last sync: 2022-Jun-28 16:32:55 UTC

Azure Landing Zones (ALZ) Policy Initiative

Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit

Name: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
Source: Azure Landing Zones (ALZ) GitHub
Id: Enforce-EncryptTransit
Version: 1.0.0
Category: Encryption
Description: Choose either DeployIfNotExists and Append in combination with Audit, or select Deny as the policy effect. Deny policies shift left, because a non-compliant resource is never created. DeployIfNotExists and Append enforce the setting, but the setting can be changed afterwards, and because these effects lack an existence condition they require the combination with Audit.
Type: Custom, Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
History: none
Policy count: 22 in total
- Builtin Policies: 4
- Static Policies: 0
- ESLZ Policies: 18
Policies used

| Policy DisplayName | Policy Id | Category | Default Effect | Allowed Effects | State | Type |
|---|---|---|---|---|---|---|
| API App should only be accessible over HTTPS | Deny-AppServiceApiApp-http | App Service | Deny | Audit, Disabled, Deny | GA | ALZ |
| AppService append enable https only setting to enforce https setting. | Append-AppService-httpsonly | App Service | Append | Append, Disabled | GA | ALZ |
| AppService append sites with minimum TLS version to enforce. | Append-AppService-latestTLS | App Service | Append | Append, Disabled | GA | ALZ |
| Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append-Redis-sslEnforcement | Cache | Append | Append, Disabled | GA | ALZ |
| Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Append-Redis-disableNonSslPort | Cache | Append | Append, Disabled, Modify | GA | ALZ |
| Azure Cache for Redis only secure connections should be enabled | Deny-Redis-http | Cache | Deny | Audit, Deny, Disabled | GA | ALZ |
| Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy-MySQL-sslEnforcement | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | GA | ALZ |
| Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy-PostgreSQL-sslEnforcement | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | GA | ALZ |
| Azure SQL Database should have the minimal TLS version set to the highest version | Deny-Sql-minTLS | SQL | Audit | Audit, Disabled, Deny | GA | ALZ |
| Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy-Storage-sslEnforcement | Storage | DeployIfNotExists | DeployIfNotExists, Disabled | GA | ALZ |
| Function App should only be accessible over HTTPS | Deny-AppServiceFunctionApp-http | App Service | Deny | Audit, Disabled, Deny | GA | ALZ |
| Kubernetes clusters should be accessible only over HTTPS | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes | Deny | audit, Audit, deny, Deny, disabled, Disabled | GA | BuiltIn |
| Latest TLS version should be used in your API App | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | App Service | AuditIfNotExists | AuditIfNotExists, Disabled | GA | BuiltIn |
| Latest TLS version should be used in your Function App | f9d614c5-c173-4d56-95a7-b4437057d193 | App Service | AuditIfNotExists | AuditIfNotExists, Disabled | GA | BuiltIn |
| Latest TLS version should be used in your Web App | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service | AuditIfNotExists | AuditIfNotExists, Disabled | GA | BuiltIn |
| MySQL database servers enforce SSL connections. | Deny-MySql-http | SQL | Deny | Audit, Disabled, Deny | GA | ALZ |
| PostgreSQL database servers enforce SSL connection. | Deny-PostgreSql-http | SQL | Deny | Audit, Disabled, Deny | GA | ALZ |
| SQL Managed Instance should have the minimal TLS version set to the highest version | Deny-SqlMi-minTLS | SQL | Audit | Audit, Disabled, Deny | GA | ALZ |
| SQL managed instances deploy a specific min TLS version requirement. | Deploy-SqlMi-minTLS | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | GA | ALZ |
| SQL servers deploys a specific min TLS version requirement. | Deploy-SQL-minTLS | SQL | DeployIfNotExists | DeployIfNotExists, Disabled | GA | ALZ |
| Storage Account set to minimum TLS and Secure transfer should be enabled | Deny-Storage-minTLS | Storage | Deny | Audit, Deny, Disabled | GA | ALZ |
| Web Application should only be accessible over HTTPS | Deny-AppServiceWebApp-http | App Service | Deny | Audit, Disabled, Deny | GA | ALZ |