last sync: 2024-Oct-07 17:51:37 UTC

Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-EncryptTransit_20240509
Display nameDeny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
IdEnforce-EncryptTransit_20240509
Version1.0.0
Details on versioning
CategoryEncryption
DescriptionChoose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.
TypeCustom Azure Landing Zones (ALZ)
DeprecatedFalse
PreviewFalse
Replaces PolicySet This ALZ PolicySet definition replaces [Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (Enforce-EncryptTransit)
More information on Azure Landing Zones deprecated Policy and PolicySet definitions
Policy count Total Policies: 37
Builtin Policies: 17
Static Policies: 0
ALZ Policies: 20
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State Type
API App should only be accessible over HTTPS Deny-AppServiceApiApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny
0 GA ALZ
App Service app slots should only be accessible over HTTPS ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA BuiltIn
App Service apps should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA BuiltIn
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA BuiltIn
App Service Environment should have TLS 1.0 and 1.1 disabled d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Default
Audit
Allowed
Audit, Deny, Disabled
0 GA BuiltIn
AppService append enable https only setting to enforce https setting. Append-AppService-httpsonly App Service Default
Append
Allowed
Append, Disabled
0 GA ALZ
AppService append sites with minimum TLS version to enforce. Append-AppService-latestTLS App Service Default
Append
Allowed
Append, Disabled
0 GA ALZ
Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append-Redis-sslEnforcement Cache Default
Append
Allowed
Append, Disabled
0 GA ALZ
Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Append-Redis-disableNonSslPort Cache Default
Append
Allowed
Append, Disabled
0 GA ALZ
Azure Cache for Redis only secure connections should be enabled Deny-Redis-http Cache Default
Deny
Allowed
Audit, Deny, Disabled
0 GA ALZ
Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy-MySQL-sslEnforcement SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA ALZ
Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy-PostgreSQL-sslEnforcement SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Contributor GA ALZ
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL Default
Audit
Allowed
Audit, Disabled, Deny
0 GA BuiltIn
Azure SQL Database should have the minimal TLS version set to the highest version Deny-Sql-minTLS SQL Default
Audit
Allowed
Audit, Disabled, Deny
0 GA ALZ
Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy-Storage-sslEnforcement Storage Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Storage Account Contributor GA ALZ
Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer cb3738a6-82a2-4a18-b87b-15217b9deff4 Synapse Default
Audit
Allowed
Audit, Deny, Disabled
0 GA BuiltIn
Configure App Service app slots to use the latest TLS version 014664e7-e348-41a3-aeb9-566e4ff6a9df App Service Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Website Contributor GA BuiltIn
Configure App Service apps to use the latest TLS version ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d App Service Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Website Contributor GA BuiltIn
Configure Function app slots to use the latest TLS version fa3a6357-c6d6-4120-8429-855577ec0063 App Service Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Website Contributor GA BuiltIn
Configure Function apps to use the latest TLS version 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 App Service Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Website Contributor GA BuiltIn
Configure Logic apps to use the latest TLS version Deploy-LogicApp-TLS Logic Apps Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 Website Contributor GA ALZ
Container Apps should only be accessible over HTTPS 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps Default
Audit
Allowed
Audit, Deny, Disabled
0 GA BuiltIn
Event Hub namespaces should use a valid TLS version Deny-EH-minTLS Event Hub Default
Deny
Allowed
Audit, Deny, Disabled
0 GA ALZ
Function App should only be accessible over HTTPS Deny-AppServiceFunctionApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny
0 GA ALZ
Function app slots should only be accessible over HTTPS 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA BuiltIn
Function apps should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default
Audit
Allowed
Audit, Disabled, Deny
0 GA BuiltIn
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA BuiltIn
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
0 GA BuiltIn
Logic app should only be accessible over HTTPS Deny-LogicApps-Without-Https Logic Apps Default
Deny
Allowed
Audit, Deny, Disabled
0 GA ALZ
MySQL database servers enforce SSL connections. Deny-MySql-http SQL Default
Deny
Allowed
Audit, Disabled, Deny
0 GA ALZ
PostgreSQL database servers enforce SSL connection. Deny-PostgreSql-http SQL Default
Deny
Allowed
Audit, Disabled, Deny
0 GA ALZ
SQL Managed Instance should have the minimal TLS version of 1.2 a8793640-60f7-487c-b5c3-1d37215905c4 SQL Default
Audit
Allowed
Audit, Disabled
0 GA BuiltIn
SQL Managed Instance should have the minimal TLS version set to the highest version Deny-SqlMi-minTLS SQL Default
Audit
Allowed
Audit, Disabled, Deny
0 GA ALZ
SQL managed instances deploy a specific min TLS version requirement. Deploy-SqlMi-minTLS SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 SQL Managed Instance Contributor GA ALZ
SQL servers deploys a specific min TLS version requirement. Deploy-SQL-minTLS SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
1 SQL Server Contributor GA ALZ
Storage accounts should have the specified minimum TLS version fe83a0eb-a853-422d-aac2-1bffd182c5d0 Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA BuiltIn
Web Application should only be accessible over HTTPS Deny-AppServiceWebApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny
0 GA ALZ
Roles used
History none
JSON compare n/a
JSON
EPAC