api-version=2023-04-01
{ 9 items displayName: "SOC 2 Type 2" , policyType: "BuiltIn" , description: "A System and Organization Controls (SOC) 2 is a report based on the Trust Service Principles and Criteria established by the American Institute of Certified Public Accountants (AICPA). The Report evaluates an organization's information system relevant to the following principles: security, availability, processing integrity, confidentiality and privacy. These policies address a subset of SOC 2 Type 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-soc-2" , metadata: { 2 items version: "1.11.0" , category: "Regulatory Compliance" } , version: "1.11.0" , parameters: { 242 items effect-82339799-d096-41ae-8538-b108becf0970: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-48af4db5-9b8b-401c-8e74-076be876a430: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-0ec47710-77ff-4a3d-9181-6aa50af424d0: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-013e242c-8828-4970-87b3-ab247555486d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Backup should be enabled for Virtual Machines" , description: "For more information about effects, visit 
https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-6e2593d9-add6-4083-9c9b-4b7d2188c899: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Email notification for high severity alerts should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Subscriptions should have a contact email address for security issues" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0b15565f-aa9e-48ba-8619-45960f2c314d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Vulnerability assessment should be enabled on your SQL servers" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items 
"AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-f8456c1c-aa66-4dfb-861a-25d127b775c9: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: External accounts with owner permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-339353f6-2387-4a45-abe4-7f529d121046: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: External accounts with owner permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription" , description: "For more information 
about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0cfea604-3201-4e14-88fc-fae4c427a6c5: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-4f11b553-d42e-4e3a-89be-32ca364cad4c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: A maximum of 3 owners should be designated for your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: There should be more than one owner assigned to your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Internet-facing virtual machines should be protected with network security groups" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-e71308d3-144b-4262-b144-efdc3cc90517: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Subnets should be associated with a Network Security Group" , description: "For more information about effects, visit 
https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-bb91dfba-c30d-4263-9add-9c2384e659a6: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Non-internet-facing virtual machines should be protected with network security groups" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-9daedab3-fb2d-461e-b861-71790eead4f6: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: All network ports should be restricted on network security groups associated to your virtual machine" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-22730e10-96f6-4aac-ad84-9383d35b5917: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Management ports should be closed on your virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines" , description: "For 
more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-f9d614c5-c173-4d56-95a7-b4437057d193: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should use the latest TLS version" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-a4af4a39-4135-47fb-b175-47fbdf85311d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: App Service apps should only be accessible over HTTPS" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Disabled" , "Deny" ] , defaultValue: "Audit" } , effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should only be accessible over HTTPS" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , IncludeArcMachines: { 4 items type: "String" , metadata: { 2 items displayName: 
"Include Arc connected servers" , description: "By selecting this option, you agree to be charged monthly per Arc connected machine." } , allowedValues: [ 2 items ] , defaultValue: "false" } , minimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112: { 4 items type: "String" , metadata: { 2 items displayName: "Minimum TLS version" , description: "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant." } , allowedValues: [ 2 items ] , defaultValue: "1.2" } , effect-5752e6d6-1206-46d8-8ab1-ecc2f71a8112: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Windows web servers should be configured to use secure communication protocols" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: App Service apps should require FTPS only" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-404c3081-a854-4457-ae30-26a93ef643f9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Secure transfer to storage accounts should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-399b2637-a50f-4f95-96f8-3a145476eb15: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should require FTPS only" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" 
} , effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes clusters should be accessible only over HTTPS" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." 
} , defaultValue: {} } , effect-e3576e28-8b17-4677-84c3-db2990658d64: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled on accounts with read permissions on your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled on accounts with read permissions on your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-aa633080-8b72-40c4-a2d7-d00c03e80bed: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-e3e008c3-56b9-4133-8fd7-d3347377402a: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-9297c21d-2ed6-4474-b48f-163f75654ce3: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled accounts with write permissions on your subscription" , description: "For more information about effects, visit 
https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-931e118d-50a1-4457-a5e4-78550e086c52: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: MFA should be enabled accounts with write permissions on your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-630c64f9-8b6b-4c64-b511-6544ceff6fd6: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Authentication to Linux machines should require SSH keys" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-fbb99e8e-e444-4da0-9ff1-75c92f5a85b2: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Storage account containing the container with activity logs must be encrypted with BYOK" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-ac01ad65-10e5-46df-bdd9-6b0cad13e1d2: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest" , description: "For more information about effects, visit 
https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: MySQL servers should use customer-managed keys to encrypt data at rest" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-6fac406b-40ca-413b-bf8e-0bf964659c25: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Storage accounts should use customer-managed key for encryption" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Container registries should be encrypted with a customer-managed key" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , 
effect-18adea5e-f416-4d0f-8aa8-d24321e3e274: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: PostgreSQL servers should use customer-managed keys to encrypt data at rest" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0a370ff3-6cab-4e85-8995-295fd854c5b8: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-98728c90-32c7-4049-8429-847dc0f4fe37: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Key Vault secrets should have an expiration date" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Key Vault keys should have an expiration date" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560: { 3 items type: "Integer" , metadata: { 2 items displayName: "The maximum validity in months" , description: "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren't best practice." 
} , defaultValue: 12 } , effect-0a075868-4c26-42ef-914c-5bc007359560: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Certificates should have the specified maximum validity period" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Key vaults should have soft delete enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Key vaults should have purge protection enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-617c02be-7f02-4efd-8836-3180d47b6c68: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-3657f5a0-770e-44a3-b44e-9431ba1e9735: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Automation account variables should be encrypted" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-17k78e20-9358-41c9-923c-fb736d382a12: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Transparent Data 
Encryption on SQL databases should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0961003e-5a0a-4549-abde-af6a37f2724d: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Deprecated accounts should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-8d7e1fde-fe26-4b5f-8108-f8e432cbc2be: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Deprecated accounts should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: External accounts with read permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-e9ac8f8e-ce22-4355-8f04-99b911d6be52: { 4 items type: "String" , metadata: { 2 items 
displayName: "Effect for policy: External accounts with read permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: External accounts with write permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-94e1c2ac-cbbe-4cac-a2b5-389c812dee87: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: External accounts with write permissions should be removed from your subscription" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Audit usage of custom RBAC rules" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-fc5e4038-4584-4632-8c85-c0448d374b2c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: All Internet traffic should be routed via your deployed Azure Firewall" , 
description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-bd352bd5-2853-4985-bf0d-73806b4a5744: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: IP Forwarding on your virtual machine should be disabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Web Application Firewall should be enabled for Azure Front Door entry-points" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-febd0533-8e55-448f-b837-bd0e06f16469: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers should only use allowed images" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-febd0533-8e55-448f-b837-bd0e06f16469: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. 
System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-febd0533-8e55-448f-b837-bd0e06f16469: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-febd0533-8e55-448f-b837-bd0e06f16469: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469: { 2 items type: "String" , metadata: { 2 items displayName: "Allowed registry or registries regex" , description: "The RegEx rule used to match allowed container image field in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^[^\/]+\.azurecr\.io\/.+$ and for multiple registries: ^([^\/]+\.azurecr\.io|registry\.io)\/.+$" } } , excludedContainers-febd0533-8e55-448f-b837-bd0e06f16469: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the name of the container. Use an empty list to apply this policy to all containers in all namespaces." 
} , defaultValue: [] } , effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 4 items type: "String" , metadata: { 2 items displayName: "Run as user rule" , description: "The 'RunAsUser' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MustRunAsNonRoot requires the pod be submitted with non-zero runAsUser or have USER directive defined (using a numeric UID) in the image. 
RunAsAny allows any runAsUser to be specified" } , allowedValues: [ 3 items "MustRunAs" , "MustRunAsNonRoot" , "RunAsAny" ] , defaultValue: "MustRunAsNonRoot" } , runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Object" , metadata: { 2 items displayName: "Allowed user ID ranges" , description: "The user ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs'." } , defaultValue: { 1 item } } , runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 4 items type: "String" , metadata: { 2 items displayName: "Run as group rule" , description: "The 'RunAsGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'RunAsGroup' be specified. RunAsAny allows any" } , allowedValues: [ 3 items "MustRunAs" , "MayRunAs" , "RunAsAny" ] , defaultValue: "RunAsAny" } , runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Object" , metadata: { 2 items displayName: "Allowed group ID ranges" , description: "The group ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'." } , defaultValue: { 1 item } } , supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 4 items type: "String" , metadata: { 2 items displayName: "Supplemental group rule" , description: "The 'SupplementalGroups' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'SupplementalGroups' be specified. 
RunAsAny allows any" } , allowedValues: [ 3 items "MustRunAs" , "MayRunAs" , "RunAsAny" ] , defaultValue: "RunAsAny" } , supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Object" , metadata: { 2 items displayName: "Allowed supplemental group ID ranges" , description: "The supplemental group ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'." } , defaultValue: { 1 item } } , fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 4 items type: "String" , metadata: { 2 items displayName: "File system group rule" , description: "The 'FSGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'FSGroup' be specified. RunAsAny allows any" } , allowedValues: [ 3 items "MustRunAs" , "MayRunAs" , "RunAsAny" ] , defaultValue: "RunAsAny" } , fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Object" , metadata: { 2 items displayName: "Allowed file system group ID ranges" , description: "The file system group ranges that are allowed for pods to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'." } , defaultValue: { 1 item } } , excludedContainers-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-f06ddb64-5fa3-4b77-b166-acb36f7f6042: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. 
Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-eaebaea7-8013-4ceb-9d14-7eb32271373c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should have 'Client Certificates (Incoming client certificates)' enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-e345eecc-fa47-480f-9e88-67dcc122b164: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-e345eecc-fa47-480f-9e88-67dcc122b164: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-e345eecc-fa47-480f-9e88-67dcc122b164: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
} , defaultValue: [] } , labelSelector-e345eecc-fa47-480f-9e88-67dcc122b164: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164: { 2 items type: "String" , metadata: { 2 items displayName: "Max allowed CPU units" , description: "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits" } } , memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164: { 2 items type: "String" , metadata: { 2 items displayName: "Max allowed memory bytes" , description: "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits" } } , excludedContainers-e345eecc-fa47-480f-9e88-67dcc122b164: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-e345eecc-fa47-480f-9e88-67dcc122b164: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." 
} , defaultValue: [] } , effect-e2c1c086-2d84-4019-bff3-c44ccd95113c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should use latest 'HTTP Version'" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-df49d893-a74c-421d-bc95-c663042e5b80: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers should run with a read only root file system" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-df49d893-a74c-421d-bc95-c663042e5b80: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-df49d893-a74c-421d-bc95-c663042e5b80: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-df49d893-a74c-421d-bc95-c663042e5b80: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." 
} , defaultValue: {} } , excludedContainers-df49d893-a74c-421d-bc95-c663042e5b80: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-df49d893-a74c-421d-bc95-c663042e5b80: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-d2e7ea85-6b44-4317-a0be-1b951587f626: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-d2e7ea85-6b44-4317-a0be-1b951587f626: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-d2e7ea85-6b44-4317-a0be-1b951587f626: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. 
An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-d2e7ea85-6b44-4317-a0be-1b951587f626: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , excludedContainers-d2e7ea85-6b44-4317-a0be-1b951587f626: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-d2e7ea85-6b44-4317-a0be-1b951587f626: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." 
} , defaultValue: [] } , effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: App Service apps should have remote debugging turned off" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-c9d007d0-c057-4772-b18c-01e546713bcd: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Storage accounts should allow access from trusted Microsoft services" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers should only use allowed capabilities" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
} , defaultValue: [] } , labelSelector-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Allowed capabilities" , description: "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything." } , defaultValue: [] } , requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Required drop capabilities" , description: "The list of capabilities that must be dropped by a container." } , defaultValue: [] } , excludedContainers-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-c26596ff-4d70-4e6a-9a30-c2506bd2f80c: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." 
} , defaultValue: [] } , effect-9f061a12-e40d-4183-a00e-171812443373: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes clusters should not use the default namespace" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-9f061a12-e40d-4183-a00e-171812443373: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-9f061a12-e40d-4183-a00e-171812443373: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [ 1 item ] } , labelSelector-9f061a12-e40d-4183-a00e-171812443373: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." 
} , defaultValue: {} } , effect-95edb821-ddaf-4404-9732-666045e056b4: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster should not allow privileged containers" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-95edb821-ddaf-4404-9732-666045e056b4: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-95edb821-ddaf-4404-9732-666045e056b4: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-95edb821-ddaf-4404-9732-666045e056b4: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , excludedContainers-95edb821-ddaf-4404-9732-666045e056b4: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." 
} , defaultValue: [] } , excludedImages-95edb821-ddaf-4404-9732-666045e056b4: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: App Service apps should use latest 'HTTP Version'" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster pods should only use approved host network and port range" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. 
An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Boolean" , metadata: { 2 items displayName: "Allow host network usage" , description: "Set this value to true if pod is allowed to use host network otherwise false." } , defaultValue: false } , minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Integer" , metadata: { 2 items displayName: "Min host port" , description: "The minimum value in the allowable host port range that pods can use in the host network namespace." } , defaultValue: 0 } , maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Integer" , metadata: { 2 items displayName: "Max host port" , description: "The maximum value in the allowable host port range that pods can use in the host network namespace." } , defaultValue: 0 } , excludedContainers-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-82985f06-dc18-4a48-bc1c-b9f4f0098cfe: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. 
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-6b2122c1-8120-4ff5-801b-17625a355590: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-5bb220d9-2698-4ee4-8404-b9c30c9df609: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items ] , defaultValue: "Disabled" } , effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: App Service apps should not have CORS configured to allow every resource to access your apps" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-511f5417-5d12-434d-ab2e-816901e72a5e: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from 
policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Array" , metadata: { 2 items displayName: "Allowed AppArmor profiles" , description: "The list of AppArmor profiles that containers are allowed to use. E.g. [ "runtime/default", "docker/default" ]. Provide empty list as input to block everything." } , defaultValue: [ 1 item ] } , excludedContainers-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-511f5417-5d12-434d-ab2e-816901e72a5e: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. 
start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , excludedImages-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. 
start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-423dd1ba-798e-40e4-9c4d-b6902674b423: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes clusters should disable automounting API credentials" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedImages-423dd1ba-798e-40e4-9c4d-b6902674b423: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , excludedNamespaces-423dd1ba-798e-40e4-9c4d-b6902674b423: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-423dd1ba-798e-40e4-9c4d-b6902674b423: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
} , defaultValue: [] } , labelSelector-423dd1ba-798e-40e4-9c4d-b6902674b423: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , effect-233a2a17-77ca-4fb1-9b6b-69223d272a44: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster services should listen only on allowed ports" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-233a2a17-77ca-4fb1-9b6b-69223d272a44: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44: { 3 items type: "Array" , metadata: { 2 items displayName: "Allowed service ports list" , description: "The list of service ports allowed in a Kubernetes cluster. Array only accepts strings. 
Example: ["443", "80"]" } , defaultValue: [] } , effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes clusters should not allow container privilege escalation" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." } , defaultValue: [] } , labelSelector-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , excludedContainers-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the name of container. Use an empty list to apply this policy to all containers in all namespaces." 
} , defaultValue: [] } , excludedImages-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." } , defaultValue: [] } , effect-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: [Preview]: Kubernetes clusters should gate deployment of vulnerable images" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Disabled" } , excludedNamespaces-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Array" , metadata: { 3 items displayName: "[Deprecated]: Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." , deprecated: true } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Array" , metadata: { 3 items displayName: "[Deprecated]: Namespace inclusions" , description: "List of Kubernetes namespaces the policy would apply to. An empty list means the policy is applied to all resources in all namespaces." 
, deprecated: true } , defaultValue: [] } , labelSelector-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Object" , metadata: { 3 items displayName: "[Deprecated]: Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." , deprecated: true } , defaultValue: {} } , excludedImages-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Array" , metadata: { 3 items displayName: "[Deprecated]: Excluded images regex" , description: "A list of RegEx rules used to exclude container images from policy evaluation. For example: exclude all images from the repo microsoft-defender-in-cluster-defense-repo in the blockreg ACR - ["(blockreg.azurecr.io/microsoft-defender-in-cluster-defense-repo).*"]. Use an empty list to apply this policy to all container images." , deprecated: true } , defaultValue: [] } , severityThresholdForExcludingNotPatchableFindings-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Severity threshold for excluding vulnerabilities without a patch" , description: "Specify the maximum severity for exempting vulnerabilities without a patch. For example, specify Medium to ignore Low and Medium vulnerabilities without a patch." , deprecated: true } , allowedValues: [ 4 items "None" , "Low" , "Medium" , "High" ] , defaultValue: "None" } , excludeFindingIDs-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Array" , metadata: { 3 items displayName: "[Deprecated]: Exclude findings IDs" , description: "A list of finding IDs that the policy should exempt." , deprecated: true } , defaultValue: [] } , severity-13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759: { 3 items type: "Object" , metadata: { 3 items displayName: "[Deprecated]: Severity threshold" , description: "The number of allowed findings per severity for an image. e.g. 
"{"High":0,"Medium":3,"Low":10}"" , deprecated: true } , defaultValue: { 3 items } } , effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should have remote debugging turned off" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0a15ec92-a229-4763-bb14-0ea34a568f8d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-098fc59e-46c7-4d99-9b16-64990e543d75: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , defaultValue: "Audit" } , excludedNamespaces-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
} , defaultValue: [] } , labelSelector-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Object" , metadata: { 2 items displayName: "Kubernetes label selector" , description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." } , defaultValue: {} } , allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Object" , metadata: { 2 items displayName: "Allowed host paths" , description: "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths." } , defaultValue: { 1 item } } , excludedContainers-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Array" , metadata: { 2 items displayName: "Containers exclusions" , description: "The list of InitContainers and Containers to exclude from readonly evaluation. It will not exclude the disallowed host path. The identifier is the name of container. Use an empty list to apply this policy to all containers in all namespaces." } , defaultValue: [] } , excludedImages-098fc59e-46c7-4d99-9b16-64990e543d75: { 3 items type: "Array" , metadata: { 2 items displayName: "Image exclusions" , description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository." 
} , defaultValue: [] } , effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Function apps should not have CORS configured to allow every resource to access your apps" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-fc9b3da7-8347-4380-8e70-0a0361d8dedd: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Linux machines should meet requirements for the Azure compute security baseline" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-f655e522-adff-494d-95c2-52d4f6d56a42: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-c0e996f8-39cf-4af9-9f45-83fbde810432: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Only approved VM extensions should be installed" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 3 items "Audit" , "Deny" , "Disabled" ] , 
defaultValue: "Audit" } , approvedExtensions-c0e996f8-39cf-4af9-9f45-83fbde810432: { 3 items type: "Array" , metadata: { 2 items displayName: "Approved extensions" , description: "The list of approved extension types that can be installed. Example: AzureDiskEncryption" } , defaultValue: [] } , effect-ae89ebca-1c92-4898-ac2c-9f63decb045c: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Guest Configuration extension should be installed on your machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-a21f8c92-9e22-4f09-b759-50500d1d2dda: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-97566dd7-78ae-4997-8b36-1c7bfe0d8121: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Secure Boot should be enabled on supported Windows virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-72650e9f-97bc-4b2a-ab5f-9781a9fcecbc: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Windows machines should meet requirements of the Azure compute security baseline" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-672fe5a1-2fcd-42d7-b85d-902b6e28c6ff: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Guest 
Attestation extension should be installed on supported Linux virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-1cb4d9c2-f88f-4069-bee0-dba239a57b09: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-1c30f9cd-b84c-49cc-aa2c-9288447cc3b3: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: vTPM should be enabled on supported virtual machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-47a6b606-51aa-4496-8bb7-64b11cf66adc: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-123a3936-f020-408a-ba0c-47873faf1534: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Allowlist rules in your adaptive application control policy should be updated" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-af6cd1bd-1635-48cb-bde7-5b15693900b9: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: 
Effect for policy: Monitor missing Endpoint Protection in Azure Security Center" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Endpoint protection health issues should be resolved on your machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-26a828e1-e88f-464e-bbb3-c134a282b9de: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-1f7c564c-0a90-4d44-b7e1-9d456cffaee8: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Endpoint protection should be installed on your machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-c5447c04-a4d7-4ba8-a263-c9ee321a6858: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: An activity log alert should exist for specific Policy operations" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , operationName-c5447c04-a4d7-4ba8-a263-c9ee321a6858: { 4 items type: "String" , metadata: { 2 items 
displayName: "Operation Name" , description: "Policy Operation name for which activity log alert should exist" } , allowedValues: [ 2 items "Microsoft.Authorization/policyAssignments/write" , "Microsoft.Authorization/policyAssignments/delete" ] , defaultValue: "Microsoft.Authorization/policyAssignments/write" } , effect-c3d20c29-b36d-48fe-808b-99a87530ad99: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for Resource Manager should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , notAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40: { 4 items type: "String" , metadata: { 2 items displayName: "Status if Windows Defender is not available on machine" , description: "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant." 
} , allowedValues: [ 2 items "Compliant" , "Non-Compliant" ] , defaultValue: "Compliant" } , effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Windows Defender Exploit Guard should be enabled on your machines" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-b954148f-4c11-4c38-8221-be76711e194a: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: An activity log alert should exist for specific Administrative operations" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , operationName-b954148f-4c11-4c38-8221-be76711e194a: { 4 items type: "String" , metadata: { 2 items displayName: "Operation Name" , description: "Administrative Operation name for which activity log alert should be configured" } , allowedValues: [ 10 items "Microsoft.Sql/servers/firewallRules/write" , "Microsoft.Sql/servers/firewallRules/delete" , "Microsoft.Network/networkSecurityGroups/write" , "Microsoft.Network/networkSecurityGroups/delete" , "Microsoft.ClassicNetwork/networkSecurityGroups/write" , "Microsoft.ClassicNetwork/networkSecurityGroups/delete" , "Microsoft.Network/networkSecurityGroups/securityRules/write" , "Microsoft.Network/networkSecurityGroups/securityRules/delete" , "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write" , "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete" ] , defaultValue: "Microsoft.Sql/servers/firewallRules/write" } , effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for SQL should be enabled for unprotected SQL Managed Instances" , description: "For more 
information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for SQL should be enabled for unprotected Azure SQL servers" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-a1840de2-8088-4ea8-b153-b4c723e9cb01: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Kubernetes Service clusters should have Defender profile enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items ] , defaultValue: "Audit" } , effect-8dfab9c4-fe7b-49ad-85e4-1e9be085358f: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-6581d072-105e-4418-827f-bd446d56421b: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for SQL servers on machines should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: 
[ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for servers should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-3b980d31-7904-4bb7-8575-5665739a8052: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: An activity log alert should exist for specific Security operations" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , operationName-3b980d31-7904-4bb7-8575-5665739a8052: { 4 items type: "String" , metadata: { 2 items displayName: "Operation Name" , description: "Security Operation name for which activity log alert should exist" } , allowedValues: [ 3 items "Microsoft.Security/policies/write" , "Microsoft.Security/securitySolutions/write" , "Microsoft.Security/securitySolutions/delete" ] , defaultValue: "Microsoft.Security/policies/write" } , effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa: { 4 items type: "String" , metadata: { 3 items displayName: "[Deprecated]: Effect for policy: Azure Defender for Storage should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" , deprecated: true } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "Disabled" } , effect-640d2586-54d2-465f-877f-9ffc1d2109f4: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Microsoft Defender for Storage should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: 
"AuditIfNotExists" } , effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for App Service should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-1c988dd6-ade4-430f-a608-2a3e5b0a6d38: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Microsoft Defender for Containers should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0e6763cc-5078-4e64-889d-ff4d9a839047: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for Key Vault should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-0a9fbe0d-c5c4-4da8-87d8-f4fd77338835: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Azure Defender for open-source relational databases should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , effect-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6: { 4 items type: "String" , metadata: { 2 items displayName: "Effect for policy: Network Watcher should be enabled" , description: "For more information about effects, visit https://aka.ms/policyeffects" } , allowedValues: [ 2 items "AuditIfNotExists" , "Disabled" ] , defaultValue: "AuditIfNotExists" } , resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6: { 3 items type: "String" , metadata: { 2 items displayName: "NetworkWatcher resource 
group name" , description: "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located." } , defaultValue: "NetworkWatcherRG" } } , policyDefinitions: [ 308 items { 5 items policyDefinitionReferenceId: "33602e78-35e3-4f06-17fb-13dd887448e4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/33602e78-35e3-4f06-17fb-13dd887448e4 Conduct capacity planning , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "fc26e2fd-3149-74b4-5988-d64bb90f8ef7" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/fc26e2fd-3149-74b4-5988-d64bb90f8ef7 Separately store backup information , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_A1.2" , "SOC_2_PI1.5" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "aa892c0d-2c40-200c-0dd8-eac8c4748ede" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/aa892c0d-2c40-200c-0dd8-eac8c4748ede Employ automatic emergency lighting , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "a8f9c283-9a66-3eb3-9e10-bdba95b85884" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a8f9c283-9a66-3eb3-9e10-bdba95b85884 Run simulation attacks , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_A1.2" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "aa0ddd99-43eb-302d-3f8f-42b499182960" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/aa0ddd99-43eb-302d-3f8f-42b499182960 Install an alarm system , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items 
policyDefinitionReferenceId: "55a7f9a0-6397-7589-05ef-5ed59a8149e7" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/55a7f9a0-6397-7589-05ef-5ed59a8149e7 Control physical access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 8 items "SOC_2_C1.1" , "SOC_2_C1.2" , "SOC_2_CC2.1" , "SOC_2_CC6.1" , "SOC_2_CC6.4" , "SOC_2_PI1.3" , "SOC_2_PI1.4" , "SOC_2_PI1.5" ] } , { 5 items policyDefinitionReferenceId: "e603da3a-8af7-4f8a-94cb-1bcc0e0333d2" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 Manage the input, output, processing, and storage of data , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 7 items "SOC_2_C1.1" , "SOC_2_C1.2" , "SOC_2_CC2.1" , "SOC_2_CC6.1" , "SOC_2_PI1.3" , "SOC_2_PI1.4" , "SOC_2_PI1.5" ] } , { 5 items policyDefinitionReferenceId: "e23444b9-9662-40f3-289e-6d25c02b48fa" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e23444b9-9662-40f3-289e-6d25c02b48fa Review label activity and analytics , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 8 items "SOC_2_C1.1" , "SOC_2_C1.2" , "SOC_2_CC2.1" , "SOC_2_CC3.1" , "SOC_2_CC3.2" , "SOC_2_PI1.3" , "SOC_2_PI1.4" , "SOC_2_PI1.5" ] } , { 5 items policyDefinitionReferenceId: "42116f15-5665-a52a-87bb-b40e64c74b6c" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/42116f15-5665-a52a-87bb-b40e64c74b6c Develop acceptable use policies and procedures , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC1.1" , "SOC_2_CC1.5" , "SOC_2_CC2.2" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "5fe84a4c-1b0c-a738-2aba-ed49c9069d3b" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5fe84a4c-1b0c-a738-2aba-ed49c9069d3b Prohibit unfair practices , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 
5 items } , { 5 items policyDefinitionReferenceId: "b2ea1058-8998-3dd1-84f1-82132ad482fd" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b2ea1058-8998-3dd1-84f1-82132ad482fd Develop and establish a system security plan , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC1.2" , "SOC_2_CC1.3" , "SOC_2_CC2.3" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "d36700f2-2f0d-7c2a-059c-bdadd1d79f70" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d36700f2-2f0d-7c2a-059c-bdadd1d79f70 Establish a risk management strategy , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 8 items "SOC_2_CC1.2" , "SOC_2_CC1.3" , "SOC_2_CC3.1" , "SOC_2_CC3.2" , "SOC_2_CC3.4" , "SOC_2_CC5.1" , "SOC_2_CC8.1" , "SOC_2_CC9.1" ] } , { 5 items policyDefinitionReferenceId: "1cb7bf71-841c-4741-438a-67c65fdd7194" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1cb7bf71-841c-4741-438a-67c65fdd7194 Provide security training for new users , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC1.4" , "SOC_2_CC2.2" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "5decc032-95bd-2163-9549-a41aba83228e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5decc032-95bd-2163-9549-a41aba83228e Implement formal sanctions process , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "6228396e-2ace-7ca5-3247-45767dbf52f4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6228396e-2ace-7ca5-3247-45767dbf52f4 Notify personnel upon sanctions , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "70a7a065-a060-85f8-7863-eb7850ed2af9" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/70a7a065-a060-85f8-7863-eb7850ed2af9 Produce Security Assessment report , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC2.3" , "SOC_2_CC4.2" ] } , { 5 items policyDefinitionReferenceId: "8e49107c-3338-40d1-02aa-d524178a2afe" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8e49107c-3338-40d1-02aa-d524178a2afe Deliver security assessment results , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC2.3" , "SOC_2_CC4.2" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "06f84330-4c27-21f7-72cd-7488afd50244" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/06f84330-4c27-21f7-72cd-7488afd50244 Implement privacy notice delivery methods , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 6 items "SOC_2_CC2.3" , "SOC_2_P1.1" , "SOC_2_P2.1" , "SOC_2_P4.1" , "SOC_2_P6.7" , "SOC_2_PI1.1" ] } , { 5 items policyDefinitionReferenceId: "098a7b84-1031-66d8-4e78-bd15b5fd2efb" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/098a7b84-1031-66d8-4e78-bd15b5fd2efb Provide privacy notice , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 6 items "SOC_2_CC2.3" , "SOC_2_P1.1" , "SOC_2_P2.1" , "SOC_2_P4.1" , "SOC_2_P6.7" , "SOC_2_PI1.1" ] } , { 5 items policyDefinitionReferenceId: "5020f3f4-a579-2f28-72a8-283c5a0b15f9" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5020f3f4-a579-2f28-72a8-283c5a0b15f9 Restrict communications , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 4 items "SOC_2_CC2.3" , "SOC_2_P4.1" , "SOC_2_P6.7" , "SOC_2_PI1.1" ] } , { 5 items policyDefinitionReferenceId: "52375c01-4d4c-7acc-3aa4-5b3d53a047ec" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/52375c01-4d4c-7acc-3aa4-5b3d53a047ec Define the duties of processors , definitionVersion: 1.*.*1.1.0 , 
parameters: {} , groupNames: [ 4 items "SOC_2_CC2.3" , "SOC_2_CC9.2" , "SOC_2_P6.1" , "SOC_2_P6.4" ] } , { 5 items policyDefinitionReferenceId: "6b957f60-54cd-5752-44d5-ff5a64366c93" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6b957f60-54cd-5752-44d5-ff5a64366c93 Develop SSP that meets criteria , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "93fa357f-2e38-22a9-5138-8cc5124e1923" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/93fa357f-2e38-22a9-5138-8cc5124e1923 Categorize information , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC3.1" , "SOC_2_CC3.2" ] } , { 5 items policyDefinitionReferenceId: "11ba0508-58a8-44de-5f3a-9e05d80571da" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/11ba0508-58a8-44de-5f3a-9e05d80571da Develop business classification schemes , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC3.1" , "SOC_2_CC3.2" ] } , { 5 items policyDefinitionReferenceId: "8c5d3d8d-5cba-0def-257c-5ab9ea9644dc" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8c5d3d8d-5cba-0def-257c-5ab9ea9644dc Perform a risk assessment , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 9 items "SOC_2_CC3.1" , "SOC_2_CC3.2" , "SOC_2_CC3.3" , "SOC_2_CC3.4" , "SOC_2_CC5.1" , "SOC_2_CC5.2" , "SOC_2_CC5.3" , "SOC_2_CC8.1" , "SOC_2_CC9.1" ] } , { 5 items policyDefinitionReferenceId: "dbcef108-7a04-38f5-8609-99da110a2a57" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/dbcef108-7a04-38f5-8609-99da110a2a57 Determine information protection needs , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC3.1" , "SOC_2_CC3.2" , "SOC_2_CC9.1" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f Perform vulnerability scans , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC3.2" , "SOC_2_CC6.8" , "SOC_2_CC7.1" ] } , { 5 items policyDefinitionReferenceId: "be38a620-000b-21cf-3cb3-ea151b704c3b" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/be38a620-000b-21cf-3cb3-ea151b704c3b Remediate information system flaws , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC3.2" , "SOC_2_CC7.1" ] } , { 5 items policyDefinitionReferenceId: "0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 Assess risk in third party relationships , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC3.4" , "SOC_2_CC9.2" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "67ada943-8539-083d-35d0-7af648974125" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/67ada943-8539-083d-35d0-7af648974125 Determine supplier contract obligations , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 5 items "SOC_2_CC3.4" , "SOC_2_CC5.2" , "SOC_2_CC9.2" , "SOC_2_P6.1" , "SOC_2_P6.5" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "1c258345-5cd4-30c8-9ef3-5ee4dd5231d6" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 Develop security assessment plan , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "c423e64d-995c-9f67-0403-b540f65ba42a" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c423e64d-995c-9f67-0403-b540f65ba42a Assess Security Controls , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 
items policyDefinitionReferenceId: "03b6427e-6072-4226-4bd9-a410ab65317e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/03b6427e-6072-4226-4bd9-a410ab65317e Design an access control model , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC5.2" , "SOC_2_CC6.1" , "SOC_2_CC6.3" ] } , { 5 items policyDefinitionReferenceId: "1bc7fd64-291f-028e-4ed6-6e07886e163f" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1bc7fd64-291f-028e-4ed6-6e07886e163f Employ least privilege access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC5.2" , "SOC_2_CC6.1" , "SOC_2_CC6.3" ] } , { 5 items policyDefinitionReferenceId: "0803eaa7-671c-08a7-52fd-ac419f775e75" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0803eaa7-671c-08a7-52fd-ac419f775e75 Document acquisition contract acceptance criteria , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 4 items "SOC_2_CC5.2" , "SOC_2_CC9.2" , "SOC_2_P6.1" , "SOC_2_P6.5" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "2927e340-60e4-43ad-6b5f-7a1468232cc2" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2927e340-60e4-43ad-6b5f-7a1468232cc2 Configure detection whitelist , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "9b55929b-0101-47c0-a16e-d6ac5c7d21f8" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/9b55929b-0101-47c0-a16e-d6ac5c7d21f8 Undergo independent security review , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "50e9324a-7410-0539-0662-2c1e775538b7" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/50e9324a-7410-0539-0662-2c1e775538b7 Authorize and manage access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "10c4210b-3ec9-9603-050d-77e4d26c7ebb" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/10c4210b-3ec9-9603-050d-77e4d26c7ebb Enforce logical access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "de770ba6-50dd-a316-2932-e0d972eaa734" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/de770ba6-50dd-a316-2932-e0d972eaa734 Require approval for account creation , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.2" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "59bedbdc-0ba9-39b9-66bb-1d1c192384e6" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/59bedbdc-0ba9-39b9-66bb-1d1c192384e6 Control information flow , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC6.1" , "SOC_2_CC6.6" , "SOC_2_CC6.7" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "dad8a2e9-6f27-4fc2-8933-7e99fe700c9c" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/dad8a2e9-6f27-4fc2-8933-7e99fe700c9c Authorize remote access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items policyDefinitionReferenceId: "83dfb2b8-678b-20a0-4c44-5c75ada023e6" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/83dfb2b8-678b-20a0-4c44-5c75ada023e6 Document mobility training , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items 
policyDefinitionReferenceId: "3d492600-27ba-62cc-a1c3-66eb919f6a0d" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3d492600-27ba-62cc-a1c3-66eb919f6a0d Document remote access guidelines , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "518eafdd-08e5-37a9-795b-15a8d798056d" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/518eafdd-08e5-37a9-795b-15a8d798056d Provide privacy training , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "fe2dff43-0a8c-95df-0432-cb1c794b17d0" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/fe2dff43-0a8c-95df-0432-cb1c794b17d0 Notify users of system logon or access , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items policyDefinitionReferenceId: "b11697e8-9515-16f1-7a35-477d5c8a1344" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b11697e8-9515-16f1-7a35-477d5c8a1344 Protect data in transit using encryption , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC6.1" , "SOC_2_CC6.6" , "SOC_2_CC6.7" ] } , { 5 items policyDefinitionReferenceId: "043c1e56-5a16-52f8-6af8-583098ff3e60" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/043c1e56-5a16-52f8-6af8-583098ff3e60 Create a data inventory , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "7d7a8356-5c34-9a95-3118-1424cfaf192a" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/7d7a8356-5c34-9a95-3118-1424cfaf192a Adopt biometric authentication mechanisms , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.1" , "SOC_2_CC6.6" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "c4ccd607-702b-8ae6-8eeb-fc3339cd4b42" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 Define cryptographic use , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "7a0ecd94-3699-5273-76a5-edb8499f655a" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7a0ecd94-3699-5273-76a5-edb8499f655a Determine assertion requirements , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "97d91b33-7050-237b-3e23-a77d57d84e13" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/97d91b33-7050-237b-3e23-a77d57d84e13 Issue public key certificates , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "9c276cf3-596f-581a-7fbd-f5e46edaa0f4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/9c276cf3-596f-581a-7fbd-f5e46edaa0f4 Manage symmetric cryptographic keys , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "8d140e8b-76c7-77de-1d46-ed1b2e112444" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8d140e8b-76c7-77de-1d46-ed1b2e112444 Restrict access to private keys , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items 
} , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "a315c657-4a00-8eba-15ac-44692ad24423" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a315c657-4a00-8eba-15ac-44692ad24423 Protect special information , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "4c6df5ff-4ef2-4f17-a516-0da9189c603b" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4c6df5ff-4ef2-4f17-a516-0da9189c603b Assign account managers , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "a08b18c7-9e0a-89f1-3696-d80902196719" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a08b18c7-9e0a-89f1-3696-d80902196719 Document access privileges , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "873895e8-0e3a-6492-42e9-22cd030e9fcd" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/873895e8-0e3a-6492-42e9-22cd030e9fcd Restrict access to privileged accounts , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.2" , "SOC_2_CC6.3" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "49c23d9b-02b0-0e42-4f94-e8cef1b8381b" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/49c23d9b-02b0-0e42-4f94-e8cef1b8381b Audit user account status , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.2" , "SOC_2_CC6.3" ] } , { 5 items policyDefinitionReferenceId: "a830fe9e-08c9-a4fb-420c-6f6bf1702395" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a830fe9e-08c9-a4fb-420c-6f6bf1702395 Review account provisioning logs , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.2" , "SOC_2_CC6.3" ] } , { 5 items 
policyDefinitionReferenceId: "79f081c7-1634-01a1-708e-376197999289" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/79f081c7-1634-01a1-708e-376197999289 Review user accounts , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.2" , "SOC_2_CC6.3" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "f26af0b1-65b6-689a-a03f-352ad2d00f98" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f26af0b1-65b6-689a-a03f-352ad2d00f98 Audit privileged functions , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "ed87d27a-9abf-7c71-714c-61d881889da4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ed87d27a-9abf-7c71-714c-61d881889da4 Monitor privileged role assignment , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "e714b481-8fac-64a2-14a9-6f079b2501a4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e714b481-8fac-64a2-14a9-6f079b2501a4 Use privileged identity management , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "f96d2186-79df-262d-3f76-f371e3b71798" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f96d2186-79df-262d-3f76-f371e3b71798 Review user privileges , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "eaaae23f-92c9-4460-51cf-913feaea4d52" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/eaaae23f-92c9-4460-51cf-913feaea4d52 Employ a media sanitization mechanism , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.5" , "SOC_2_CC6.7" ] } , { 5 items policyDefinitionReferenceId: "e435f7e3-0dd9-58c9-451f-9b44b96c0232" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/e435f7e3-0dd9-58c9-451f-9b44b96c0232 Implement controls to secure all media , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC6.5" , "SOC_2_CC6.7" , "SOC_2_PI1.5" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "01ae60e2-38bb-0a32-7b20-d3a091423409" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/01ae60e2-38bb-0a32-7b20-d3a091423409 Implement system boundary protection , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 Define mobile device requirements , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "4ac81669-00e2-9790-8648-71bc11bc91eb" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4ac81669-00e2-9790-8648-71bc11bc91eb Manage the transportation of assets , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "b2d3e5a2-97ab-5497-565a-71172a729d93" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b2d3e5a2-97ab-5497-565a-71172a729d93 Protect passwords with encryption , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "f06ddb64-5fa3-4b77-b166-acb36f7f6042" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs , definitionVersion: 6.*.*6.2.0 , parameters: { 14 items effect: { 1 item value: "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , 
excludedNamespaces: { 1 item value: "[parameters('excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , namespaces: { 1 item value: "[parameters('namespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , labelSelector: { 1 item value: "[parameters('labelSelector-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , runAsUserRule: { 1 item value: "[parameters('runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , runAsUserRanges: { 1 item value: "[parameters('runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , runAsGroupRule: { 1 item value: "[parameters('runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , runAsGroupRanges: { 1 item value: "[parameters('runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , supplementalGroupsRule: { 1 item value: "[parameters('supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , supplementalGroupsRanges: { 1 item value: "[parameters('supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , fsGroupRule: { 1 item value: "[parameters('fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , fsGroupRanges: { 1 item value: "[parameters('fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , excludedContainers: { 1 item value: "[parameters('excludedContainers-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } , excludedImages: { 1 item value: "[parameters('excludedImages-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" } } , groupNames: [ 2 items "SOC_2_CC6.8" , "SOC_2_CC8.1" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items 
policyDefinitionReferenceId: "06a78e20-9358-41c9-923c-fb736d382a4d" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks , definitionVersion: 1.*.*1.0.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.8" , "SOC_2_CC8.1" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "63f63e71-6c3f-9add-4c43-64de23e554a7" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/63f63e71-6c3f-9add-4c43-64de23e554a7 Manage gateways , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "50e81644-923d-33fc-6ebb-9733bc8d1a06" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/50e81644-923d-33fc-6ebb-9733bc8d1a06 Perform a trend analysis on threats , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 4 items "SOC_2_CC6.8" , "SOC_2_CC7.2" , "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 Update antivirus definitions , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "0123edae-3567-a05a-9b05-b53ebe9d3e7e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0123edae-3567-a05a-9b05-b53ebe9d3e7e View and configure system diagnostic data , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC6.8" , "SOC_2_CC7.1" ] } , { 5 items policyDefinitionReferenceId: "b53aa659-513e-032c-52e6-1ce0ba46582f" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b53aa659-513e-032c-52e6-1ce0ba46582f Configure actions for noncompliant devices , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.1" , 
"SOC_2_CC8.1" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "058e9719-1ff9-3653-4230-23f76b6492e0" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/058e9719-1ff9-3653-4230-23f76b6492e0 Enforce security configuration settings , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.1" , "SOC_2_CC8.1" ] } , { 5 items policyDefinitionReferenceId: "7380631c-5bf5-0e3a-4509-0873becd8a63" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7380631c-5bf5-0e3a-4509-0873becd8a63 Establish a configuration control board , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.1" , "SOC_2_CC8.1" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "426c172c-9914-10d1-25dd-669641fc1af4" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/426c172c-9914-10d1-25dd-669641fc1af4 Enable detection of network devices , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "2b4e134f-1e4c-2bff-573e-082d85479b6e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2b4e134f-1e4c-2bff-573e-082d85479b6e Develop an incident response plan , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 3 items "SOC_2_CC7.4" , "SOC_2_CC7.5" , "SOC_2_P6.6" ] } , { 5 items policyDefinitionReferenceId: "423f6d9c-0c73-9cc6-64f4-b52242490368" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/423f6d9c-0c73-9cc6-64f4-b52242490368 Develop security safeguards , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items 
"SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "8c255136-994b-9616-79f5-ae87810e0dcf" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8c255136-994b-9616-79f5-ae87810e0dcf Enable network protection , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "54a9c072-4a93-2a03-6a43-a060d30383d7" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/54a9c072-4a93-2a03-6a43-a060d30383d7 Eradicate contaminated information , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "433de59e-7a53-a766-02c2-f80f8421469a" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/433de59e-7a53-a766-02c2-f80f8421469a Implement incident handling , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "98145a9b-428a-7e81-9d14-ebb154a24f93" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/98145a9b-428a-7e81-9d14-ebb154a24f93 View and investigate restricted users , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "37b0045b-3887-367b-8b4d-b9a6fa911bb9" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/37b0045b-3887-367b-8b4d-b9a6fa911bb9 Assess information security events , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items policyDefinitionReferenceId: "37546841-8ea1-5be0-214d-8ac599588332" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/37546841-8ea1-5be0-214d-8ac599588332 Maintain incident response plan , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 
items "SOC_2_CC7.4" , "SOC_2_CC7.5" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "3545c827-26ee-282d-4629-23952a12008b" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3545c827-26ee-282d-4629-23952a12008b Conduct incident response testing , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "203101f5-99a3-1491-1b56-acccd9b66a9e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/203101f5-99a3-1491-1b56-acccd9b66a9e Conduct a security impact analysis , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "d18af1ac-0086-4762-6dc8-87cdded90e39" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d18af1ac-0086-4762-6dc8-87cdded90e39 Perform a privacy impact assessment , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items policyDefinitionReferenceId: "8b1da407-5e60-5037-612e-2caa1b590719" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8b1da407-5e60-5037-612e-2caa1b590719 Record disclosures of PII to third parties , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_CC9.2" , "SOC_2_P6.1" ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "b6b32f80-a133-7600-301e-398d688e7e0c" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b6b32f80-a133-7600-301e-398d688e7e0c Evaluate and review PII holdings regularly , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_P3.1" , "SOC_2_P8.1" ] } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 Adhere to retention periods defined , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "b5a4be05-3997-1731-3260-98be653610f6" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b5a4be05-3997-1731-3260-98be653610f6 Perform disposition review , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "27ab3ac0-910d-724d-0afa-1a2a01e996c0" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/27ab3ac0-910d-724d-0afa-1a2a01e996c0 Respond to rectification requests , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "8bb40df9-23e4-4175-5db3-8dba86349b73" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8bb40df9-23e4-4175-5db3-8dba86349b73 Confirm quality and integrity of PII , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items policyDefinitionReferenceId: "0461cacd-0b3b-4f66-11c5-81c9b19a3d22" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0461cacd-0b3b-4f66-11c5-81c9b19a3d22 Verify inaccurate or outdated PII , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } , { 5 items } , { 5 items } , { 5 items policyDefinitionReferenceId: "8b1f29eb-1b22-4217-5337-9207cb55231e" , policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8b1f29eb-1b22-4217-5337-9207cb55231e Perform information input validation , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 2 items "SOC_2_PI1.2" , "SOC_2_PI1.3" ] } , { 5 items policyDefinitionReferenceId: "c2cb4658-44dc-9d11-3dad-7c6802dd5ba3" , policyDefinitionId: 
/providers/Microsoft.Authorization/policyDefinitions/c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 Generate error messages , definitionVersion: 1.*.*1.1.0 , parameters: {} , groupNames: [ 1 item ] } , { 5 items } ] , policyDefinitionGroups: [ 61 items { 2 items name: "SOC_2_A1.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_A1.1" } , { 2 items name: "SOC_2_A1.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_A1.2" } , { 2 items name: "SOC_2_A1.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_A1.3" } , { 2 items name: "SOC_2_C1.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_C1.1" } , { 2 items name: "SOC_2_C1.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_C1.2" } , { 2 items name: "SOC_2_CC1.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC1.1" } , { 2 items name: "SOC_2_CC1.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC1.2" } , { 2 items name: "SOC_2_CC1.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC1.3" } , { 2 items name: "SOC_2_CC1.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC1.4" } , { 2 items name: "SOC_2_CC1.5" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC1.5" } , { 2 items name: "SOC_2_CC2.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC2.1" } , { 2 items name: "SOC_2_CC2.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC2.2" } , { 2 items name: "SOC_2_CC2.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC2.3" } , { 2 items name: "SOC_2_CC3.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC3.1" } , { 2 items name: "SOC_2_CC3.2" , 
additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC3.2" } , { 2 items name: "SOC_2_CC3.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC3.3" } , { 2 items name: "SOC_2_CC3.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC3.4" } , { 2 items name: "SOC_2_CC4.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC4.1" } , { 2 items name: "SOC_2_CC4.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC4.2" } , { 2 items name: "SOC_2_CC5.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC5.1" } , { 2 items name: "SOC_2_CC5.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC5.2" } , { 2 items name: "SOC_2_CC5.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC5.3" } , { 2 items name: "SOC_2_CC6.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.1" } , { 2 items name: "SOC_2_CC6.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.2" } , { 2 items name: "SOC_2_CC6.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.3" } , { 2 items name: "SOC_2_CC6.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.4" } , { 2 items name: "SOC_2_CC6.5" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.5" } , { 2 items name: "SOC_2_CC6.6" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.6" } , { 2 items name: "SOC_2_CC6.7" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.7" } , { 2 items name: "SOC_2_CC6.8" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC6.8" } , { 2 items name: "SOC_2_CC7.1" , additionalMetadataId: 
"/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC7.1" } , { 2 items name: "SOC_2_CC7.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC7.2" } , { 2 items name: "SOC_2_CC7.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC7.3" } , { 2 items name: "SOC_2_CC7.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC7.4" } , { 2 items name: "SOC_2_CC7.5" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC7.5" } , { 2 items name: "SOC_2_CC8.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC8.1" } , { 2 items name: "SOC_2_CC9.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC9.1" } , { 2 items name: "SOC_2_CC9.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_CC9.2" } , { 2 items name: "SOC_2_P1.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P1.1" } , { 2 items name: "SOC_2_P2.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P2.1" } , { 2 items name: "SOC_2_P3.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P3.1" } , { 2 items name: "SOC_2_P3.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P3.2" } , { 2 items name: "SOC_2_P4.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P4.1" } , { 2 items name: "SOC_2_P4.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P4.2" } , { 2 items name: "SOC_2_P4.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P4.3" } , { 2 items name: "SOC_2_P5.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P5.1" } , { 2 items name: "SOC_2_P5.2" , additionalMetadataId: 
"/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P5.2" } , { 2 items name: "SOC_2_P6.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.1" } , { 2 items name: "SOC_2_P6.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.2" } , { 2 items name: "SOC_2_P6.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.3" } , { 2 items name: "SOC_2_P6.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.4" } , { 2 items name: "SOC_2_P6.5" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.5" } , { 2 items name: "SOC_2_P6.6" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.6" } , { 2 items name: "SOC_2_P6.7" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P6.7" } , { 2 items name: "SOC_2_P7.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P7.1" } , { 2 items name: "SOC_2_P8.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_P8.1" } , { 2 items name: "SOC_2_PI1.1" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_PI1.1" } , { 2 items name: "SOC_2_PI1.2" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_PI1.2" } , { 2 items name: "SOC_2_PI1.3" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_PI1.3" } , { 2 items name: "SOC_2_PI1.4" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_PI1.4" } , { 2 items name: "SOC_2_PI1.5" , additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/SOC_2_PI1.5" } ] , versions: [ 8 items "1.11.0" , "1.10.0" , "1.9.0" , "1.8.0" , "1.7.0" , "1.6.0" , "1.5.0" , "1.4.0" ] }