AzInitiativeAdvertizer

last sync: 2024-May-01 17:45:25 UTC

[Preview]: Sovereignty Baseline - Confidential Policies

Azure BuiltIn Policy Initiative (PolicySet)

Source

Azure Portal

Display name

[Preview]: Sovereignty Baseline - Confidential Policies

03de05a4-c324-4ccd-882f-a814ea8ab9ea

Version

1.0.0-preview
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies

Type

BuiltIn

Deprecated

False

Preview

True

Policy count

Total Policies: 17
Builtin Policies: 17
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	State
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data	2e94d99a-8a36-4563-bc77-810d8893b671	Backup	Default Audit Allowed Audit, Deny, Disabled	Preview
Allowed locations	e56962a6-4747-49cd-b67b-bf8b01975c4c	General	Fixed deny	GA
Allowed locations for resource groups	e765b5de-1225-4ba3-bd56-1ac6695af988	General	Fixed deny	GA
Allowed resource types	a08ec900-254a-4555-9bf5-e42af04b5c5c	General	Fixed deny	GA
Allowed virtual machine size SKUs	cccc23c7-8427-4f53-ad12-b6a63eb452b3	Compute	Fixed Deny	GA
Azure Cosmos DB allowed locations	0473574d-2d43-4217-aefe-941fcdf7e684	Cosmos DB	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys	7d7be79c-23ba-4033-84dd-45e2a5ccdd67	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	GA
HPC Cache accounts should use customer-managed key for encryption	970f84d8-71b6-4091-9979-ace7e3fb6dbb	Storage	Default Audit Allowed Audit, Disabled, Deny	GA
Managed disks should be double encrypted with both platform-managed and customer-managed keys	ca91455f-eace-4f96-be59-e6e2c35b4816	Compute	Default Audit Allowed Audit, Deny, Disabled	GA
MySQL servers should use customer-managed keys to encrypt data at rest	83cef61d-dbd1-4b20-a4fc-5fbc7da10833	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest	18adea5e-f416-4d0f-8aa8-d24321e3e274	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	GA
Queue Storage should use customer-managed key for encryption	f0e5abd0-2554-4736-b7c0-4ffef23475ef	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
SQL managed instances should use customer-managed keys to encrypt data at rest	ac01ad65-10e5-46df-bdd9-6b0cad13e1d2	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
SQL servers should use customer-managed keys to encrypt data at rest	0a370ff3-6cab-4e85-8995-295fd854c5b8	SQL	Default Audit Allowed Audit, Deny, Disabled	GA
Storage account encryption scopes should use customer-managed keys to encrypt data at rest	b5ec538c-daa0-4006-8596-35468b9148e8	Storage	Default Audit Allowed Audit, Deny, Disabled	GA
Storage accounts should use customer-managed key for encryption	6fac406b-40ca-413b-bf8e-0bf964659c25	Storage	Default Audit Allowed Audit, Disabled	GA
Table Storage should use customer-managed key for encryption	7c322315-e26d-4174-a99e-f49d351b4688	Storage	Default Audit Allowed Audit, Deny, Disabled	GA

Roles used

No Roles used

History

Date/Time (UTC ymd) (i)	Changes
2023-12-12 19:47:53	add Initiative 03de05a4-c324-4ccd-882f-a814ea8ab9ea

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC