last sync: 2022-Aug-11 16:33:24 UTC

Azure Policy Initiative

[Preview]: SWIFT CSP-CSCF v2022

Name[Preview]: SWIFT CSP-CSCF v2022
Azure Portal
Id7bc7cd6c-4114-ff31-3cac-59be3157596d
Version1.0.0-preview
details on versioning
CategoryRegulatory Compliance
Microsoft docs
DescriptionThis initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2022 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2022-init.
TypeBuiltIn
DeprecatedFalse
PreviewTrue
History
Date/Time (UTC ymd) (i) Changes
2022-06-16 16:34:43 add Initiative 7bc7cd6c-4114-ff31-3cac-59be3157596d
Policy count Total Policies: 97
Builtin Policies: 97
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall fc5e4038-4584-4632-8c85-c0448d374b2c Network Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images 32133ab0-ee4b-4b44-98d6-042180979d50 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines 04c4380f-3fae-46e8-96c9-30193528f602 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines 2f2ee1de-44aa-4762-b6bd-0893fc3f306d Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Activity log should be retained for at least one year b02aacc0-b073-424e-8298-42b22829ee0a Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration Fixed: modify GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration Fixed: modify GA
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Allowlist rules in your adaptive application control policy should be updated 123a3936-f020-408a-ba0c-47873faf1534 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service apps should have resource logs enabled 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service apps should use a virtual network service endpoint 2d21331d-a4c2-4def-a9ad-ee4e1e023beb Network Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Linux machines that do not have the passwd file permissions set to 0644 e6955644-301c-44b5-a4c4-528577de6861 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Linux machines that have accounts without passwords f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit virtual machines without disaster recovery configured 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Compute Fixed: auditIfNotExists GA
Audit VMs that do not use managed disks 06a78e20-9358-41c9-923c-fb736d382a4d Compute Fixed: audit GA
Audit Windows machines that allow re-use of the previous 24 passwords 5b054a0d-39e2-4d53-bea3-9734cad2c69b Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows machines that contain certificates expiring within the specified number of days 1417908b-4bff-46ee-a2a6-4acc899320ab Guest Configuration Fixed: auditIfNotExists GA
Audit Windows machines that do not have a maximum password age of 70 days 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows machines that do not have a minimum password age of 1 day 237b38db-ca4d-4259-9e47-7882441ca2c0 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows machines that do not have the password complexity setting enabled bf16e0bb-31e1-4646-8202-60a235cc7e74 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows machines that do not restrict the minimum password length to 14 characters a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows machines that do not store passwords using reversible encryption da0f98fe-a24b-4ad5-af69-bd0400233661 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit Windows VMs with a pending reboot 4221adbc-5c0f-474f-88b7-037a99e6114c Guest Configuration Fixed: auditIfNotExists GA
Authentication to Linux machines should require SSH keys 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription 475aae12-b88a-4572-8b36-9b712b2b3a17 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Automation account variables should be encrypted 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Backup should be enabled for Virtual Machines 013e242c-8828-4970-87b3-ab247555486d Backup Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for App Service should be enabled 2913021d-f2fd-4f3d-b958-22354e2bdbcb Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Key Vault should be enabled 0e6763cc-5078-4e64-889d-ff4d9a839047 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for servers should be enabled 4da35fc9-c9e7-4960-aec9-797fe7d9051d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Storage should be enabled 308fbb08-4ab8-4e67-9b29-592e93fb94fa Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Key Vault should have firewall enabled 55615ac9-af46-4a59-874e-391cc3dfb490 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1a4e592a-6a6e-44a5-9814-e36264ca96e7 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) ea0dfaed-95fb-448c-934e-d6e713ce393d Monitoring Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA
Azure Monitor Logs clusters should be encrypted with customer-managed key 1f68a601-6e6d-4e42-babf-3f643a047ea2 Monitoring Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace d550e854-df1a-4de9-bf44-cd894b39a95e Monitoring Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA
Azure Monitor should collect activity logs from all regions 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Monitor solution 'Security and Audit' must be deployed 3e596b57-105f-48a6-be97-03e9243bad6e Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration Fixed: deployIfNotExists GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration Fixed: deployIfNotExists GA
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
External accounts with read permissions should be removed from your subscription 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Flow logs should be configured for every network security group c251913d-7d24-4958-af87-478ed3b9ba41 Network Default: Audit
Allowed: (Audit, Disabled)
GA
Flow logs should be enabled for every network security group 27960feb-a23c-4577-8d36-ef8b5f35e0be Network Default: Audit
Allowed: (Audit, Disabled)
GA
Geo-redundant storage should be enabled for Storage Accounts bf045164-79ba-4215-8f95-f8048dc1780b Storage Default: Audit
Allowed: (Audit, Disabled)
GA
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Key Vault should use a virtual network service endpoint ea4d6841-2173-4317-9747-ff522a45120f Network Default: Audit
Allowed: (Audit, Disabled)
GA
Key vaults should have purge protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures c43e4a30-77cb-48ab-a4dd-93f175c63b57 Compute Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers 9b597639-28e4-48eb-b506-56b05d366257 Compute Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network Watcher flow logs should have traffic analytics enabled 2f080164-9f4d-497e-9db6-416dc9f7b48a Network Default: Audit
Allowed: (Audit, Disabled)
GA
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Non-internet-facing virtual machines should be protected with network security groups bb91dfba-c30d-4263-9add-9c2384e659a6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Batch accounts should be enabled 428256e6-1fac-4f48-a757-df34c2b3336d Batch Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Key Vault should be enabled cf820ca0-f99e-4f3e-84fb-66e913812d21 Key Vault Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Logic Apps should be enabled 34f95f76-5386-4de7-b824-0d8478470c9d Logic Apps Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Search services should be enabled b4330a05-a843-4bc8-bf9a-cacce50c67f4 Search Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Service Bus should be enabled f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Service Bus Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Virtual Machine Scale Sets should be enabled 7c1b1214-f927-48bf-8882-84f0af6588b1 Compute Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption fa298e57-9444-42ba-bf04-86e8470e32c7 Monitoring Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage account containing the container with activity logs must be encrypted with BYOK fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage Accounts should use a virtual network service endpoint 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 Network Default: Audit
Allowed: (Audit, Disabled)
GA
Subnets should be associated with a Network Security Group e71308d3-144b-4262-b144-efdc3cc90517 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets efbde977-ba53-4479-b8e9-10b957924fbf Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Virtual machines should have the Log Analytics extension installed a70ca396-0a34-413a-88e1-b956c1e683be Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
VM Image Builder templates should use private link 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder Default: Audit
Allowed: (Audit, Disabled, Deny)
GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Windows machines should meet requirements for 'Security Options - Interactive Logon' d472d2c9-d6a3-4500-9f5f-b15f123005aa Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Windows web servers should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
JSON