last sync: 2024-Apr-24 17:47:19 UTC

[Preview]: Sovereignty Baseline - Confidential Policies

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display name[Preview]: Sovereignty Baseline - Confidential Policies
Id03de05a4-c324-4ccd-882f-a814ea8ab9ea
Version1.0.0-preview
Details on versioning
CategoryRegulatory Compliance
Microsoft Learn
DescriptionThe Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies
TypeBuiltIn
DeprecatedFalse
PreviewTrue
Policy count Total Policies: 17
Builtin Policies: 17
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data 2e94d99a-8a36-4563-bc77-810d8893b671 Backup Default
Audit
Allowed
Audit, Deny, Disabled
0 Preview
Allowed locations e56962a6-4747-49cd-b67b-bf8b01975c4c General Fixed
deny
0 GA
Allowed locations for resource groups e765b5de-1225-4ba3-bd56-1ac6695af988 General Fixed
deny
0 GA
Allowed resource types a08ec900-254a-4555-9bf5-e42af04b5c5c General Fixed
deny
0 GA
Allowed virtual machine size SKUs cccc23c7-8427-4f53-ad12-b6a63eb452b3 Compute Fixed
Deny
0 GA
Azure Cosmos DB allowed locations 0473574d-2d43-4217-aefe-941fcdf7e684 Cosmos DB Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
HPC Cache accounts should use customer-managed key for encryption 970f84d8-71b6-4091-9979-ace7e3fb6dbb Storage Default
Audit
Allowed
Audit, Disabled, Deny
0 GA
Managed disks should be double encrypted with both platform-managed and customer-managed keys ca91455f-eace-4f96-be59-e6e2c35b4816 Compute Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
MySQL servers should use customer-managed keys to encrypt data at rest 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest 18adea5e-f416-4d0f-8aa8-d24321e3e274 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Queue Storage should use customer-managed key for encryption f0e5abd0-2554-4736-b7c0-4ffef23475ef Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL managed instances should use customer-managed keys to encrypt data at rest ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
SQL servers should use customer-managed keys to encrypt data at rest 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage account encryption scopes should use customer-managed keys to encrypt data at rest b5ec538c-daa0-4006-8596-35468b9148e8 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Storage accounts should use customer-managed key for encryption 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage Default
Audit
Allowed
Audit, Disabled
0 GA
Table Storage should use customer-managed key for encryption 7c322315-e26d-4174-a99e-f49d351b4688 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Roles used No Roles used
History
Date/Time (UTC ymd) (i) Changes
2023-12-12 19:47:53 add Initiative 03de05a4-c324-4ccd-882f-a814ea8ab9ea
JSON compare n/a
JSON
api-version=2021-06-01
EPAC