last sync: 2023-Sep-29 17:58:50 UTC

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit

Source Repository: Azure Landing Zones (ALZ) GitHub
Display name: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
Id: Enforce-EncryptTransit
Version: 2.0.0
Category: Encryption
Description: Choose either Deploy if not exist and append in combination with audit, or select Deny in the Policy effect. Deny policies shift left. Deploy if not exist and append enforce but can be changed, and because they lack an existence condition they require the combination with Audit.
Type: Custom, Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Policy count: Total Policies: 21
Builtin Policies: 3
Static Policies: 0
ALZ Policies: 18
Policy used
Policy DisplayName | Policy Id | Category | Default Effect | Allowed Effects | Roles# | Roles | State | Type
API App should only be accessible over HTTPS | Deny-AppServiceApiApp-http | App Service | Deny | Audit, Disabled, Deny | 0 | | GA | ALZ
App Service apps should use the latest TLS version | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | | GA | BuiltIn
AppService append enable https only setting to enforce https setting. | Append-AppService-httpsonly | App Service | Append | Append, Disabled | 0 | | GA | ALZ
AppService append sites with minimum TLS version to enforce. | Append-AppService-latestTLS | App Service | Append | Append, Disabled | 0 | | GA | ALZ
Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append-Redis-sslEnforcement | Cache | Append | Append, Disabled | 0 | | GA | ALZ
Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Append-Redis-disableNonSslPort | Cache | Append | Append, Disabled | 0 | | GA | ALZ
Azure Cache for Redis only secure connections should be enabled | Deny-Redis-http | Cache | Deny | Audit, Deny, Disabled | 0 | | GA | ALZ
Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy-MySQL-sslEnforcement | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | 1 | Contributor | GA | ALZ
Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy-PostgreSQL-sslEnforcement | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | 1 | Contributor | GA | ALZ
Azure SQL Database should have the minimal TLS version set to the highest version | Deny-Sql-minTLS | SQL | Audit | Audit, Disabled, Deny | 0 | | GA | ALZ
Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy-Storage-sslEnforcement | Storage | DeployIfNotExists | DeployIfNotExists, Disabled | 1 | Storage Account Contributor | GA | ALZ
Function App should only be accessible over HTTPS | Deny-AppServiceFunctionApp-http | App Service | Deny | Audit, Disabled, Deny | 0 | | GA | ALZ
Function apps should use the latest TLS version | f9d614c5-c173-4d56-95a7-b4437057d193 | App Service | AuditIfNotExists | AuditIfNotExists, Disabled | 0 | | GA | BuiltIn
Kubernetes clusters should be accessible only over HTTPS | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes | Deny | audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA | BuiltIn
MySQL database servers enforce SSL connections. | Deny-MySql-http | SQL | Deny | Audit, Disabled, Deny | 0 | | GA | ALZ
PostgreSQL database servers enforce SSL connection. | Deny-PostgreSql-http | SQL | Deny | Audit, Disabled, Deny | 0 | | GA | ALZ
SQL Managed Instance should have the minimal TLS version set to the highest version | Deny-SqlMi-minTLS | SQL | Audit | Audit, Disabled, Deny | 0 | | GA | ALZ
SQL managed instances deploy a specific min TLS version requirement. | Deploy-SqlMi-minTLS | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | 1 | SQL Managed Instance Contributor | GA | ALZ
SQL servers deploys a specific min TLS version requirement. | Deploy-SQL-minTLS | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | 1 | SQL Server Contributor | GA | ALZ
Storage Account set to minimum TLS and Secure transfer should be enabled | Deny-Storage-minTLS | Storage | Deny | Audit, Deny, Disabled | 0 | | GA | ALZ
Web Application should only be accessible over HTTPS | Deny-AppServiceWebApp-http | App Service | Deny | Audit, Disabled, Deny | 0 | | GA | ALZ
Roles used: Contributor, Storage Account Contributor, SQL Managed Instance Contributor, SQL Server Contributor
History: none