| Policy DisplayName | Policy Id | Category | Version | Versioning | Effect | Roles# | Roles | State | Policy in AzUSGov |
|---|---|---|---|---|---|---|---|---|---|
| [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | 2e94d99a-8a36-4563-bc77-810d8893b671 | Backup | 1.0.0-preview | 1x 1.0.0-preview | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | Preview | true |
| Allowed locations | e56962a6-4747-49cd-b67b-bf8b01975c4c | General | 1.0.0 | 1x 1.0.0 | Fixed: deny | 0 | | GA | unknown |
| Allowed locations for resource groups | e765b5de-1225-4ba3-bd56-1ac6695af988 | General | 1.0.0 | 1x 1.0.0 | Fixed: deny | 0 | | GA | unknown |
| Allowed resource types | a08ec900-254a-4555-9bf5-e42af04b5c5c | General | 1.0.0 | 1x 1.0.0 | Fixed: deny | 0 | | GA | unknown |
| Allowed virtual machine size SKUs | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Compute | 1.0.1 | 1x 1.0.1 | Fixed: Deny | 0 | | GA | unknown |
| Azure Container Instance container group should use customer-managed key for encryption | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Container Instance | 1.0.0 | 1x 1.0.0 | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | true |
| Azure Cosmos DB allowed locations | 0473574d-2d43-4217-aefe-941fcdf7e684 | Cosmos DB | 1.1.0 | 1x 1.1.0 | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA | unknown |
| Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Kubernetes | 1.0.1 | 1x 1.0.1 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| HPC Cache accounts should use customer-managed key for encryption | 970f84d8-71b6-4091-9979-ace7e3fb6dbb | Storage | 2.0.0 | 1x 2.0.0 | Default: Audit; Allowed: Audit, Disabled, Deny | 0 | | GA | unknown |
| Managed disks should be double encrypted with both platform-managed and customer-managed keys | ca91455f-eace-4f96-be59-e6e2c35b4816 | Compute | 1.0.0 | 1x 1.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| MySQL servers should use customer-managed keys to encrypt data at rest | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | SQL | 1.0.4 | 1x 1.0.4 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | unknown |
| OS and data disks should be encrypted with a customer-managed key | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | Compute | 3.0.0 | 1x 3.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | SQL | 1.0.4 | 1x 1.0.4 | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | 0 | | GA | true |
| Queue Storage should use customer-managed key for encryption | f0e5abd0-2554-4736-b7c0-4ffef23475ef | Storage | 1.0.0 | 1x 1.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| SQL managed instances should use customer-managed keys to encrypt data at rest | ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 | SQL | 2.0.0 | 1x 2.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| SQL servers should use customer-managed keys to encrypt data at rest | 0a370ff3-6cab-4e85-8995-295fd854c5b8 | SQL | 2.0.1 | 1x 2.0.1 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Storage account encryption scopes should use customer-managed keys to encrypt data at rest | b5ec538c-daa0-4006-8596-35468b9148e8 | Storage | 1.0.0 | 1x 1.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |
| Storage accounts should use customer-managed key for encryption | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage | 1.0.3 | 1x 1.0.3 | Default: Audit; Allowed: Audit, Disabled | 0 | | GA | true |
| Table Storage should use customer-managed key for encryption | 7c322315-e26d-4174-a99e-f49d351b4688 | Storage | 1.0.0 | 1x 1.0.0 | Default: Audit; Allowed: Audit, Deny, Disabled | 0 | | GA | true |