The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.
Description change: 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.' to 'The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.' Name change: 'Azure Security Benchmark' to 'Microsoft cloud security benchmark'
Description change: 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.'
Description change: 'Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.' Name change: 'Enable Monitoring in Azure Security Center' to 'Azure Security Benchmark'
description: "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
displayName: "[Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates",
description: "[Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.",
displayName: "[Deprecated]: Operating system version should be the most current version for your cloud service roles",
description: "Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture.",
displayName: "[Deprecated]: Log Analytics agent health issues should be resolved on your machines",
description: "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.",
displayName: "[Deprecated]: Log Analytics agent should be installed on your virtual machine for Microsoft Defender for Cloud monitoring",
description: "This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",
displayName: "[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines",
description: "Enable or disable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run",
displayName: "[Deprecated]: Allowlist rules in your adaptive application control policy should be updated",
description: "Enable or disable the monitoring for changes in behavior on groups of machines configured for auditing by Microsoft Defender for Cloud's adaptive application controls",
displayName: "Resource logs in Azure Kubernetes Service should be enabled",
description: "Enable or disable the monitoring of resource logs in Kubernetes managed clusters. Enabling Azure Kubernetes Service's resource logs can help recreate activity trails when investigating future security incidents"
displayName: "SQL databases should have vulnerability findings resolved",
description: "Enable or disable the monitoring of vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities."
displayName: "SQL servers on machines should have vulnerability findings resolved",
description: "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture."
displayName: "[Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts",
description: "Enable or disable the monitoring that advanced data security settings for SQL server contain at least one email address to receive security alerts",
displayName: "[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts",
description: "Enable or disable the monitoring that advanced data security settings for SQL Managed Instance contain at least one email address to receive security alerts.",
displayName: "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings",
description: "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in the SQL Server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.",
displayName: "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings",
description: "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.",
displayName: "Vulnerability assessment should be enabled on SQL Managed Instance",
description: "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
displayName: "Vulnerability assessment should be enabled on your SQL servers",
description: "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
displayName: "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
description: "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
displayName: "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings",
description: "It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
displayName: "[Deprecated]: SQL server TDE protector should be encrypted with your own key",
description: "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.",
displayName: "[Deprecated]: SQL Managed Instance TDE protector should be encrypted with your own key",
description: "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.",
displayName: "SQL server TDE protector should be encrypted with your own key",
description: "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
displayName: "SQL Managed Instance TDE protector should be encrypted with your own key",
description: "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
displayName: "Kubernetes image to exclude from monitoring of all container related policies",
description: "The list of InitContainers and Containers to exclude from Kubernetes container related policy evaluation. It will apply to all container related policies except 'Container images should be deployed from trusted registries only' and 'Kubernetes clusters should gate deployment of vulnerable images'. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository."
displayName: "Allowed registry or registries regex",
description: "The RegEx rule used to match allowed container image field in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^[^\/]+\.azurecr\.io\/.+$ and for multiple registries: ^([^\/]+\.azurecr\.io|registry\.io)\/.+$"
displayName: "Kubernetes namespaces to exclude from monitoring of allowed container images",
description: "List of Kubernetes namespaces to exclude from evaluation of allowed container images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of privileged containers",
description: "List of Kubernetes namespaces to exclude from evaluation of privileged containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "[Deprecated]: Kubernetes namespaces to exclude from monitoring of allowed container port",
description: "List of Kubernetes namespaces to exclude from evaluation of allowed container ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design.",
displayName: "Kubernetes namespaces to exclude from monitoring of allowed service ports",
description: "List of Kubernetes namespaces to exclude from evaluation of allowed service ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of privileged escalation containers",
description: "List of Kubernetes namespaces to exclude from evaluation of privileged escalation containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of sharing sensitive host namespaces in Kubernetes clusters",
description: "List of Kubernetes namespaces to exclude from evaluation of sharing sensitive host namespaces in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of containers running with a read only root file system",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running with a read only root file system in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of containers use only allowed capabilities",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers using only allowed capabilities in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of containers modification of AppArmor profile",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers modifying of AppArmor profile in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
description: "The list of AppArmor profiles that containers are allowed to use. E.g. [ "runtime/default", "docker/default" ]. Provide empty list as input to block everything."
displayName: "Kubernetes namespaces to exclude from monitoring of containers host networking and ports",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers host networking and ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of pod HostPath volume mounts",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of pod HostPath volume mounts in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes namespaces to exclude from monitoring of memory and CPU limits",
description: "List of Kubernetes namespaces to exclude from evaluation of memory and CPU limits in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "[Deprecated]: Kubernetes namespaces to exclude from monitoring of containers with vulnerable images",
description: "List of Kubernetes namespaces to exclude from evaluation of block vulnerable images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design.",
description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces.",
displayName: "[Deprecated]: Excluded images regex for gating vulnerable images in Kubernetes cluster",
description: "A list of RegEx rules used to exclude container images from policy evaluation. For example: exclude all images from the repo microsoft-defender-in-cluster-defense-repo in the blockreg ACR - ["(blockreg.azurecr.io/microsoft-defender-in-cluster-defense-repo).*"]. Use an empty list to apply this policy to all container images.",
displayName: "[Deprecated]: Severity threshold for excluding gating of image vulnerabilities without a patch in Kubernetes cluster",
description: "Specify the maximum severity for exempting vulnerabilities without a patch. For example, specify Medium to ignore Low and Medium vulnerabilities without a patch.",
displayName: "Kubernetes namespaces to exclude from monitoring of containers running as root user",
description: "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running as root users. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "[Deprecated]: Vulnerabilities in Azure Container Registry images should be remediated",
description: "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Qualys)",
displayName: "Vulnerabilities in Azure Container Registry images should be remediated",
description: "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Microsoft Defender Vulnerability Management)"
displayName: "Azure Backup should be enabled for Virtual Machines",
description: "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
displayName: "Georedundant backup should be enabled for Azure Database for MariaDB",
description: "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
displayName: "Georedundant backup should be enabled for Azure Database for PostgreSQL",
description: "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
displayName: "[Deprecated]: Ensure WEB app has Client Certificates Incoming client certificates set to On",
description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
displayName: "Georedundant backup should be enabled for Azure Database for MySQL",
description: "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
displayName: "Resource logs in App Services should be enabled",
description: "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised"
displayName: "Enforce SSL connection should be enabled for PostgreSQL database servers",
description: "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
displayName: "Enforce SSL connection should be enabled for MySQL database servers",
description: "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
displayName: "[Deprecated]: Ensure that PHP version is the latest if used as a part of the API app",
description: "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that PHP version is the latest if used as a part of the WEB app",
description: "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Java version is the latest if used as a part of the Web app",
description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Java version is the latest if used as a part of the Function app",
description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Java version is the latest if used as a part of the API app",
description: "Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Python version is the latest if used as a part of the Web app",
description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Python version is the latest if used as a part of the Function app",
description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "[Deprecated]: Ensure that Python version is the latest if used as a part of the API app",
description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.",
displayName: "Private endpoint should be enabled for PostgreSQL servers",
description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
displayName: "Private endpoint should be enabled for MariaDB servers",
description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
displayName: "Private endpoint should be enabled for MySQL servers",
description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
displayName: "[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled",
description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
displayName: "Cognitive Services accounts should enable data encryption with a customer-managed key",
description: "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
displayName: "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
description: "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
displayName: "Cosmos DB database accounts should have local authentication methods disabled",
description: "Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth."
displayName: "Key vaults should have purge protection enabled",
description: "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period."
displayName: "Key vaults should have soft delete enabled",
description: "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period."
displayName: "[Deprecated]: Azure Cache for Redis should reside within a virtual network",
description: "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network."
displayName: "Azure Cache for Redis should use private link",
description: "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link."
displayName: "Storage accounts should use customer-managed key for encryption",
description: "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data."
displayName: "Storage accounts should restrict network access using virtual network rules",
description: "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts."
displayName: "Container registries should be encrypted with a customer-managed key",
description: "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/acr/CMK."
displayName: "Container registries should not allow unrestricted network access",
description: "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet."
displayName: "Container registries should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link."
displayName: "App Configuration should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint."
displayName: "Azure Event Grid domains should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints."
displayName: "Azure Event Grid topics should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints."
displayName: "Azure SignalR Service should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/asrs/privatelink."
displayName: "Azure Machine Learning workspaces should be encrypted with a customer-managed key",
description: "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/azureml-workspaces-cmk."
displayName: "Azure Machine Learning workspaces should use private link",
description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink."
displayName: "Azure Web Application Firewall should be enabled for Azure Front Door entry-points",
description: "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file inclusion. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules."
displayName: "Web Application Firewall (WAF) should be enabled for Application Gateway",
description: "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file inclusion. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules."
displayName: "Public network access should be disabled for MariaDB servers",
description: "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
displayName: "Public network access should be disabled for MySQL servers",
description: "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
displayName: "MySQL servers should use customer-managed keys to encrypt data at rest",
description: "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
displayName: "Public network access should be disabled for PostgreSQL servers",
description: "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
displayName: "PostgreSQL servers should use customer-managed keys to encrypt data at rest",
description: "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
displayName: "VM Image Builder templates should use private link",
description: "Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface."
displayName: "Firewall should be enabled on Key Vault",
description: "Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault."
displayName: "Private endpoint should be configured for Key Vault",
description: "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration."
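The four Key Vault recommendations above (soft delete, purge protection, firewall, private endpoint) are worth checking together, because purge protection only has an effect when soft delete is on, and a vault with a default-action Allow firewall accepts traffic from any network. The following is an added example, not Azure's policy code: it evaluates constructed Microsoft.KeyVault/vaults resource documents using the ARM property names enableSoftDelete, enablePurgeProtection, networkAcls.defaultAction, publicNetworkAccess and privateEndpointConnections. The sample vaults are constructed, not exported from a subscription.

```python
"""Added example: evaluate Key Vault resource documents against the soft delete,
purge protection, firewall and private endpoint recommendations.
Not Azure's own policy code; the sample resources below are constructed."""
from __future__ import annotations

from typing import Any

SOFT_DELETE = "Key vaults should have soft delete enabled"
PURGE_PROTECTION = "Key vaults should have purge protection enabled"
FIREWALL = "Firewall should be enabled on Key Vault"
PRIVATE_ENDPOINT = "Private endpoint should be configured for Key Vault"

# Constructed sample resources, not exported from a real subscription.
SAMPLE_VAULTS = [
    {
        "name": "kv-prod-secrets",
        "properties": {
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 90,
            "enablePurgeProtection": True,
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
            "privateEndpointConnections": [
                {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
            ],
        },
    },
    {
        "name": "kv-dev-scratch",
        "properties": {
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 7,
            # enablePurgeProtection unset: a soft-deleted vault can still be purged.
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Allow"},
        },
    },
    {
        "name": "kv-legacy",
        "properties": {
            "enableSoftDelete": False,
            # Set without soft delete, so there is no retention window to enforce.
            "enablePurgeProtection": True,
        },
    },
]


def evaluate_vault(vault: dict[str, Any]) -> list[str]:
    """Return the recommendations the vault fails; an empty list means compliant."""
    props = vault.get("properties") or {}
    findings: list[str] = []

    soft_delete = props.get("enableSoftDelete") is True
    if not soft_delete:
        findings.append(SOFT_DELETE)

    # Purge protection is the mandatory retention window for soft-deleted vaults,
    # so it is only counted as effective when soft delete is on as well.
    if not (soft_delete and props.get("enablePurgeProtection") is True):
        findings.append(PURGE_PROTECTION)

    # Firewall: the service default is defaultAction Allow (any network). Either
    # Deny, or public network access disabled outright, satisfies the control.
    acls = props.get("networkAcls") or {}
    default_action = str(acls.get("defaultAction", "Allow")).lower()
    public_access = str(props.get("publicNetworkAccess", "Enabled")).lower()
    if default_action != "deny" and public_access != "disabled":
        findings.append(FIREWALL)

    # Private endpoint: only an approved connection counts; pending or rejected
    # connections carry no traffic.
    approved = [
        c for c in props.get("privateEndpointConnections") or []
        if str((c.get("properties") or {}).get("privateLinkServiceConnectionState", {})
               .get("status", "")).lower() == "approved"
    ]
    if not approved:
        findings.append(PRIVATE_ENDPOINT)
    return findings


def evaluate_vaults(vaults: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each vault name to its list of failed recommendations."""
    return {v["name"]: evaluate_vault(v) for v in vaults}


if __name__ == "__main__":
    for name, failed in evaluate_vaults(SAMPLE_VAULTS).items():
        print(f"{name}: {'compliant' if not failed else '; '.join(failed)}")
```

Feeding the output of `az keyvault show` (or a Resource Graph query) into `evaluate_vault` gives the same verdicts the built-in policies produce, and the ordering of checks makes the dependency visible: kv-legacy fails purge protection despite having the flag set, because without soft delete there is nothing for the retention period to apply to.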
displayName: "Azure Spring Cloud should use network injection",
description: "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud."
displayName: "Subscriptions should have a contact email address for security issues",
description: "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center."
displayName: "[Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription",
description: "To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",
displayName: "Email notification for high severity alerts should be enabled",
description: "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center."
displayName: "Email notification to subscription owner for high severity alerts should be enabled",
description: "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center."
displayName: "Authentication to Linux machines should require SSH keys",
description: "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
displayName: "Public network access on Azure SQL Database should be disabled",
description: "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules."
displayName: "[Deprecated]: Ensure API app has Client Certificates Incoming client certificates set to On",
description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
displayName: "Kubernetes clusters should be accessible only over HTTPS",
description: "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc"
displayName: "Kubernetes namespaces to exclude from evaluation of HTTPS only access",
description: "List of Kubernetes namespaces to exclude from evaluation of HTTPS only access. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Windows web servers should be configured to use secure communication protocols",
description: "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines."
displayName: "Cognitive Services accounts should restrict network access",
description: "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges."
displayName: "[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption",
description: "This policy audits any Cognitive Services account using neither customer-owned storage nor data encryption. For each Cognitive Services account with storage, use either customer-owned storage or enable data encryption.",
displayName: "[Deprecated]: Public network access should be disabled for Cognitive Services accounts",
description: "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.",
displayName: "[Deprecated]: Cognitive Services accounts should enable data encryption",
description: "This policy audits any Cognitive Services account not using data encryption. Each Cognitive Services account with storage should enable data encryption with either a customer-managed or a Microsoft-managed key.",
displayName: "API Management services should use a virtual network",
description: "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network."
displayName: "Azure Cosmos DB accounts should have firewall rules",
description: "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant."
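The description above states the exact compliance rule (public network access disabled, or at least one IP rule while the virtual network filter is enabled), and the earlier "Cosmos DB database accounts should have local authentication methods disabled" entry adds a second account-level check. The following is an added example, not Azure's policy code, that applies both rules to constructed Microsoft.DocumentDB/databaseAccounts documents; the property names publicNetworkAccess, isVirtualNetworkFilterEnabled, ipRules, the legacy ipRangeFilter string and disableLocalAuth follow the ARM resource schema, and the accounts are constructed.

```python
"""Added example: Cosmos DB firewall-rule and local-auth compliance checks.
Not Azure's policy code; the sample accounts are constructed."""
from __future__ import annotations

from typing import Any

# Cosmos DB treats the literal 0.0.0.0 rule as "allow connections from Azure
# datacenters", which is far broader than a customer-owned address range.
AZURE_DATACENTER_RULE = "0.0.0.0"

# Constructed sample accounts, not exported from a real subscription.
SAMPLE_ACCOUNTS = [
    {"name": "cosmos-orders", "properties": {
        "publicNetworkAccess": "Enabled",
        "isVirtualNetworkFilterEnabled": True,
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
        "disableLocalAuth": True}},
    {"name": "cosmos-analytics", "properties": {
        "publicNetworkAccess": "Disabled",
        "isVirtualNetworkFilterEnabled": False,
        "ipRules": [],
        "disableLocalAuth": False}},
    {"name": "cosmos-sandbox", "properties": {
        "publicNetworkAccess": "Enabled",
        "isVirtualNetworkFilterEnabled": False,
        # Older API versions expose the rules as a comma-separated string.
        "ipRangeFilter": "0.0.0.0,198.51.100.7"}},
    {"name": "cosmos-vnet-only", "properties": {
        "publicNetworkAccess": "Enabled",
        "isVirtualNetworkFilterEnabled": True,
        "ipRules": []}},
]


def ip_rules(props: dict[str, Any]) -> list[str]:
    """Normalise ipRules (list of objects) or legacy ipRangeFilter (string) to a list."""
    rules = [r.get("ipAddressOrRange", "") for r in props.get("ipRules") or []]
    legacy = props.get("ipRangeFilter") or ""
    rules += [s.strip() for s in legacy.split(",") if s.strip()]
    return [r for r in rules if r]


def firewall_compliant(props: dict[str, Any]) -> bool:
    """The rule from the recommendation text: public access disabled, or at
    least one IP rule while the virtual network filter is enabled."""
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return True
    return bool(ip_rules(props)) and props.get("isVirtualNetworkFilterEnabled") is True


def evaluate_account(account: dict[str, Any]) -> dict[str, Any]:
    """Compliance verdicts for one account, plus a warning that the policy
    itself does not raise."""
    props = account.get("properties") or {}
    return {
        "firewall_rules": firewall_compliant(props),
        "local_auth_disabled": props.get("disableLocalAuth") is True,
        # Not a compliance criterion, but worth surfacing: an account can pass
        # the firewall check while still admitting every Azure datacenter.
        "azure_datacenter_rule": AZURE_DATACENTER_RULE in ip_rules(props),
    }


def evaluate_accounts(accounts: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    return {a["name"]: evaluate_account(a) for a in accounts}


if __name__ == "__main__":
    for name, verdict in evaluate_accounts(SAMPLE_ACCOUNTS).items():
        print(name, verdict)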
description: "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure."
displayName: "Azure Defender for Resource Manager should be enabled",
description: "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center."
displayName: "[Deprecated]: Azure Defender for DNS should be enabled",
description: "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.",
displayName: "Azure Defender for open-source relational databases should be enabled",
description: "Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center."
displayName: "Microsoft Defender CSPM should be enabled",
description: "Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud."
displayName: "Kubernetes clusters should not use the default namespace",
description: "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes clusters should disable automounting API credentials",
description: "Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc."
displayName: "Kubernetes namespaces to exclude from restricting automounting API credentials",
description: "List of Kubernetes namespaces to exclude from evaluation to restrict automounting API credentials. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
displayName: "Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
description: "To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc."
displayName: "Kubernetes namespaces to exclude from restricting CAP_SYS_ADMIN Linux capabilities",
description: "List of Kubernetes namespaces to exclude from evaluation to restrict CAP_SYS_ADMIN Linux capabilities. To list multiple namespaces, use semicolons (;) to separate them. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design."
description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
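The two Kubernetes recommendations above (no automounted API credentials, no CAP_SYS_ADMIN) share the same namespace-exclusion parameter: a semicolon-separated list, with kube-system, gatekeeper-system and azure-arc always excluded. The following is an added example, not Azure's Gatekeeper constraint templates, that evaluates constructed pod specs the way a cluster-side check would: the pods are constructed, `automountServiceAccountToken` is treated as true when omitted (its Kubernetes default), and capability names are compared after stripping the optional CAP_ prefix. It also flags privileged containers, which goes beyond the policy text because a privileged container receives SYS_ADMIN without listing it.

```python
"""Added example: evaluate pod specs for automounted API credentials and
CAP_SYS_ADMIN, honouring the namespace-exclusion parameter.
Not Azure's policy templates; the sample pods are constructed."""
from __future__ import annotations

from typing import Any

SYSTEM_NAMESPACES = frozenset({"kube-system", "gatekeeper-system", "azure-arc"})


def parse_excluded_namespaces(param: str) -> frozenset[str]:
    """Parse the policy parameter ("ns1;ns2") and add the built-in exclusions."""
    user = {ns.strip() for ns in param.split(";") if ns.strip()}
    return frozenset(user) | SYSTEM_NAMESPACES


def normalise_capability(cap: str) -> str:
    """Pod specs usually write SYS_ADMIN, but runtimes also accept CAP_SYS_ADMIN
    and mixed case; compare on one canonical form."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_findings(pod: dict[str, Any], excluded: frozenset[str]) -> list[str]:
    """Return findings for one pod; an empty list means compliant or excluded."""
    namespace = (pod.get("metadata") or {}).get("namespace", "default")
    if namespace in excluded:
        return []
    spec = pod.get("spec") or {}
    findings: list[str] = []

    # The field defaults to true when omitted, so only an explicit false passes.
    # (A ServiceAccount-level setting also exists; pod-level false always wins.)
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken")

    containers = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
    for container in containers:
        sc = container.get("securityContext") or {}
        caps = (sc.get("capabilities") or {}).get("add") or []
        if "SYS_ADMIN" in {normalise_capability(c) for c in caps}:
            findings.append(f"CAP_SYS_ADMIN:{container['name']}")
        # Beyond the policy text: privileged containers get the full capability
        # set, SYS_ADMIN included, without listing it under capabilities.add.
        if sc.get("privileged") is True:
            findings.append(f"privileged:{container['name']}")
    return findings


def evaluate_pods(pods: list[dict[str, Any]], excluded_param: str = "") -> dict[str, list[str]]:
    """Map namespace/name to findings for every pod, applying the exclusions."""
    excluded = parse_excluded_namespaces(excluded_param)
    result: dict[str, list[str]] = {}
    for pod in pods:
        meta = pod.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta['name']}"
        result[key] = pod_findings(pod, excluded)
    return result


# Constructed sample pods, not taken from a real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "api", "namespace": "payments"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "api", "image": "registry.example/api:1.4"}]}},
    {"metadata": {"name": "debug", "namespace": "payments"},
     "spec": {"containers": [{"name": "shell", "image": "registry.example/tools:latest",
                              "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}}]}},
    {"metadata": {"name": "agent", "namespace": "monitoring"},
     "spec": {"automountServiceAccountToken": False,
              "initContainers": [{"name": "setup",
                                  "securityContext": {"capabilities": {"add": ["cap_sys_admin"]}}}],
              "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "csi-driver", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "driver",
                              "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}},
]

if __name__ == "__main__":
    for key, findings in evaluate_pods(SAMPLE_PODS, "monitoring;logging").items():
        print(key, findings or "ok")
```

Running with an empty exclusion parameter reports the monitoring pod; passing "monitoring;logging" silences it while kube-system stays excluded either way. Init containers are checked alongside regular containers because a SYS_ADMIN grant in an init container is just as usable for a host escape.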
displayName: "vTPM should be enabled on supported virtual machines",
description: "Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
displayName: "Secure Boot should be enabled on supported Windows virtual machines",
description: "Enable Secure Boot on supported Windows virtual machines to mitigate malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines."
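The vTPM and Secure Boot entries above, and the earlier "Authentication to Linux machines should require SSH keys" entry, each carry an applicability rule: SSH keys are assessed on Linux VMs only, vTPM on trusted launch VMs only, Secure Boot on trusted launch Windows VMs only. The following is an added example, not Azure's policy code, that evaluates constructed Microsoft.Compute/virtualMachines documents with those rules; the property names osProfile.linuxConfiguration.disablePasswordAuthentication, securityProfile.securityType and securityProfile.uefiSettings follow the ARM schema, and the VMs are constructed.

```python
"""Added example: SSH-key, vTPM and Secure Boot checks for VM resource documents,
including the applicability rules from the recommendation text.
Not Azure's policy code; the sample VMs are constructed."""
from __future__ import annotations

from typing import Any

PASS, FAIL, NA = "pass", "fail", "n/a"


def os_family(props: dict[str, Any]) -> str:
    """Derive the guest OS family from which osProfile block is present."""
    os_profile = props.get("osProfile") or {}
    if "linuxConfiguration" in os_profile:
        return "linux"
    if "windowsConfiguration" in os_profile:
        return "windows"
    return "unknown"


def evaluate_vm(vm: dict[str, Any]) -> dict[str, str]:
    """Return pass/fail/n-a for each of the three controls."""
    props = vm.get("properties") or {}
    family = os_family(props)
    security = props.get("securityProfile") or {}
    trusted_launch = security.get("securityType") == "TrustedLaunch"
    uefi = security.get("uefiSettings") or {}

    result = {"ssh_keys": NA, "vtpm": NA, "secure_boot": NA}

    # SSH: password authentication must be disabled; an unset field means the
    # platform default, which still allows passwords.
    if family == "linux":
        linux = props["osProfile"]["linuxConfiguration"]
        result["ssh_keys"] = PASS if linux.get("disablePasswordAuthentication") is True else FAIL

    # vTPM and Secure Boot are only assessed on trusted launch VMs; a standard
    # (Generation 1/2 without trusted launch) VM has no uefiSettings block.
    if trusted_launch:
        result["vtpm"] = PASS if uefi.get("vTpmEnabled") is True else FAIL
        if family == "windows":
            result["secure_boot"] = PASS if uefi.get("secureBootEnabled") is True else FAIL
    return result


def evaluate_vms(vms: list[dict[str, Any]]) -> dict[str, dict[str, str]]:
    return {v["name"]: evaluate_vm(v) for v in vms}


# Constructed sample VMs, not exported from a real subscription.
SAMPLE_VMS = [
    {"name": "vm-linux-tl", "properties": {
        "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": True}},
        "securityProfile": {"securityType": "TrustedLaunch",
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}}},
    {"name": "vm-win-tl", "properties": {
        "osProfile": {"windowsConfiguration": {"provisionVMAgent": True}},
        "securityProfile": {"securityType": "TrustedLaunch",
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": False}}}},
    {"name": "vm-linux-std", "properties": {
        "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": False}}}},
]

if __name__ == "__main__":
    for name, verdict in evaluate_vms(SAMPLE_VMS).items():
        print(name, verdict)
```

The "n/a" verdicts matter when aggregating: vm-linux-std is not compliant with vTPM in any meaningful sense, it simply cannot be assessed until it is redeployed as a trusted launch VM, which is how the built-in policies scope the assessment.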
displayName: "Guest Attestation extension should be installed on supported Linux virtual machines",
description: "Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines."
displayName: "Guest Attestation extension should be installed on supported Linux virtual machines scale sets",
description: "Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets."
displayName: "Guest Attestation extension should be installed on supported Windows virtual machines",
description: "Install Guest Attestation extension on supported Windows virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Windows virtual machines."
displayName: "Guest Attestation extension should be installed on supported Windows virtual machines scale sets",
description: "Install Guest Attestation extension on supported Windows virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Windows virtual machine scale sets."
displayName: "Linux virtual machines should use only signed and trusted boot components",
description: "All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components."
displayName: "[Deprecated]: Endpoint protection health issues should be resolved on your machines",
description: "Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Microsoft Defender for Cloud supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",