd | |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Function App | |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the API app | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default: audit Allowed: (audit, deny, disabled) |
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by an integrated CA | |
| Synapse | 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | [Preview]: Resource type for Azure Synapse linked service should be in allowed list | You can define an allowed list of resource types for Azure Synapse linked service to restrict creation or update on a scope. With this policy in place you can have a better control over the boundary of data movement. | n/a | n/a | 2020-08-31 13:45:20 remove: 84ce0900-69cd-4b5e-b676-0b5a66d027c9 (i) |
| Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed: deployIfNotExists | Contributor |
2020-08-27 15:39:26
add: 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 |
| 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | Fixed: |
2020-08-27 15:39:26
add: 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | ||||
| Network | c251913d-7d24-4958-af87-478ed3b9ba41 | Flow log should be configured for every network security group | Audit for network security groups to verify if flow log resource is configured. Flow log allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Fixed: audit |
2020-08-27 15:39:26
add: c251913d-7d24-4958-af87-478ed3b9ba41 | |
| Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-27 15:39:26
add: c648fbbb-591c-4acd-b465-ce9b176ca173 | |
| Guest Configuration | 16f9b37c-4408-4c30-bc17-254958f2e2d6 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | |
| Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-08-27 15:39:26
add: 40cec1dd-a100-4920-b15b-3024fe8901ab | |
| Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit Allowed: (audit, deny, disabled) |
2020-08-27 15:39:26
add: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | |
| Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed |
| Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | |
| Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-27 15:39:26
add: 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | |
| Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy |
| Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-08-27 15:39:26
add: ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | |
| Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: d6c69680-54f0-4349-af10-94dd05f4225e | |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' |
| Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | |
| Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | |
| Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 33936777-f2ac-45aa-82ec-07958ec9ade4 | |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | |
| Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 492a29ed-d143-4f03-b6a4-705ce081b463 | |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: b4a4d1eb-0263-441b-84cb-a44073d8372d | |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Audit' | |
| Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 35781875-8026-4628-b19b-f6efb4d88a1d | |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 58383b73-94a9-4414-b382-4146eb02611b | |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | |
| Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 35d9882c-993d-44e6-87d2-db66ce21b636 | |
| Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | |
| Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | |
| Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 94d9aca8-3757-46df-aa51-f218c5f11954 | |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Devices' | |
| Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 8316fa92-d69c-4810-8124-62414f560dcf | |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System settings' | |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | |
| Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' |
| Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 8537fe96-8cbe-43de-b0ef-131bc72bc22a | |
| Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: d472d2c9-d6a3-4500-9f5f-b15f123005aa | |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Components' | |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System objects' | |
| Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 2f262ace-812a-4fd0-b731-b38ba9e9708d | |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | |
| Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 8794ff4f-1a35-4e18-938f-0b22055067cd | |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'User Rights Assignment' | |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: ee984370-154a-4ee8-9726-19d900e56fc0 | |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | |
| Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | |
| Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: e0a7e899-2ce2-4253-8a13-d808fdeb75af | |
| Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' |
| Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 67e010c1-640d-438e-a3a5-feaccb533a98 | |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: caf2d518-f029-4f6b-833b-d7081702f253 | |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | |
| Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: e068b215-0026-4354-b347-8fb2766f73a2 | |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | |
| Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: f2143251-70de-4e81-87a8-36cee5a2f29d | |
| Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 87845465-c458-45f3-af66-dcd62176f397 | |
| Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-20 14:05:01
add: 1221c620-d201-468c-81e7-2817e6107e84 | |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' |
| Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default: Audit Allowed: (Audit, Disabled) |
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services | |
| App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit Allowed: (Audit, Disabled, Deny) |
2020-08-19 13:49:29
add: af35e2a4-ef96-44e7-a9ae-853dd97032c4 | |
| Security Center | fb893a29-21bb-418c-a157-e99480ec364c | Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Default: Audit Allowed: (Audit, Disabled) |
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | |
| Security Center | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Default: Audit Allowed: (Audit, Disabled) |
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services | |
| Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-19 13:49:29
add: 5f0f936f-2f01-4bf5-b6be-d423792fa562 | |
| Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Disabled) |
2020-08-18 14:06:57
add: 6fac406b-40ca-413b-bf8e-0bf964659c25 | |
| Storage | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | Storage account should use a private link connection | Private links enforce secure communication, by providing private connectivity to the storage account | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-08-18 14:06:57
add: 6edd7eda-6dd8-40f7-810d-67160c639cd9 | |
| Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-08-18 14:06:57
add: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-08-05 13:05:29
change: Previous DisplayName: App Configuration should use a customer managed key | |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts | |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-07-17 15:57:10
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-07-17 15:57:10
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6 |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry | |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines | |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Key Vault | |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on App Service | |
| SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-14 15:28:17
add: a8793640-60f7-487c-b5c3-1d37215905c4 | |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-14 15:28:17
add: 32e6bbec-16b6-44c2-be37-c5b672d103cf | |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines | |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Storage accounts | |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service | |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-07-14 15:28:17
change: Previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines | |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
change: Previous DisplayName: Audit public network access setting for Azure SQL Database | |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 511f5417-5d12-434d-ab2e-816901e72a5e | |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: f06ddb64-5fa3-4b77-b166-acb36f7f6042 | |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 098fc59e-46c7-4d99-9b16-64990e543d75 | |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 56d0a13f-712f-466b-8416-56fb354fb823 | |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | |
| Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
add: 425bea59-a659-4cbb-8d31-34499bd030b8 | |
| SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed: AuditIfNotExists |
2020-07-08 14:28:08
add: 77e8b146-0078-4fb2-b002-e112381199f0 | |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 16697877-1118-4fb1-9b65-9898ec2509ec | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-08 14:28:08
change: Previous DisplayName: Azure SQL Databases should have private endpoint connections | |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: c26596ff-4d70-4e6a-9a30-c2506bd2f80c | |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: 975ce327-682c-4f2e-aa46-b9598289b86c | |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
add: 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: df49d893-a74c-421d-bc95-c663042e5b80 | |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
add: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | |
| Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-08 14:28:08
add: 12430be1-6cc8-4527-a9a8-e3d38f250096 | |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) |
2020-07-08 14:28:08
add: e1e6c427-07d9-46ab-9689-bfa85431e636 | |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: [Preview]: Azure SignalR Service should use private links | |
| SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings | |
| SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts | |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-01 14:50:07
add: 2154edb9-244f-4741-9970-660785bccdaa | |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings | |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts | |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-07-01 14:50:07
add: 1b8ca024-1d5c-4dec-8995-b1a932b41780 | |
| SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit Allowed: (Audit, Disabled) |
2020-07-01 14:50:07
add: 7698e800-9299-47a6-b3b6-5a0fee576eed | |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-30 14:58:19
change: Previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs. | |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a | 2020-06-29 05:46:45 remove: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e (i) |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a | 2020-06-29 05:46:45 remove: 497dff13-db2a-4c0f-8603-28fa3b331ab6 (i) |
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit Allowed: (audit, disabled) |
2020-06-23 16:03:25
add: 0fea8f8a-4169-495d-8307-30ec335f387d | |
| Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 4da35fc9-c9e7-4960-aec9-797fe7d9051d | |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2020-06-23 16:03:25
add: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 523b5cd1-3e23-492f-a539-13118b6d1e3a | |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit, Disabled) |
2020-06-23 16:03:25
add: 0a15ec92-a229-4763-bb14-0ea34a568f8d | |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 2913021d-f2fd-4f3d-b958-22354e2bdbcb | |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
add: 385f5831-96d4-41db-9a3c-cd3af78aaae6 |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-06-23 16:03:25
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e |
| Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 0e6763cc-5078-4e64-889d-ff4d9a839047 | |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 6581d072-105e-4418-827f-bd446d56421b | |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
add: 331e8ea8-378a-410f-a2e5-ae22f38bb0da |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-06-23 16:03:25
add: 6a6f7384-63de-11ea-bc55-0242ac130003 | |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: faf25c8c-9598-4305-b4de-0aee1317fb31 | |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-23 16:03:25
add: 308fbb08-4ab8-4e67-9b29-592e93fb94fa | |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: audit Allowed: (audit, deny, disabled) |
2020-06-23 16:03:25
add: 1f905d99-2ab7-462c-a6b0-f709acca6c8f | |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-06-23 16:03:25
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6 |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Linux VMs |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Windows VMs |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2020-06-11 19:46:04
add: f6b68e5a-7207-4638-a1fb-47d90404209e | |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny Allowed: (Audit, Deny, Disabled) |
2020-06-11 19:46:04
add: be7ed5c8-2660-4136-8216-e6f3412ba909 | |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant | |
| Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-09 16:25:53
add: 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | |
| Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-09 16:25:53
add: 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | [Preview]: Deploy GitOps to Kubernetes cluster | This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. | Fixed: DeployIfNotExists | Contributor |
2020-06-09 16:25:53
add: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-09 16:25:53
add: bb91dfba-c30d-4263-9add-9c2384e659a6 | |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords | |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption | |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled | |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-09 16:25:53
add: 67121cc7-ff39-4ab8-b7e3-95b84dab487d | |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one | |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Public network access should be disabled for Cognitive Services accounts | This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-09 16:25:53
add: 0725b4dd-7e76-479c-a735-68e7ee23d5ca | |
| Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-09 16:25:53
add: 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days | |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-09 16:25:53
add: 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components' | |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit, Disabled) |
2020-06-09 16:25:53
add: 53503636-bcc9-4748-9663-5348217f160f | |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-08 18:42:36
change: Previous DisplayName: DDoS Protection Standard should be enabled | |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-08 18:42:36
change: Previous DisplayName: Adaptive Application Controls should be enabled on virtual machines | |
| SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-08 18:42:36
change: Previous DisplayName: Advanced data security should be enabled on your SQL managed instances | |
| SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-08 18:42:36
change: Previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances | |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS | |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS | |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS | |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: Just-In-Time network access control should be applied on virtual machines | |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS | |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS | |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS | |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled | |
| Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: Only secure connections to your Redis Cache should be enabled | |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS | |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS | |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK) | |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-05-29 15:39:09
add: 123a3936-f020-408a-ba0c-47873faf1534 | |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: deny Allowed: (audit, deny, disabled) |
2020-05-29 15:39:09
add: 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines | This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
add: 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit Allowed: (Audit, Disabled) |
2020-05-29 15:39:09
add: ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | |
| Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-05-29 15:39:09
add: 037eea7a-bd0a-46c5-9a66-03aea78705d3 | |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: cdfcce10-4578-4ecd-9703-530938e4abcb |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: 73d6ab6c-2475-4850-afd6-43795f3492ef |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit, Disabled) |
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access | |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: ffb6f416-7bd2-4488-8828-56585fef2be9 |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2020-05-29 15:39:09
add: 9830b652-8523-49cc-b1b3-e17dce1127ca | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Disabled) |
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should use private links | |
| Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append |
2020-05-29 15:39:09
add: 4750c32b-89c0-46af-bfcb-2e4541a818d5 | |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-05-29 15:39:09
add: d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: f1525828-9a90-4fcf-be48-268cdd02361e |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines | This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
add: deacecc0-9f84-44d2-bb82-46f32d766d43 |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-05-29 15:39:09
add: 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) |
2020-05-29 15:39:09
add: 4b90e17e-8448-49db-875e-bd83fb6f804f | |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-05-21 16:06:38
add: 7d092e0a-7acd-40d2-a975-dca21cae48c4 | |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-21 16:06:38
add: 69af7d4a-7b18-4044-93a9-2651498ef203 |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-05-13 05:56:52
add: 77eeea86-7e81-4a7d-9067-de844d096752 | |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-05-13 05:56:52
add: 3948394e-63de-11ea-bc55-0242ac130003 | |
| Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2020-05-13 05:56:52
add: 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-05-13 05:56:52
add: 53c70b02-63dd-11ea-bc55-0242ac130003 | |
| Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2020-05-13 05:56:52
add: 6df2fee6-a9ed-4fef-bced-e13be1b25f1c |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-05-13 05:56:52
add: 1d413020-63de-11ea-bc55-0242ac130003 | |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-13 05:56:52
add: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) |
2020-05-13 05:56:52
add: 5853517a-63de-11ea-bc55-0242ac130003 | |
| Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny |
2020-05-09 14:57:51
change: Previous DisplayName: Allowed virtual machine SKUs | |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-05-09 14:57:51
change: Previous DisplayName: Audit unrestricted network access to storage accounts | |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-04-28 14:50:57
add: 18adea5e-f416-4d0f-8aa8-d24321e3e274 | |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-04-28 14:50:57
add: fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-04-28 14:50:57
add: b52376f7-9612-48a1-81cd-1ffe4b61032c | |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-04-28 14:50:57
add: 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Disabled) |
2020-04-28 14:50:57
add: e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit Allowed: (Audit, Disabled) |
2020-04-28 14:50:57
add: d9844e8a-1437-4aeb-a32c-0c992f056095 | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster | |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster | |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster | |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster | |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster | |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster | |
| Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Fixed: audit |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch | |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VMs |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux Virtual Machine Scale Sets |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VMs |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VMs |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows Virtual Machine Scale Sets |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux Virtual Machine Scale Sets |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted | |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted | |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows Virtual Machine Scale Sets |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VMs |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted | |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default: deny Allowed: (deny, audit, disabled) |
2020-03-17 09:22:59
add: 0473574d-2d43-4217-aefe-941fcdf7e684 | |
| Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-03-17 09:22:59
add: bed48b13-6647-468e-aa2f-1af1d3f4dd40 | |
| Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-03-17 09:22:59
add: fc5e4038-4584-4632-8c85-c0448d374b2c | |
| Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-03-17 09:22:59
add: 5fc23db3-dd4d-4c56-bcc7-43626243e601 | |
| Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed: deny |
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag on resource groups | |
| Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append |
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value to resource groups | |
| Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed: deny |
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value on resource groups | |
| Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append |
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its value from the resource group | |
| Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append |
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value | |
| Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed: deny |
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag | |
| Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed: deny |
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value | |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted | |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS) |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted | |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS) |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor Virtual Machine Contributor |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS) |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor |
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS) |
| SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: 0a1302fb-a631-4106-9753-f3d494733990 | |
| SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: dfbd9a64-6114-48de-a47d-90574dc2e489 | |
| SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: 7595c971-233d-4bcf-bd18-596129188c49 | |
| SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | |
| SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: 3375856c-3824-4e0e-ae6a-79e011dd4c47 | |
| SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-27 09:26:21
add: 0564d078-92f5-4f97-8398-b9f58a51f70b | |
| Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-02-25 11:29:35
change: Previous DisplayName: [Preview]: Access to App Services should be restricted | |
| Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Contributor |
2020-02-20 08:25:18
add: b27a0cbd-a167-4dfa-ae64-4337be671140 |
| Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Contributor |
2020-02-20 08:25:18
add: 40df99da-1232-49b1-a39a-6da8d878f469 |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-02-20 08:25:18
change: Previous DisplayName: Web ports should be restricted on Network Security Groups associated to your VM | |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit, Disabled) |
2020-02-12 02:52:44
add: d0793b48-0edc-4296-a390-4c75d1bdfd71 | |
| Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor Log Analytics Contributor |
2020-02-12 02:52:44
add: c717fb0c-d118-4c43-ab3d-ece30ac81fb3 |
| App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit Allowed: (Audit, Disabled) |
2020-02-12 02:52:44
add: 0f2d8593-4667-4932-acca-6a9f187af109 | |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-02-12 02:52:44
add: 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2020-02-12 02:52:44
add: 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-12 02:52:44
add: ca610c1d-041c-4332-9d88-7ed3094967c7 | |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-02-08 03:50:24
change: Previous DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Funtion app | |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists |
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' | |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' |
| Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-29 21:53:30
add: 3b980d31-7904-4bb7-8575-5665739a8052 | |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from Internet | Default: Audit Allowed: (Audit, Disabled) |
2020-01-29 21:53:30
add: e372f825-a257-4fb8-9175-797a8a8627d6 | |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | Fixed: deployIfNotExists | Security Admin |
2020-01-29 21:53:30
add: ac076320-ddcf-4066-b451-6154267e8ad2 |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from Internet | Default: Audit Allowed: (Audit, Disabled) |
2020-01-29 21:53:30
add: 2c89a2e5-7285-40fe-afe0-ae8654b92fab | |
| Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-29 21:53:30
add: b954148f-4c11-4c38-8221-be76711e194a | |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-29 21:53:30
add: c5447c04-a4d7-4ba8-a263-c9ee321a6858 | |
| Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unaudited SQL servers in Azure Security Center | |
| Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled' | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unencrypted SQL databases in Azure Security Center | |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default: Disabled Allowed: (AuditIfNotExists, Disabled) |
2020-01-10 16:39:23
change: Previous DisplayName: The NSGs rules for web applications on IaaS should be hardened | |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-10 16:39:23
change: Previous DisplayName: Network Security Group Rules for Internet facing virtual machines should be hardened | |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-10 16:39:23
change: Previous DisplayName: Virtual machines should be associated with a Network Security Group | |
| SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2020-01-10 16:39:23
change: Previous DisplayName: Auditing should be enabled on advanced data security settings on SQL Server | |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Shutdown' |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Network' |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System settings' |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Components' |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Security' |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Control Panel' |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor |
2019-12-11 09:18:30
change: Previous DisplayName: Configure time zone on Windows machines. |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-12-11 09:18:30
add: 95bccee9-a7f8-4bec-9ee9-62c3473701fc | |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-12-11 09:18:30
add: c4ebc54a-46e1-481a-bee2-d4411e95d828 | |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-12-11 09:18:30
add: c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-12-11 09:18:30
add: 013e242c-8828-4970-87b3-ab247555486d | |
| Monitoring | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-12-11 09:18:30
add: fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-27 16:06:41
add: 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-27 16:06:41
add: 04c4380f-3fae-46e8-96c9-30193528f602 | |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on VMs without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag | Default: deployIfNotExists Allowed: (deployIfNotExists, auditIfNotExists, disabled) | Virtual Machine Contributor Backup Contributor |
2019-11-19 11:26:09
change: Previous DisplayName: Deploy prerequisites to backup VMs of a location to an existing central Vault in the same location |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified key types | |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not have a lengthy validity period | |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider | |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not expire in the specified number of days | |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved custom Certificate Authority provider | |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large | |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger | |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS | |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: e2c1c086-2d84-4019-bff3-c44ccd95113c | |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 496223c3-ad65-4ecd-878a-bae78737e9ed | |
| App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: Ensure WEB app is using the latest version of TLS encryption | |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2019-11-12 19:11:12
add: eaebaea7-8013-4ceb-9d14-7eb32271373c | |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS | |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 74c3584d-afae-46f7-a20a-6f8adba71a16 | |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 7261b898-8a84-4db8-9e04-18527132abb3 | |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure CPU and memory resource limits defined on containers in AKS | |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2019-11-12 19:11:12
add: 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) |
2019-11-12 19:11:12
add: 5bb220d9-2698-4ee4-8404-b9c30c9df609 | |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS | |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 8c122334-9d20-4eb8-89ea-ac9a705b74ae | |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 7008174a-fd10-4ef0-817e-fc820a951d73 | |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 88999f4c-376a-45c8-bcb3-4058f713cf39 | |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 843664e0-7563-41ee-a9cb-7522c382d2c4 | |
| App Service | e567365d-4228-430f-ac39-7d5d46e617ac | Ensure API app is using the latest version of TLS encryption | The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | n/a | n/a | 2019-11-12 19:11:12 remove: e567365d-4228-430f-ac39-7d5d46e617ac (i) |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 86d97760-d216-4d81-a3ad-163087b2b6c3 | |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 7238174a-fd10-4ef0-817e-fc820a951d73 | |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce labels on pods in AKS | |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce internal load balancers in AKS | |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: ab965db2-d2bf-4b64-8b39-c38ec8179461 | |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: aa81768c-cb87-4ce2-bfaa-00baa10d760c | |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Do not allow privileged containers in AKS | |
| App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: Ensure Function app is using the latest version of TLS encryption | |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce HTTPS ingress in AKS | |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 991310cd-e9f3-47bc-b7b6-f57b557d07db | |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) |
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce unique ingress hostnames across namespaces in AKS | |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-11-12 19:11:12
add: 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: audit Allowed: (audit, deny, disabled) |
2019-11-02 10:12:34
add: bd78111f-4953-4367-9fd5-7e08808b54bf | |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: d38fc420-0735-4ef3-ac11-c806f651a570 | |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 |
| SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-29 23:04:36
add: 82339799-d096-41ae-8538-b108becf0970 | |
| Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: c15c281f-ea5c-44cd-90b8-fc3c14d13f0c |
| Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: db51110f-0865-4a6e-b274-e2e07a5b2cd7 |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | |
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: 1f6e93e8-6b31-41b1-83f6-36e449a42579 |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: febd0533-8e55-448f-b837-bd0e06f16469 | |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | |
| SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-29 23:04:36
add: 48af4db5-9b8b-401c-8e74-076be876a430 | |
| Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: 17763ad9-70c0-4794-9397-53d765932634 |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 2b9ad585-36bc-4615-b300-fd4435808332 | |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: b2fd3e59-6390-4f2b-8247-ea676bd03e2d | |
| e567365d-4228-430f-ac39-7d5d46e617ac | Fixed: |
2019-10-29 23:04:36
add: e567365d-4228-430f-ac39-7d5d46e617ac | ||||
| Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: b889a06c-ec72-4b03-910a-cb169ee18721 |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: f9d614c5-c173-4d56-95a7-b4437057d193 | |
| Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: c84e5349-db6d-4769-805e-e14037dab9b5 |
| Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: 6b51af03-9277-49a9-a3f8-1c69c9ff7403 |
| Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: bef3f64c-5290-43b7-85b0-9b254eef4c47 |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | |
| Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: edf3780c-3d70-40fe-b17e-ab72013dafca |
| Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: ef7b61ef-b8e4-4c91-8e78-6946c6b0023f |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: 0ecd903d-91e7-4726-83d3-a229d7f2e293 |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: 04d53d87-841c-4f23-8a5b-21564380b55e |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 95edb821-ddaf-4404-9732-666045e056b4 | |
| Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: a1dae6c7-13f3-48ea-a149-ff8442661f60 |
| Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-29 23:04:36
add: 76bed37b-484f-430f-a009-fd7592dff818 | |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | |
| Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 |
| Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: 3d5da587-71bd-41f5-ac95-dd3330c2d58d |
| Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: 08ba64b8-738f-4918-9686-730d2ed79c7d |
| Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: 4daddf25-4823-43d4-88eb-2419eb6dcc08 |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 440b515e-a580-421e-abeb-b159a61ddcbc | |
| Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor |
2019-10-29 23:04:36
add: e8d096bc-85de-4c5f-8cfb-857bd1b9d62d |
| Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: 25763a0a-5783-4f14-969e-79d4933eb74b |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: 233a2a17-77ca-4fb1-9b6b-69223d272a44 | |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit, deny, disabled) |
2019-10-29 23:04:36
add: e345eecc-fa47-480f-9e88-67dcc122b164 | |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | |
| SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-29 23:04:36
add: 0ec47710-77ff-4a3d-9181-6aa50af424d0 | |
| Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-29 23:04:36
add: bf045164-79ba-4215-8f95-f8048dc1780b | |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-29 23:04:36
add: 399b2637-a50f-4f95-96f8-3a145476eb15 | |
| SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed: Deny |
2019-10-29 21:52:54
change: Previous DisplayName: Require SQL Server version 12.0 | |
| Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default: Audit Allowed: (Audit, Deny, Disabled) |
2019-10-11 00:02:54
add: d416745a-506c-48b6-8ab1-83cb814bcaa3 | |
| Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: 235359c5-7c52-4b82-9055-01c75cf9f60e | |
| Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | |
| Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-11 00:02:54
add: 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | |
| Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: f1776c76-f58c-4245-a8d0-2b207198dc8b | |
| Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-11 00:02:54
add: e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | |
| Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-11 00:02:54
add: ea4d6841-2173-4317-9747-ff522a45120f | |
| Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit, Disabled) |
2019-10-11 00:02:54
add: c4857be7-912a-4c75-87e6-e30292bcdf78 | |
| Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: d63edb4a-c612-454d-b47d-191a724fcbf0 | |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: a70ca396-0a34-413a-88e1-b956c1e683be | |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-11 00:02:54
add: efbde977-ba53-4479-b8e9-10b957924fbf | |
| General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in United States data centers | |
| General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in European data centers | |
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs | This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists | Log Analytics Contributor |
2019-10-08 15:55:12
change: Previous DisplayName: Deploy default Log Analytics Agent for Ubuntu VMs |
| 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | Fixed: |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers | ||||
| General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Asia data centers | |
| e01598e8-6538-41ed-95e8-8b29746cd697 | Fixed: |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers | ||||
| General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in India data centers | |
| Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'department' tag set | |
| Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging | Fixed: Deny |
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'environment' tag value in allowed values | |
| SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases | Fixed: AuditIfNotExists |
2019-10-08 15:55:12
change: Previous DisplayName: Audit SQL DB Level Audit Setting | |
| Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed: AuditIfNotExists |
2019-10-08 15:55:12
change: Previous DisplayName: Automatic provisioning of security monitoring agent | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) |
2019-10-03 22:58:00
add: 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 |