AzPolicyInitiativesAdvertizer

Azure Policy Initiative

[Deprecated]: Azure Security Benchmark v2

Policy DisplayName

Policy Id

Category

Effect

State

[Deprecated]: RDP access from the Internet should be blocked

e372f825-a257-4fb8-9175-797a8a8627d6

Network

Default: Audit
Allowed: (Audit, Disabled)

Deprecated

[Deprecated]: SSH access from the Internet should be blocked

2c89a2e5-7285-40fe-afe0-ae8654b92fab

Network

Default: Audit
Allowed: (Audit, Disabled)

Deprecated

[Preview]: All Internet traffic should be routed via your deployed Azure Firewall

fc5e4038-4584-4632-8c85-c0448d374b2c

Network

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Azure Key Vault should disable public network access

55615ac9-af46-4a59-874e-391cc3dfb490

Key Vault

Default: Audit
Allowed: (Audit, Deny, Disabled)

Preview

[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines

842c54e8-c2f9-4d79-ae8d-38d8b8019373

Monitoring

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines

d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e

Monitoring

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Network traffic data collection agent should be installed on Linux virtual machines

04c4380f-3fae-46e8-96c9-30193528f602

Monitoring

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Network traffic data collection agent should be installed on Windows virtual machines

2f2ee1de-44aa-4762-b6bd-0893fc3f306d

Monitoring

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Private endpoint should be configured for Key Vault

5f0bc445-3935-4915-9981-011aa2b46147

Key Vault

Default: Audit
Allowed: (Audit, Deny, Disabled)

Preview

[Preview]: Sensitive data in your SQL databases should be classified

cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Preview

[Preview]: Storage account public access should be disallowed

4fa4b6c0-31ca-4c0d-b10d-24b96f62a751

Storage

Default: audit
Allowed: (audit, deny, disabled)

Preview

A maximum of 3 owners should be designated for your subscription

4f11b553-d42e-4e3a-89be-32ca364cad4c

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

A vulnerability assessment solution should be enabled on your virtual machines

501541f7-f7e7-4cd6-868c-4190fdad3ac9

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Adaptive application controls for defining safe applications should be enabled on your machines

47a6b606-51aa-4496-8bb7-64b11cf66adc

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Adaptive network hardening recommendations should be applied on internet facing virtual machines

08e6af2d-db70-460a-bfe9-d5bd474ba9d6

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

An Azure Active Directory administrator should be provisioned for SQL servers

1f314764-cb73-4fc9-b863-8eca98ac36e9

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

API App should only be accessible over HTTPS

b7ddfbdc-1260-477d-91fd-98bd9be789a6

App Service

Default: Audit
Allowed: (Audit, Disabled)

API Management services should use a virtual network

ef619a2c-cc4d-4d03-b2ba-8c94a834d85b

API Management

Default: Audit
Allowed: (Audit, Disabled)

App Configuration should use private link

ca610c1d-041c-4332-9d88-7ed3094967c7

App Configuration

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Audit usage of custom RBAC rules

a451c1ef-c6ca-483d-87ed-f49761e3ffb5

General

Default: Audit
Allowed: (Audit, Disabled)

Auditing on SQL server should be enabled

a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Authorized IP ranges should be defined on Kubernetes Services

0e246bcf-5f6f-4f87-bc6f-775d4712c7ea

Security Center

Default: Audit
Allowed: (Audit, Disabled)

Auto provisioning of the Log Analytics agent should be enabled on your subscription

475aae12-b88a-4572-8b36-9b712b2b3a17

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Automation account variables should be encrypted

3657f5a0-770e-44a3-b44e-9431ba1e9735

Automation

Default: Audit
Allowed: (Audit, Deny, Disabled)

Azure Backup should be enabled for Virtual Machines

013e242c-8828-4970-87b3-ab247555486d

Backup

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Cache for Redis should reside within a virtual network

7d092e0a-7acd-40d2-a975-dca21cae48c4

Cache

Default: Audit
Allowed: (Audit, Deny, Disabled)

Azure Cosmos DB accounts should have firewall rules

862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb

Cosmos DB

Default: Deny
Allowed: (Audit, Deny, Disabled)

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

1f905d99-2ab7-462c-a6b0-f709acca6c8f

Cosmos DB

Default: audit
Allowed: (audit, deny, disabled)

Azure DDoS Protection Standard should be enabled

a7aca53f-2ed4-4466-a25e-0b45ade68efd

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for App Service should be enabled

2913021d-f2fd-4f3d-b958-22354e2bdbcb

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for Azure SQL Database servers should be enabled

7fe3b40f-802b-4cdd-8bd4-fd799c948cc2

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for container registries should be enabled

c25d9a16-bc35-4e15-a7e5-9db606bf9ed4

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for Key Vault should be enabled

0e6763cc-5078-4e64-889d-ff4d9a839047

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for Kubernetes should be enabled

523b5cd1-3e23-492f-a539-13118b6d1e3a

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for servers should be enabled

4da35fc9-c9e7-4960-aec9-797fe7d9051d

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for SQL servers on machines should be enabled

6581d072-105e-4418-827f-bd446d56421b

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for SQL should be enabled for unprotected SQL Managed Instances

abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Defender for Storage should be enabled

308fbb08-4ab8-4e67-9b29-592e93fb94fa

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Azure Event Grid domains should use private link

9830b652-8523-49cc-b1b3-e17dce1127ca

Event Grid

Default: Audit
Allowed: (Audit, Disabled)

Azure Event Grid topics should use private link

4b90e17e-8448-49db-875e-bd83fb6f804f

Event Grid

Default: Audit
Allowed: (Audit, Disabled)

Azure Machine Learning workspaces should be encrypted with a customer-managed key

ba769a63-b8cc-4b2d-abf6-ac33c7204be8

Machine Learning

Default: Audit
Allowed: (Audit, Deny, Disabled)

Azure Machine Learning workspaces should use private link

40cec1dd-a100-4920-b15b-3024fe8901ab

Machine Learning

Default: Audit
Allowed: (Audit, Deny, Disabled)

Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters

0a15ec92-a229-4763-bb14-0ea34a568f8d

Kubernetes

Default: Audit
Allowed: (Audit, Disabled)

Azure SignalR Service should use private link

53503636-bcc9-4748-9663-5348217f160f

SignalR

Default: Audit
Allowed: (Audit, Deny, Disabled)

Azure Spring Cloud should use network injection

af35e2a4-ef96-44e7-a9ae-853dd97032c4

App Platform

Default: Audit
Allowed: (Audit, Disabled, Deny)

Cognitive Services accounts should disable public network access

0725b4dd-7e76-479c-a735-68e7ee23d5ca

Cognitive Services

Default: Audit
Allowed: (Audit, Deny, Disabled)

Cognitive Services accounts should enable data encryption with a customer-managed key

67121cc7-ff39-4ab8-b7e3-95b84dab487d

Cognitive Services

Default: Audit
Allowed: (Audit, Deny, Disabled)

Cognitive Services accounts should restrict network access

037eea7a-bd0a-46c5-9a66-03aea78705d3

Cognitive Services

Default: Audit
Allowed: (Audit, Deny, Disabled)

Container registries should be encrypted with a customer-managed key

5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580

Container Registry

Default: Audit
Allowed: (Audit, Deny, Disabled)

Container registries should not allow unrestricted network access

d0793b48-0edc-4296-a390-4c75d1bdfd71

Container Registry

Default: Audit
Allowed: (Audit, Deny, Disabled)

Container registries should use private link

e8eef0a8-67cf-4eb4-9386-14b0e78733d4

Container Registry

Default: Audit
Allowed: (Audit, Disabled)

CORS should not allow every resource to access your API App

358c20a6-3f9e-4f0e-97ff-c6ce485e2aac

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

CORS should not allow every resource to access your Function Apps

0820b7b9-23aa-4725-a1ce-ae4558f718e5

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

CORS should not allow every resource to access your Web Applications

5744710e-cc2f-4ee8-8809-3b11e89f4bc9

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Custom subscription owner roles should not exist

10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9

General

Default: Audit
Allowed: (Audit, Disabled)

Deprecated accounts should be removed from your subscription

6b1cbf55-e8b6-442f-ba4c-7246b6381474

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Deprecated accounts with owner permissions should be removed from your subscription

ebb62a0c-3560-49e1-89ed-27e074e9f8ad

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Diagnostic logs in App Services should be enabled

b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Email notification for high severity alerts should be enabled

6e2593d9-add6-4083-9c9b-4b7d2188c899

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Email notification to subscription owner for high severity alerts should be enabled

0b15565f-aa9e-48ba-8619-45960f2c314d

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Endpoint protection solution should be installed on virtual machine scale sets

26a828e1-e88f-464e-bbb3-c134a282b9de

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Enforce SSL connection should be enabled for MySQL database servers

e802a67a-daf5-4436-9ea6-f6d821dd0c5d

SQL

Default: Audit
Allowed: (Audit, Disabled)

Enforce SSL connection should be enabled for PostgreSQL database servers

d158790f-bfb0-486c-8631-2dc6b4e8e6af

SQL

Default: Audit
Allowed: (Audit, Disabled)

Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'

0c192fe8-9cbb-4516-85b3-0ade8bd03886

App Service

Default: Audit
Allowed: (Audit, Disabled)

Ensure that 'Java version' is the latest, if used as a part of the API app

88999f4c-376a-45c8-bcb3-4058f713cf39

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'Java version' is the latest, if used as a part of the Function app

9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'Java version' is the latest, if used as a part of the Web app

496223c3-ad65-4ecd-878a-bae78737e9ed

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'PHP version' is the latest, if used as a part of the API app

1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'PHP version' is the latest, if used as a part of the WEB app

7261b898-8a84-4db8-9e04-18527132abb3

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'Python version' is the latest, if used as a part of the API app

74c3584d-afae-46f7-a20a-6f8adba71a16

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'Python version' is the latest, if used as a part of the Function app

7238174a-fd10-4ef0-817e-fc820a951d73

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure that 'Python version' is the latest, if used as a part of the Web app

7008174a-fd10-4ef0-817e-fc820a951d73

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'

5bb220d9-2698-4ee4-8404-b9c30c9df609

App Service

Default: Audit
Allowed: (Audit, Disabled)

External accounts with owner permissions should be removed from your subscription

f8456c1c-aa66-4dfb-861a-25d127b775c9

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

External accounts with read permissions should be removed from your subscription

5f76cf89-fbf2-47fd-a3f4-b891fa780b60

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

External accounts with write permissions should be removed from your subscription

5c607a2e-c700-4744-8254-d77e7c9eb5e4

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

FTPS only should be required in your API App

9a1b8c48-453a-4044-86c3-d8bfd823e4f5

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

FTPS only should be required in your Function App

399b2637-a50f-4f95-96f8-3a145476eb15

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

FTPS should be required in your Web App

4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Function App should only be accessible over HTTPS

6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab

App Service

Default: Audit
Allowed: (Audit, Disabled)

Function apps should have 'Client Certificates (Incoming client certificates)' enabled

eaebaea7-8013-4ceb-9d14-7eb32271373c

App Service

Default: Audit
Allowed: (Audit, Disabled)

Geo-redundant backup should be enabled for Azure Database for MariaDB

0ec47710-77ff-4a3d-9181-6aa50af424d0

SQL

Default: Audit
Allowed: (Audit, Disabled)

Geo-redundant backup should be enabled for Azure Database for MySQL

82339799-d096-41ae-8538-b108becf0970

SQL

Default: Audit
Allowed: (Audit, Disabled)

Geo-redundant backup should be enabled for Azure Database for PostgreSQL

48af4db5-9b8b-401c-8e74-076be876a430

SQL

Default: Audit
Allowed: (Audit, Disabled)

Internet-facing virtual machines should be protected with network security groups

f6de0be7-9a8a-4b8a-b349-43cf02d22f7c

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

IP Forwarding on your virtual machine should be disabled

bd352bd5-2853-4985-bf0d-73806b4a5744

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Key vaults should have purge protection enabled

0b60c0b2-2dc2-4e1c-b5c9-abbed971de53

Key Vault

Default: Audit
Allowed: (Audit, Deny, Disabled)

Key vaults should have soft delete enabled

1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d

Key Vault

Default: Audit
Allowed: (Audit, Deny, Disabled)

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

e345eecc-fa47-480f-9e88-67dcc122b164

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should not share host process ID or host IPC namespace

47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should only listen on allowed ports

440b515e-a580-421e-abeb-b159a61ddcbc

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should only use allowed AppArmor profiles

511f5417-5d12-434d-ab2e-816901e72a5e

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should only use allowed capabilities

c26596ff-4d70-4e6a-9a30-c2506bd2f80c

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should only use allowed images

febd0533-8e55-448f-b837-bd0e06f16469

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes cluster containers should run with a read only root file system

df49d893-a74c-421d-bc95-c663042e5b80

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster pod hostPath volumes should only use allowed host paths

098fc59e-46c7-4d99-9b16-64990e543d75

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster pods and containers should only run with approved user and group IDs

f06ddb64-5fa3-4b77-b166-acb36f7f6042

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster pods should only use approved host network and port range

82985f06-dc18-4a48-bc1c-b9f4f0098cfe

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes cluster services should listen only on allowed ports

233a2a17-77ca-4fb1-9b6b-69223d272a44

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes cluster should not allow privileged containers

95edb821-ddaf-4404-9732-666045e056b4

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes clusters should be accessible only over HTTPS

1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d

Kubernetes

Default: deny
Allowed: (audit, deny, disabled)

Kubernetes clusters should not allow container privilege escalation

1c6e92c9-99f0-4e55-9cf2-0c234dc48f99

Kubernetes

Default: audit
Allowed: (audit, deny, disabled)

Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

fb893a29-21bb-418c-a157-e99480ec364c

Security Center

Default: Audit
Allowed: (Audit, Disabled)

Latest TLS version should be used in your API App

8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Latest TLS version should be used in your Function App

f9d614c5-c173-4d56-95a7-b4437057d193

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Latest TLS version should be used in your Web App

f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Log Analytics agent health issues should be resolved on your machines

d62cfe2b-3ab0-4d41-980d-76803b58ca65

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring

a4fe33eb-e377-4efb-ab31-0784311bc499

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring

a3a6ea0c-e018-4933-9ef0-5aaa1501449b

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Long-term geo-redundant backup should be enabled for Azure SQL Databases

d38fc420-0735-4ef3-ac11-c806f651a570

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Managed identity should be used in your API App

c4d441f8-f9d9-4a9e-9cef-e82117cb3eef

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Managed identity should be used in your Function App

0da106f2-4ca3-48e8-bc85-c638fe6aea8f

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Managed identity should be used in your Web App

2b9ad585-36bc-4615-b300-fd4435808332

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Management ports of virtual machines should be protected with just-in-time network access control

b0f33259-77d7-4c9e-aac6-3aabcfae693c

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Management ports should be closed on your virtual machines

22730e10-96f6-4aac-ad84-9383d35b5917

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

MFA should be enabled accounts with write permissions on your subscription

9297c21d-2ed6-4474-b48f-163f75654ce3

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

MFA should be enabled on accounts with owner permissions on your subscription

aa633080-8b72-40c4-a2d7-d00c03e80bed

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

MFA should be enabled on accounts with read permissions on your subscription

e3576e28-8b17-4677-84c3-db2990658d64

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Monitor missing Endpoint Protection in Azure Security Center

af6cd1bd-1635-48cb-bde7-5b15693900b9

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

MySQL servers should use customer-managed keys to encrypt data at rest

83cef61d-dbd1-4b20-a4fc-5fbc7da10833

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Network Watcher should be enabled

b6e2945c-0b7b-40f5-9233-7a5323b5cdc6

Network

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Only secure connections to your Azure Cache for Redis should be enabled

22bee202-a82f-4305-9a2a-6d7f44d4dedb

Cache

Default: Audit
Allowed: (Audit, Deny, Disabled)

PostgreSQL servers should use customer-managed keys to encrypt data at rest

18adea5e-f416-4d0f-8aa8-d24321e3e274

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Private endpoint connections on Azure SQL Database should be enabled

7698e800-9299-47a6-b3b6-5a0fee576eed

SQL

Default: Audit
Allowed: (Audit, Disabled)

Private endpoint should be enabled for MariaDB servers

0a1302fb-a631-4106-9753-f3d494733990

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Private endpoint should be enabled for MySQL servers

7595c971-233d-4bcf-bd18-596129188c49

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Private endpoint should be enabled for PostgreSQL servers

0564d078-92f5-4f97-8398-b9f58a51f70b

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Public network access on Azure SQL Database should be disabled

1b8ca024-1d5c-4dec-8995-b1a932b41780

SQL

Default: Audit
Allowed: (Audit, Deny, Disabled)

Public network access should be disabled for MariaDB servers

fdccbe47-f3e3-4213-ad5d-ea459b2fa077

SQL

Default: Audit
Allowed: (Audit, Disabled)

Public network access should be disabled for MySQL servers

d9844e8a-1437-4aeb-a32c-0c992f056095

SQL

Default: Audit
Allowed: (Audit, Disabled)

Public network access should be disabled for PostgreSQL servers

b52376f7-9612-48a1-81cd-1ffe4b61032c

SQL

Default: Audit
Allowed: (Audit, Disabled)

Remote debugging should be turned off for API Apps

e9c8d085-d9cc-4b17-9cdc-059f1f01f19e

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Remote debugging should be turned off for Function Apps

0e60b895-3786-45da-8377-9c6b4b6ac5f9

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Remote debugging should be turned off for Web Applications

cb510bfd-1cba-4d9f-a230-cb0976f4bb71

App Service

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Azure Data Lake Store should be enabled

057ef27e-665e-4328-8ea3-04b3122bd9fb

Data Lake

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Azure Stream Analytics should be enabled

f9be5368-9bf5-4b84-9e0a-7850da98bb46

Stream Analytics

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Batch accounts should be enabled

428256e6-1fac-4f48-a757-df34c2b3336d

Batch

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Data Lake Analytics should be enabled

c95c74d9-38fe-4f0d-af86-0c7d626a315c

Data Lake

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Event Hub should be enabled

83a214f7-d01a-484b-91a9-ed54470c9a6a

Event Hub

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in IoT Hub should be enabled

383856f8-de7f-44a2-81fc-e5135b5c2aa4

Internet of Things

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Key Vault should be enabled

cf820ca0-f99e-4f3e-84fb-66e913812d21

Key Vault

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Logic Apps should be enabled

34f95f76-5386-4de7-b824-0d8478470c9d

Logic Apps

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Search services should be enabled

b4330a05-a843-4bc8-bf9a-cacce50c67f4

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Service Bus should be enabled

f8d36e2f-389b-4ee4-898d-21aeb69a0f45

Service Bus

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Resource logs in Virtual Machine Scale Sets should be enabled

7c1b1214-f927-48bf-8882-84f0af6588b1

Compute

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Role-Based Access Control (RBAC) should be used on Kubernetes Services

ac4a19c2-fa67-49b4-8ae5-0b2e78c49457

Security Center

Default: Audit
Allowed: (Audit, Disabled)

Secure transfer to storage accounts should be enabled

404c3081-a854-4457-ae30-26a93ef643f9

Storage

Default: Audit
Allowed: (Audit, Deny, Disabled)

Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign

617c02be-7f02-4efd-8836-3180d47b6c68

Service Fabric

Default: Audit
Allowed: (Audit, Deny, Disabled)

Service Fabric clusters should only use Azure Active Directory for client authentication

b54ed75b-3e1a-44ac-a333-05ba39b99ff0

Service Fabric

Default: Audit
Allowed: (Audit, Deny, Disabled)

Service principals should be used to protect your subscriptions instead of management certificates

6646a0bd-e110-40ca-bb97-84fcee63c414

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

SQL databases should have vulnerability findings resolved

feedbf84-6b99-488c-acc2-71c829aa5ffc

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

SQL managed instances should use customer-managed keys to encrypt data at rest

048248b0-55cd-46da-b1ff-39efd52db260

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

SQL servers should use customer-managed keys to encrypt data at rest

0d134df8-db83-46fb-ad72-fe0c9428c8dd

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Storage accounts should be migrated to new Azure Resource Manager resources

37e0d2fe-28a5-43d6-a273-67d37d1f5606

Storage

Default: Audit
Allowed: (Audit, Deny, Disabled)

Storage accounts should restrict network access

34c877ad-507e-4c82-993e-3452a6e0ad3c

Storage

Default: Audit
Allowed: (Audit, Deny, Disabled)

Storage accounts should restrict network access using virtual network rules

2a1a9cdf-e04d-429a-8416-3bfb72a1b26f

Storage

Default: Audit
Allowed: (Audit, Deny, Disabled)

Storage accounts should use customer-managed key for encryption

6fac406b-40ca-413b-bf8e-0bf964659c25

Storage

Default: Audit
Allowed: (Audit, Disabled)

Storage accounts should use private link

6edd7eda-6dd8-40f7-810d-67160c639cd9

Storage

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Subnets should be associated with a Network Security Group

e71308d3-144b-4262-b144-efdc3cc90517

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Subscriptions should have a contact email address for security issues

4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

System updates on virtual machine scale sets should be installed

c3f317a7-a95c-4547-b7e7-11017ebdf2fe

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

System updates should be installed on your machines

86b3d65f-7626-441e-b690-81a8b71cff60

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

There should be more than one owner assigned to your subscription

09024ccc-0c5f-475e-9457-b7c0d9ed487b

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Transparent Data Encryption on SQL databases should be enabled

17k78e20-9358-41c9-923c-fb736d382a12

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Virtual machines should be migrated to new Azure Resource Manager resources

1d84d5fb-01f6-4d12-ba4f-4a26081d403d

Compute

Default: Audit
Allowed: (Audit, Deny, Disabled)

Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

0961003e-5a0a-4549-abde-af6a37f2724d

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

VM Image Builder templates should use private link

2154edb9-244f-4741-9970-660785bccdaa

VM Image Builder

Default: Audit
Allowed: (Audit, Disabled, Deny)

Vulnerabilities in Azure Container Registry images should be remediated

5f0f936f-2f01-4bf5-b6be-d423792fa562

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Vulnerabilities in container security configurations should be remediated

e8cbc669-f12d-49eb-93e7-9273119e9933

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Vulnerabilities in security configuration on your machines should be remediated

e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Vulnerabilities in security configuration on your virtual machine scale sets should be remediated

3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4

Security Center

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Vulnerability assessment should be enabled on SQL Managed Instance

1b7aa243-30e4-4c9e-bca8-d0d3022b634a

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Vulnerability assessment should be enabled on your SQL servers

ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9

SQL

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Web Application Firewall (WAF) should be enabled for Application Gateway

564feb30-bf6a-4854-b4bb-0d2d2d1e6c66

Network

Default: Audit
Allowed: (Audit, Deny, Disabled)

Web Application Firewall (WAF) should be enabled for Azure Front Door Service service

055aa869-bc98-4af8-bafc-23f1ab6ffe2c

Network

Default: Audit
Allowed: (Audit, Deny, Disabled)

Web Application should only be accessible over HTTPS

a4af4a39-4135-47fb-b175-47fbdf85311d

App Service

Default: Audit
Allowed: (Audit, Disabled)

Windows Defender Exploit Guard should be enabled on your machines

bed48b13-6647-468e-aa2f-1af1d3f4dd40

Guest Configuration

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Windows web servers should be configured to use secure communication protocols

5752e6d6-1206-46d8-8ab1-ecc2f71a8112

Guest Configuration

Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

{ "displayName": "[Deprecated]: Azure Security Benchmark v2", "policyType": "BuiltIn", "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center", "metadata": { "version": "2.1.1-deprecated", "deprecated": true, "category": "Regulatory Compliance" }, "parameters": { "effect-e71308d3-144b-4262-b144-efdc3cc90517": { "type": "String", "metadata": { "displayName": "Effect for policy: Subnets should be associated with a Network Security Group", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c": { "type": "String", "metadata": { "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-bd352bd5-2853-4985-bf0d-73806b4a5744": { "type": "String", "metadata": { "displayName": "Effect for policy: IP Forwarding on your virtual machine should be disabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-22730e10-96f6-4aac-ad84-9383d35b5917": { "type": "String", "metadata": { "displayName": "Effect for policy: Management ports should be closed on your virtual machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c": { "type": "String", "metadata": { "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-fc5e4038-4584-4632-8c85-c0448d374b2c": { "type": "String", "metadata": { "displayName": "Effect for policy: All Internet traffic should be routed via your deployed Azure Firewall", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage accounts should restrict network access", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea": { "type": "String", "metadata": { "displayName": "Effect for policy: Authorized IP ranges should be defined on Kubernetes Services", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6": { "type": "String", "metadata": { "displayName": "Effect for policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-55615ac9-af46-4a59-874e-391cc3dfb490": { "type": "String", "metadata": { "displayName": "Effect for policy: Firewall should be enabled on Key Vault", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": { "type": "String", "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should restrict network access", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", "metadata": { "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": { "type": "String", "metadata": { "displayName": "Effect for policy: Container registries should not allow unrestricted network access", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-b52376f7-9612-48a1-81cd-1ffe4b61032c": { "type": "String", "metadata": { "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-d9844e8a-1437-4aeb-a32c-0c992f056095": { "type": "String", "metadata": { "displayName": "Effect for policy: Public network access should be disabled for MySQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077": { "type": "String", "metadata": { "displayName": "Effect for policy: Public network access should be disabled for MariaDB servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": { "type": "String", "metadata": { "displayName": "Effect for policy: API Management services should use a virtual network", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": { "type": "Array", "metadata": { "displayName": "API Management SKUs that should use a virtual network", "description": "List of API Management SKUs against which this policy will be evaluated" }, "allowedValues": [ "Developer", "Basic", "Standard", "Premium", "Consumption" ], "defaultValue": [ "Developer", "Premium" ] }, "effect-0564d078-92f5-4f97-8398-b9f58a51f70b": { "type": "String", "metadata": { "displayName": "Effect for policy: Private endpoint should be enabled for PostgreSQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0a1302fb-a631-4106-9753-f3d494733990": { "type": "String", "metadata": { "displayName": "Effect for policy: Private endpoint should be enabled for MariaDB servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-7595c971-233d-4bcf-bd18-596129188c49": { "type": "String", "metadata": { "displayName": "Effect for policy: Private endpoint should be enabled for MySQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2154edb9-244f-4741-9970-660785bccdaa": { "type": "String", "metadata": { "displayName": "Effect for policy: VM Image Builder templates should use private link", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-40cec1dd-a100-4920-b15b-3024fe8901ab": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Machine Learning workspaces should use private link", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-4b90e17e-8448-49db-875e-bd83fb6f804f": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Event Grid topics should use private links", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-53503636-bcc9-4748-9663-5348217f160f": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure SignalR Service should use private links", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-5f0bc445-3935-4915-9981-011aa2b46147": { "type": "String", "metadata": { "displayName": "Effect for policy: Private endpoint should be configured for Key Vault", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-6edd7eda-6dd8-40f7-810d-67160c639cd9": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage account should use a private link connection", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-9830b652-8523-49cc-b1b3-e17dce1127ca": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Event Grid domains should use private links", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-ca610c1d-041c-4332-9d88-7ed3094967c7": { "type": "String", "metadata": { "displayName": "Effect for policy: App Configuration should use a private link", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4": { "type": "String", "metadata": { "displayName": "Effect for policy: Container registries should use private links", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-7d092e0a-7acd-40d2-a975-dca21cae48c4": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Cache for Redis should reside within a virtual network", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Spring Cloud should use network injection", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled", "Deny" ], "defaultValue": "Audit" }, "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": { "type": "Array", "metadata": { "displayName": "Azure Spring Cloud SKUs that should use network injection", "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated" }, "allowedValues": [ "Standard" ], "defaultValue": [ "Standard" ] }, "effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure DDoS Protection Standard should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab": { "type": "String", "metadata": { "displayName": "Effect for policy: SSH access from the Internet should be blocked", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-e372f825-a257-4fb8-9175-797a8a8627d6": { "type": "String", "metadata": { "displayName": "Effect for policy: RDP access from the Internet should be blocked", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": { "type": "String", "metadata": { "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": { "type": "String", "metadata": { "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": { "type": "String", "metadata": { "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": { "type": "String", "metadata": { "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f": { "type": "String", "metadata": { "displayName": "Effect for policy: Managed identity should be used in your Function App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2b9ad585-36bc-4615-b300-fd4435808332": { "type": "String", "metadata": { "displayName": "Effect for policy: Managed identity should be used in your Web App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef": { "type": "String", "metadata": { "displayName": "Effect for policy: Managed identity should be used in your API App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-6646a0bd-e110-40ca-bb97-84fcee63c414": { "type": "String", "metadata": { "displayName": "Effect for policy: Service principals should be used to protect your subscriptions instead of management certificates", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-aa633080-8b72-40c4-a2d7-d00c03e80bed": { "type": "String", "metadata": { "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-9297c21d-2ed6-4474-b48f-163f75654ce3": { "type": "String", "metadata": { "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-e3576e28-8b17-4677-84c3-db2990658d64": { "type": "String", "metadata": { "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c": { "type": "String", "metadata": { "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b": { "type": "String", "metadata": { "displayName": "Effect for policy: There should be more than one owner assigned to your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-f8456c1c-aa66-4dfb-861a-25d127b775c9": { "type": "String", "metadata": { "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad": { "type": "String", "metadata": { "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474": { "type": "String", "metadata": { "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60": { "type": "String", "metadata": { "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4": { "type": "String", "metadata": { "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457": { "type": "String", "metadata": { "displayName": "Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5": { "type": "String", "metadata": { "displayName": "Effect for policy: Audit usage of custom RBAC rules", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9": { "type": "String", "metadata": { "displayName": "Effect for policy: Custom subscription owner roles should not exist", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349": { "type": "String", "metadata": { "displayName": "Effect for policy: Sensitive data in your SQL databases should be classified", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage account public access should be disallowed", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for Storage should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-6581d072-105e-4418-827f-bd446d56421b": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": { "type": "String", "metadata": { "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-17k78e20-9358-41c9-923c-fb736d382a12": { "type": "String", "metadata": { "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0961003e-5a0a-4549-abde-af6a37f2724d": { "type": "String", "metadata": { "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2bdd0062-9d75-436e-89df-487dd8e4b3c7": { "type": "String", "metadata": { "displayName": "[Deprecated]: Effect for policy: Cognitive Services accounts should enable data encryption", "description": "For more information about effects, visit https://aka.ms/policyeffects", "deprecated": true }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Disabled" }, "effect-404c3081-a854-4457-ae30-26a93ef643f9": { "type": "String", "metadata": { "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": { "type": "String", "metadata": { "displayName": "Effect for policy: Latest TLS version should be used in your API App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": { "type": "String", "metadata": { "displayName": "Effect for policy: Latest TLS version should be used in your Web App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-f9d614c5-c173-4d56-95a7-b4437057d193": { "type": "String", "metadata": { "displayName": "Effect for policy: Latest TLS version should be used in your Function App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab": { "type": "String", "metadata": { "displayName": "Effect for policy: Function App should only be accessible over HTTPS", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": { "type": "String", "metadata": { "displayName": "Effect for policy: Web Application should only be accessible over HTTPS", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6": { "type": "String", "metadata": { "displayName": "Effect for policy: API App should only be accessible over HTTPS", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d": { "type": "String", "metadata": { "displayName": "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af": { "type": "String", "metadata": { "displayName": "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": { "type": "String", "metadata": { "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-399b2637-a50f-4f95-96f8-3a145476eb15": { "type": "String", "metadata": { "displayName": "Effect for policy: FTPS only should be required in your Function App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b": { "type": "String", "metadata": { "displayName": "Effect for policy: FTPS should be required in your Web App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5": { "type": "String", "metadata": { "displayName": "Effect for policy: FTPS only should be required in your API App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": { "type": "String", "metadata": { "displayName": "Effect for policy: Enforce HTTPS ingress in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Enforce HTTPS ingress in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": { "type": "String", "metadata": { "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows web servers that are not using secure communication protocols", "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine" }, "allowedValues": [ "true", "false" ], "defaultValue": "false" }, "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": { "type": "String", "metadata": { "displayName": "Minimum TLS version for Windows web servers", "description": "Windows web servers with lower TLS versions will be assessed as non-compliant" }, "allowedValues": [ "1.1", "1.2" ], "defaultValue": "1.2" }, "effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd": { "type": "String", "metadata": { "displayName": "Effect for policy: SQL server TDE protector should be encrypted with your own key", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-048248b0-55cd-46da-b1ff-39efd52db260": { "type": "String", "metadata": { "displayName": "Effect for policy: SQL Managed Instance TDE protector should be encrypted with your own key", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": { "type": "String", "metadata": { "displayName": "Effect for policy: Automation account variables should be encrypted", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-617c02be-7f02-4efd-8836-3180d47b6c68": { "type": "String", "metadata": { "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-11566b39-f7f7-4b82-ab06-68d8700eb0a4": { "type": "String", "metadata": { "displayName": "[Deprecated]: Effect for policy: Cognitive Services accounts should use customer owned storage or enable data encryption.", "description": "For more information about effects, visit https://aka.ms/policyeffects", "deprecated": true }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Disabled" }, "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Cosmos DB account should use customer-managed keys to encrypt data at rest", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": { "type": "String", "metadata": { "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": { "type": "String", "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with customer-managed key", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage account should use customer-managed key for encryption", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-18adea5e-f416-4d0f-8aa8-d24321e3e274": { "type": "String", "metadata": { "displayName": "Effect for policy: Bring your own key data protection should be enabled for PostgreSQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833": { "type": "String", "metadata": { "displayName": "Effect for policy: Bring your own key data protection should be enabled for MySQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": { "type": "String", "metadata": { "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": { "type": "String", "metadata": { "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager resources", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-47a6b606-51aa-4496-8bb7-64b11cf66adc": { "type": "String", "metadata": { "displayName": "Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for App Service should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for servers should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-523b5cd1-3e23-492f-a539-13118b6d1e3a": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for Kubernetes should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Defender for container registries should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d": { "type": "String", "metadata": { "displayName": "Effect for policy: Network traffic data collection agent should be installed on Windows virtual machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-04c4380f-3fae-46e8-96c9-30193528f602": { "type": "String", "metadata": { "displayName": "Effect for policy: Network traffic data collection agent should be installed on Linux virtual machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "listOfLocations-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": { "type": "Array", "metadata": { "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled", "description": "To see a complete list of regions, run the PowerShell command Get-AzLocation", "strongType": "location", "deprecated": true }, "defaultValue": [ "[]" ] }, "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": { "type": "String", "metadata": { "displayName": "Name of the resource group for Network Watcher", "description": "Name of the resource group where Network Watchers are located" }, "defaultValue": "NetworkWatcherRG" }, "effect-057ef27e-665e-4328-8ea3-04b3122bd9fb": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Azure Data Lake Store should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-057ef27e-665e-4328-8ea3-04b3122bd9fb": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Azure Data Lake Store resource logs" }, "defaultValue": "365" }, "effect-34f95f76-5386-4de7-b824-0d8478470c9d": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Logic Apps should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-34f95f76-5386-4de7-b824-0d8478470c9d": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Logic Apps resource logs" }, "defaultValue": "365" }, "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in IoT Hub should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4": { "type": "String", "metadata": { "displayName": "Required retention period (days) for IoT Hub resource logs" }, "defaultValue": "365" }, "effect-428256e6-1fac-4f48-a757-df34c2b3336d": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Batch accounts should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-428256e6-1fac-4f48-a757-df34c2b3336d": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Azure Batch resource logs" }, "defaultValue": "365" }, "effect-7c1b1214-f927-48bf-8882-84f0af6588b1": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Virtual Machine Scale Sets should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1": { "type": "Boolean", "metadata": { "displayName": "Include AKS clusters when auditing if virtual machine scale set resource logs are enabled" }, "defaultValue": false }, "effect-83a214f7-d01a-484b-91a9-ed54470c9a6a": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Event Hub should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-83a214f7-d01a-484b-91a9-ed54470c9a6a": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Event Hub resource logs" }, "defaultValue": "365" }, "effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Search services should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-b4330a05-a843-4bc8-bf9a-cacce50c67f4": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Azure Search resource logs" }, "defaultValue": "365" }, "effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in App Services should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Data Lake Analytics should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-c95c74d9-38fe-4f0d-af86-0c7d626a315c": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Data Lake Analytics resource logs" }, "defaultValue": "365" }, "effect-cf820ca0-f99e-4f3e-84fb-66e913812d21": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Key Vault should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-cf820ca0-f99e-4f3e-84fb-66e913812d21": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Key Vault resource logs" }, "defaultValue": "365" }, "effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Service Bus should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Service Bus resource logs" }, "defaultValue": "365" }, "effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46": { "type": "String", "metadata": { "displayName": "Effect for policy: Resource logs in Azure Stream Analytics should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "requiredRetentionDays-f9be5368-9bf5-4b84-9e0a-7850da98bb46": { "type": "String", "metadata": { "displayName": "Required retention period (days) for Azure Stream Analytics resource logs" }, "defaultValue": "365" }, "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": { "type": "String", "metadata": { "displayName": "Effect for policy: Auditing on SQL server should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": { "type": "String", "metadata": { "displayName": "Required auditing setting for SQL servers" }, "allowedValues": [ "enabled", "Disabled" ], "defaultValue": "enabled" }, "effect-a4fe33eb-e377-4efb-ab31-0784311bc499": { "type": "String", "metadata": { "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b": { "type": "String", "metadata": { "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-475aae12-b88a-4572-8b36-9b712b2b3a17": { "type": "String", "metadata": { "displayName": "Effect for policy: Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65": { "type": "String", "metadata": { "displayName": "Effect for policy: Log Analytics agent health issues should be resolved on your machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373": { "type": "String", "metadata": { "displayName": "Effect for policy: Log Analytics agent should be installed on your Linux Azure Arc machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e": { "type": "String", "metadata": { "displayName": "Effect for policy: Log Analytics agent should be installed on your Windows Azure Arc machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7": { "type": "String", "metadata": { "displayName": "Effect for policy: A security contact email address should be provided for your subscription", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899": { "type": "String", "metadata": { "displayName": "Effect for policy: Email notification for high severity alerts should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0b15565f-aa9e-48ba-8619-45960f2c314d": { "type": "String", "metadata": { "displayName": "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9": { "type": "String", "metadata": { "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": { "type": "String", "metadata": { "displayName": "Effect for policy: CORS should not allow every resource to access your Function Apps", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac": { "type": "String", "metadata": { "displayName": "Effect for policy: CORS should not allow every resource to access your API App", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": { "type": "String", "metadata": { "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9": { "type": "String", "metadata": { "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e": { "type": "String", "metadata": { "displayName": "Effect for policy: Remote debugging should be turned off for API Apps", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-eaebaea7-8013-4ceb-9d14-7eb32271373c": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On'", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-5bb220d9-2698-4ee4-8404-b9c30c9df609": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-0a15ec92-a229-4763-bb14-0ea34a568f8d": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": { "type": "String", "metadata": { "displayName": "Allowed container images for Kubernetes clusters", "description": "Regular expression used to match allowed container images in a Kubernetes cluster; Ex: allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$" }, "defaultValue": "^(.+){0}$" }, "effect-febd0533-8e55-448f-b837-bd0e06f16469": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure only allowed container images in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-febd0533-8e55-448f-b837-bd0e06f16469": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Ensure only allowed container images in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-95edb821-ddaf-4404-9732-666045e056b4": { "type": "String", "metadata": { "displayName": "Effect for policy: Do not allow privileged containers in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-95edb821-ddaf-4404-9732-666045e056b4": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Do not allow privileged containers in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc": { "type": "Array", "metadata": { "displayName": "Allowed container ports in Kubernetes clusters" }, "defaultValue": [ "-1" ] }, "effect-440b515e-a580-421e-abeb-b159a61ddcbc": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure containers listen only on allowed ports in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-440b515e-a580-421e-abeb-b159a61ddcbc": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Ensure containers listen only on allowed ports in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44": { "type": "Array", "metadata": { "displayName": "Allowed services ports in Kubernetes clusters" }, "defaultValue": [ "-1" ] }, "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure services listen only on allowed ports in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Ensure services listen only on allowed ports in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes clusters should not allow container privilege escalation", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes clusters should not allow container privilege escalation", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": { "type": "String", "metadata": { "displayName": "Maximum allowed CPU units for containers in Kubernetes clusters", "description": "Ex: 200m; for more information, visit https://aka.ms/k8s-policy-pod-limits" }, "defaultValue": "0" }, "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": { "type": "String", "metadata": { "displayName": "Maximum allowed memory (bytes) for a container in Kubernetes clusters", "description": "Ex: 1Gi; for more information, visit https://aka.ms/k8s-policy-pod-limits" }, "defaultValue": "0" }, "effect-e345eecc-fa47-480f-9e88-67dcc122b164": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-e345eecc-fa47-480f-9e88-67dcc122b164": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster pods and containers should only run with approved user and group IDs", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pods and containers should only run with approved user and group IDs", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster containers should not share host process ID or host IPC namespace", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should not share host process ID or host IPC namespace", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-df49d893-a74c-421d-bc95-c663042e5b80": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster containers should run with a read only root file system", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-df49d893-a74c-421d-bc95-c663042e5b80": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should run with a read only root file system", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed capabilities", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should only use allowed capabilities", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": { "type": "Array", "metadata": { "displayName": "List of capabilities that are allowed to be added to a container", "description": "Provide empty list as input to block everything" }, "defaultValue": [ "[]" ] }, "requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": { "type": "Array", "metadata": { "displayName": "The list of capabilities that must be dropped by a container" }, "defaultValue": [ "[]" ] }, "effect-511f5417-5d12-434d-ab2e-816901e72a5e": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster containers should only use allowed AppArmor profiles", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-511f5417-5d12-434d-ab2e-816901e72a5e": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster containers should only use allowed AppArmor profiles", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e": { "type": "Array", "metadata": { "displayName": "The list of AppArmor profiles that containers are allowed to use", "description": "Ex: 'runtime/default;docker/default'; provide empty list as input to block everything" }, "defaultValue": [ "[]" ] }, "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster pods should only use approved host network and port range", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pods should only use approved host network and port range", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { "type": "Boolean", "metadata": { "displayName": "Allow host network usage for Kubernetes cluster pods", "description": "Set this value to true if pod is allowed to use host network, otherwise set to false" }, "defaultValue": false }, "minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { "type": "Integer", "metadata": { "displayName": "Minimum value in the allowable host port range that pods can use in the host network namespace" }, "defaultValue": 0 }, "maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { "type": "Integer", "metadata": { "displayName": "Maximum value in the allowable host port range that pods can use in the host network namespace" }, "defaultValue": 0 }, "effect-098fc59e-46c7-4d99-9b16-64990e543d75": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "audit", "deny", "disabled" ], "defaultValue": "audit" }, "excludedNamespaces-098fc59e-46c7-4d99-9b16-64990e543d75": { "type": "Array", "metadata": { "displayName": "Namespaces excluded from evaluation of policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths", "description": "List of Kubernetes namespaces to exclude from policy evaluation" }, "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ] }, "allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75": { "type": "Object", "metadata": { "displayName": "Allowed host paths for pod hostPath volumes to use", "description": "Provide an empty paths list to block all host paths" }, "defaultValue": { "paths": [] } }, "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-e8cbc669-f12d-49eb-93e7-9273119e9933": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9": { "type": "String", "metadata": { "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-760a85ff-6162-42b3-8d70-698e268f648c": { "type": "String", "metadata": { "displayName": "[Deprecated]: Effect for policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution", "description": "For more information about effects, visit https://aka.ms/policyeffects", "deprecated": true }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "Disabled" }, "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-5f0f936f-2f01-4bf5-b6be-d423792fa562": { "type": "String", "metadata": { "displayName": "Effect for policy: Vulnerabilities in Azure Container Registry images should be remediated", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { "type": "String", "metadata": { "displayName": "Effect for policy: System updates should be installed on your machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": { "type": "String", "metadata": { "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "PHPLatestVersion": { "type": "String", "metadata": { "displayName": "Latest PHP version for App Services", "description": "Latest supported PHP version for App Services" }, "defaultValue": "7.3" }, "effect-7261b898-8a84-4db8-9e04-18527132abb3": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "JavaLatestVersion": { "type": "String", "metadata": { "displayName": "Latest Java version for App Services", "description": "Latest supported Java version for App Services" }, "defaultValue": "11" }, "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-7008174a-fd10-4ef0-817e-fc820a951d73": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "LinuxPythonLatestVersion": { "type": "String", "metadata": { "displayName": "Latest Python version for Linux for App Services", "description": "Latest supported Python version for App Services" }, "defaultValue": "3.8" }, "effect-7238174a-fd10-4ef0-817e-fc820a951d73": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-74c3584d-afae-46f7-a20a-6f8adba71a16": { "type": "String", "metadata": { "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-fb893a29-21bb-418c-a157-e99480ec364c": { "type": "String", "metadata": { "displayName": "Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": { "type": "String", "metadata": { "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-26a828e1-e88f-464e-bbb3-c134a282b9de": { "type": "String", "metadata": { "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "IncludeArcMachines-bed48b13-6647-468e-aa2f-1af1d3f4dd40": { "type": "String", "metadata": { "displayName": "Include Arc-connected servers when evaluating policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled", "description": "By selecting 'true,' you agree to be charged monthly per Arc connected machine" }, "allowedValues": [ "true", "false" ], "defaultValue": "false" }, "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": { "type": "String", "metadata": { "displayName": "Compliance status to report for Windows servers where Windows Defender Exploit Guard is not supported" }, "allowedValues": [ "Compliant", "Non-Compliant" ], "defaultValue": "Compliant" }, "effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40": { "type": "String", "metadata": { "displayName": "Effect for policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-d38fc420-0735-4ef3-ac11-c806f651a570": { "type": "String", "metadata": { "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-82339799-d096-41ae-8538-b108becf0970": { "type": "String", "metadata": { "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-48af4db5-9b8b-401c-8e74-076be876a430": { "type": "String", "metadata": { "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-0ec47710-77ff-4a3d-9181-6aa50af424d0": { "type": "String", "metadata": { "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" }, "effect-013e242c-8828-4970-87b3-ab247555486d": { "type": "String", "metadata": { "displayName": "Effect for policy: Azure Backup should be enabled for Virtual Machines", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" }, "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": { "type": "String", "metadata": { "displayName": "Effect for policy: Key vault should have soft delete enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }, "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": { "type": "String", "metadata": { "displayName": "Effect for policy: Key vault should have purge protection enabled", "description": "For more information about effects, visit https://aka.ms/policyeffects" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } }, "policyDefinitions": [ { "policyDefinitionReferenceId": "subnetsShouldBeAssociatedWithANetworkSecurityGroup", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517", "parameters": { "effect": { "value": "[parameters('effect-e71308d3-144b-4262-b144-efdc3cc90517')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "internetFacingVirtualMachinesShouldBeProtectedWithNetworkSecurityGroups", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c", "parameters": { "effect": { "value": "[parameters('effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "iPForwardingOnYourVirtualMachineShouldBeDisabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744", "parameters": { "effect": { "value": "[parameters('effect-bd352bd5-2853-4985-bf0d-73806b4a5744')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "managementPortsShouldBeClosedOnYourVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", "parameters": { "effect": { "value": "[parameters('effect-22730e10-96f6-4aac-ad84-9383d35b5917')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "managementPortsOfVirtualMachinesShouldBeProtectedWithJustInTimeNetworkAccessControl", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c", "parameters": { "effect": { "value": "[parameters('effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "allInternetTrafficShouldBeRoutedViaYourDeployedAzureFirewall", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c", "parameters": { "effect": { "value": "[parameters('effect-fc5e4038-4584-4632-8c85-c0448d374b2c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4", "Azure_Security_Benchmark_v2.0_NS-5" ] }, { "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccess", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", "parameters": { "effect": { "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "authorizedIPRangesShouldBeDefinedOnKubernetesServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea", "parameters": { "effect": { "value": "[parameters('effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "adaptiveNetworkHardeningRecommendationsShouldBeAppliedOnInternetFacingVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6", "parameters": { "effect": { "value": "[parameters('effect-08e6af2d-db70-460a-bfe9-d5bd474ba9d6')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "firewallShouldBeEnabledOnKeyVault", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", "parameters": { "effect": { "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldHaveFirewallRules", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", "parameters": { "effect": { "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1", "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldRestrictNetworkAccess", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", "parameters": { "effect": { "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccounts", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", "parameters": { "effect": { "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", "parameters": {}, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRules", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", "parameters": { "effect": { "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "containerRegistriesShouldNotAllowUnrestrictedNetworkAccess", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", "parameters": { "effect": { "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForPostgresqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", "parameters": { "effect": { "value": "[parameters('effect-b52376f7-9612-48a1-81cd-1ffe4b61032c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMysqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", "parameters": { "effect": { "value": "[parameters('effect-d9844e8a-1437-4aeb-a32c-0c992f056095')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMariadbServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", "parameters": { "effect": { "value": "[parameters('effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "aPIManagementServicesShouldUseAVirtualNetwork", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "parameters": { "effect": { "value": "[parameters('effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]" }, "evaluatedSkuNames": { "value": "[parameters('evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-1" ] }, { "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForPostgresqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b", "parameters": { "effect": { "value": "[parameters('effect-0564d078-92f5-4f97-8398-b9f58a51f70b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMariadbServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990", "parameters": { "effect": { "value": "[parameters('effect-0a1302fb-a631-4106-9753-f3d494733990')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMysqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49", "parameters": { "effect": { "value": "[parameters('effect-7595c971-233d-4bcf-bd18-596129188c49')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "vMImageBuilderTemplatesShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa", "parameters": { "effect": { "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab", "parameters": { "effect": { "value": "[parameters('effect-40cec1dd-a100-4920-b15b-3024fe8901ab')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "azureEventGridTopicsShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f", "parameters": { "effect": { "value": "[parameters('effect-4b90e17e-8448-49db-875e-bd83fb6f804f')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "azureSignalrServiceShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f", "parameters": { "effect": { "value": "[parameters('effect-53503636-bcc9-4748-9663-5348217f160f')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "privateEndpointShouldBeConfiguredForKeyVault", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147", "parameters": { "effect": { "value": "[parameters('effect-5f0bc445-3935-4915-9981-011aa2b46147')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "storageAccountShouldUseAPrivateLinkConnection", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9", "parameters": { "effect": { "value": "[parameters('effect-6edd7eda-6dd8-40f7-810d-67160c639cd9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "7698e800-9299-47a6-b3b6-5a0fee576eed", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed", "parameters": {}, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "azureEventGridDomainsShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca", "parameters": { "effect": { "value": "[parameters('effect-9830b652-8523-49cc-b1b3-e17dce1127ca')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "appConfigurationShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7", "parameters": { "effect": { "value": "[parameters('effect-ca610c1d-041c-4332-9d88-7ed3094967c7')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "containerRegistriesShouldUsePrivateLink", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4", "parameters": { "effect": { "value": "[parameters('effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2", "Azure_Security_Benchmark_v2.0_NS-3" ] }, { "policyDefinitionReferenceId": "azureCacheForRedisShouldResideWithinAVirtualNetwork", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4", "parameters": { "effect": { "value": "[parameters('effect-7d092e0a-7acd-40d2-a975-dca21cae48c4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2" ] }, { "policyDefinitionReferenceId": "azureSpringCloudShouldUseNetworkInjection", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4", "parameters": { "effect": { "value": "[parameters('effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]" }, "evaluatedSkuNames": { "value": "[parameters('evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-2" ] }, { "policyDefinitionReferenceId": "azureDdosProtectionStandardShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd", "parameters": { "effect": { "value": "[parameters('effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "sSHAccessFromTheInternetShouldBeBlocked", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab", "parameters": { "effect": { "value": "[parameters('effect-2c89a2e5-7285-40fe-afe0-ae8654b92fab')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "rDPAccessFromTheInternetShouldBeBlocked", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6", "parameters": { "effect": { "value": "[parameters('effect-e372f825-a257-4fb8-9175-797a8a8627d6')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "webApplicationFirewallWAFShouldBeEnabledForAzureFrontDoorServiceService", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", "parameters": { "effect": { "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "webApplicationFirewallWAFShouldBeEnabledForApplicationGateway", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", "parameters": { "effect": { "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_NS-4" ] }, { "policyDefinitionReferenceId": "anAzureActiveDirectoryAdministratorShouldBeProvisionedForSQLServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9", "parameters": { "effect": { "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-1" ] }, { "policyDefinitionReferenceId": "serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0", "parameters": { "effect": { "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-1" ] }, { "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourFunctionApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f", "parameters": { "effect": { "value": "[parameters('effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-1", "Azure_Security_Benchmark_v2.0_IM-2" ] }, { "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourWebApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332", "parameters": { "effect": { "value": "[parameters('effect-2b9ad585-36bc-4615-b300-fd4435808332')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-1", "Azure_Security_Benchmark_v2.0_IM-2" ] }, { "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef", "parameters": { "effect": { "value": "[parameters('effect-c4d441f8-f9d9-4a9e-9cef-e82117cb3eef')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-1", "Azure_Security_Benchmark_v2.0_IM-2" ] }, { "policyDefinitionReferenceId": "servicePrincipalsShouldBeUsedToProtectYourSubscriptionsInsteadOfManagementCertificates", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414", "parameters": { "effect": { "value": "[parameters('effect-6646a0bd-e110-40ca-bb97-84fcee63c414')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-2" ] }, { "policyDefinitionReferenceId": "mFAShouldBeEnabledOnAccountsWithOwnerPermissionsOnYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed", "parameters": { "effect": { "value": "[parameters('effect-aa633080-8b72-40c4-a2d7-d00c03e80bed')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-4" ] }, { "policyDefinitionReferenceId": "mFAShouldBeEnabledAccountsWithWritePermissionsOnYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3", "parameters": { "effect": { "value": "[parameters('effect-9297c21d-2ed6-4474-b48f-163f75654ce3')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-4" ] }, { "policyDefinitionReferenceId": "mFAShouldBeEnabledOnAccountsWithReadPermissionsOnYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64", "parameters": { "effect": { "value": "[parameters('effect-e3576e28-8b17-4677-84c3-db2990658d64')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IM-4" ] }, { "policyDefinitionReferenceId": "aMaximumOf3OwnersShouldBeDesignatedForYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c", "parameters": { "effect": { "value": "[parameters('effect-4f11b553-d42e-4e3a-89be-32ca364cad4c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-1" ] }, { "policyDefinitionReferenceId": "thereShouldBeMoreThanOneOwnerAssignedToYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b", "parameters": { "effect": { "value": "[parameters('effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-1" ] }, { "policyDefinitionReferenceId": "externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9", "parameters": { "effect": { "value": "[parameters('effect-f8456c1c-aa66-4dfb-861a-25d127b775c9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-1", "Azure_Security_Benchmark_v2.0_PA-3" ] }, { "policyDefinitionReferenceId": "deprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad", "parameters": { "effect": { "value": "[parameters('effect-ebb62a0c-3560-49e1-89ed-27e074e9f8ad')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-1", "Azure_Security_Benchmark_v2.0_PA-3" ] }, { "policyDefinitionReferenceId": "deprecatedAccountsShouldBeRemovedFromYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474", "parameters": { "effect": { "value": "[parameters('effect-6b1cbf55-e8b6-442f-ba4c-7246b6381474')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-3" ] }, { "policyDefinitionReferenceId": "externalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60", "parameters": { "effect": { "value": "[parameters('effect-5f76cf89-fbf2-47fd-a3f4-b891fa780b60')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-3" ] }, { "policyDefinitionReferenceId": "externalAccountsWithWritePermissionsShouldBeRemovedFromYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4", "parameters": { "effect": { "value": "[parameters('effect-5c607a2e-c700-4744-8254-d77e7c9eb5e4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-3" ] }, { "policyDefinitionReferenceId": "roleBasedAccessControlRBACShouldBeUsedOnKubernetesServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457", "parameters": { "effect": { "value": "[parameters('effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-7" ] }, { "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5", "parameters": { "effect": { "value": "[parameters('effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-7" ] }, { "policyDefinitionReferenceId": "customSubscriptionOwnerRolesShouldNotExist", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9", "parameters": { "effect": { "value": "[parameters('effect-10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PA-7" ] }, { "policyDefinitionReferenceId": "sensitiveDataInYourSQLDatabasesShouldBeClassified", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349", "parameters": { "effect": { "value": "[parameters('effect-cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-1" ] }, { "policyDefinitionReferenceId": "storageAccountPublicAccessShouldBeDisallowed", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", "parameters": { "effect": { "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2" ] }, { "policyDefinitionReferenceId": "azureDefenderForStorageShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa", "parameters": { "effect": { "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-3", "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "azureDefenderForSQLServersOnMachinesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b", "parameters": { "effect": { "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-3", "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "azureDefenderForAzureSQLDatabaseServersShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2", "parameters": { "effect": { "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-3", "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "advancedDataSecurityShouldBeEnabledOnSQLManagedInstance", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9", "parameters": { "effect": { "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-3", "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "transparentDataEncryptionOnSQLDatabasesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", "parameters": { "effect": { "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "diskEncryptionShouldBeAppliedOnVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", "parameters": { "effect": { "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-2", "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "secureTransferToStorageAccountsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", "parameters": { "effect": { "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", "parameters": { "effect": { "value": "[parameters('effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourWebApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", "parameters": { "effect": { "value": "[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourFunctionApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", "parameters": { "effect": { "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "functionAppShouldOnlyBeAccessibleOverHTTPS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", "parameters": { "effect": { "value": "[parameters('effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "webApplicationShouldOnlyBeAccessibleOverHTTPS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", "parameters": { "effect": { "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "aPIAppShouldOnlyBeAccessibleOverHTTPS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6", "parameters": { "effect": { "value": "[parameters('effect-b7ddfbdc-1260-477d-91fd-98bd9be789a6')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d", "parameters": { "effect": { "value": "[parameters('effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af", "parameters": { "effect": { "value": "[parameters('effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "onlySecureConnectionsToYourAzureCacheForRedisShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb", "parameters": { "effect": { "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourFunctionApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15", "parameters": { "effect": { "value": "[parameters('effect-399b2637-a50f-4f95-96f8-3a145476eb15')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "fTPSShouldBeRequiredInYourWebApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b", "parameters": { "effect": { "value": "[parameters('effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5", "parameters": { "effect": { "value": "[parameters('effect-9a1b8c48-453a-4044-86c3-d8bfd823e4f5')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "enforceHTTPSIngressInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", "parameters": { "effect": { "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "auditWindowsWebServersThatAreNotUsingSecureCommunicationProtocols", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112", "parameters": { "IncludeArcMachines": { "value": "[parameters('IncludeArcMachines-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]" }, "MinimumTLSVersion": { "value": "[parameters('MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-4" ] }, { "policyDefinitionReferenceId": "sQLServersShouldUseCustomerManagedKeysToEncryptDataAtRest", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", "parameters": { "effect": { "value": "[parameters('effect-0d134df8-db83-46fb-ad72-fe0c9428c8dd')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "sQLManagedInstancesShouldUseCustomerManagedKeysToEncryptDataAtRest", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260", "parameters": { "effect": { "value": "[parameters('effect-048248b0-55cd-46da-b1ff-39efd52db260')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "automationAccountVariablesShouldBeEncrypted", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", "parameters": { "effect": { "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "serviceFabricClustersShouldHaveTheClusterprotectionlevelPropertySetToEncryptandsign", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", "parameters": { "effect": { "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldUseCustomerManagedKeysToEncryptDataAtRest", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", "parameters": { "effect": { "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", "parameters": { "effect": { "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", "parameters": { "effect": { "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "storageAccountsShouldUseCustomerManagedKeyCMKForEncryption", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", "parameters": { "effect": { "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", "parameters": { "effect": { "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgresqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", "parameters": { "effect": { "value": "[parameters('effect-18adea5e-f416-4d0f-8aa8-d24321e3e274')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForMysqlServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", "parameters": { "effect": { "value": "[parameters('effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_DP-5" ] }, { "policyDefinitionReferenceId": "virtualMachinesShouldBeMigratedToNewAzureResourceManagerResources", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d", "parameters": { "effect": { "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_AM-3" ] }, { "policyDefinitionReferenceId": "storageAccountsShouldBeMigratedToNewAzureResourceManagerResources", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", "parameters": { "effect": { "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_AM-3" ] }, { "policyDefinitionReferenceId": "adaptiveApplicationControlsForDefiningSafeApplicationsShouldBeEnabledOnYourMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc", "parameters": { "effect": { "value": "[parameters('effect-47a6b606-51aa-4496-8bb7-64b11cf66adc')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_AM-6" ] }, { "policyDefinitionReferenceId": "azureDefenderForKeyVaultShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047", "parameters": { "effect": { "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "azureDefenderForAppServiceShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb", "parameters": { "effect": { "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "azureDefenderForServersShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d", "parameters": { "effect": { "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5", "Azure_Security_Benchmark_v2.0_ES-1" ] }, { "policyDefinitionReferenceId": "azureDefenderForKubernetesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a", "parameters": { "effect": { "value": "[parameters('effect-523b5cd1-3e23-492f-a539-13118b6d1e3a')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "azureDefenderForContainerRegistriesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4", "parameters": { "effect": { "value": "[parameters('effect-c25d9a16-bc35-4e15-a7e5-9db606bf9ed4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-1", "Azure_Security_Benchmark_v2.0_LT-2", "Azure_Security_Benchmark_v2.0_IR-3", "Azure_Security_Benchmark_v2.0_IR-5" ] }, { "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnWindowsVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d", "parameters": { "effect": { "value": "[parameters('effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-3" ] }, { "policyDefinitionReferenceId": "networkTrafficDataCollectionAgentShouldBeInstalledOnLinuxVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602", "parameters": { "effect": { "value": "[parameters('effect-04c4380f-3fae-46e8-96c9-30193528f602')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-3" ] }, { "policyDefinitionReferenceId": "networkWatcherShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6", "parameters": { "resourceGroupName": { "value": "[parameters('resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-3" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInAzureDataLakeStoreShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb", "parameters": { "effect": { "value": "[parameters('effect-057ef27e-665e-4328-8ea3-04b3122bd9fb')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-057ef27e-665e-4328-8ea3-04b3122bd9fb')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInLogicAppsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d", "parameters": { "effect": { "value": "[parameters('effect-34f95f76-5386-4de7-b824-0d8478470c9d')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-34f95f76-5386-4de7-b824-0d8478470c9d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInIotHubShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4", "parameters": { "effect": { "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInBatchAccountsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d", "parameters": { "effect": { "value": "[parameters('effect-428256e6-1fac-4f48-a757-df34c2b3336d')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-428256e6-1fac-4f48-a757-df34c2b3336d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInVirtualMachineScaleSetsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1", "parameters": { "effect": { "value": "[parameters('effect-7c1b1214-f927-48bf-8882-84f0af6588b1')]" }, "includeAKSClusters": { "value": "[parameters('includeAKSClusters-7c1b1214-f927-48bf-8882-84f0af6588b1')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInEventHubShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a", "parameters": { "effect": { "value": "[parameters('effect-83a214f7-d01a-484b-91a9-ed54470c9a6a')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-83a214f7-d01a-484b-91a9-ed54470c9a6a')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInSearchServicesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", "parameters": { "effect": { "value": "[parameters('effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInAppServicesShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0", "parameters": { "effect": { "value": "[parameters('effect-b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInDataLakeAnalyticsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c", "parameters": { "effect": { "value": "[parameters('effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInKeyVaultShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21", "parameters": { "effect": { "value": "[parameters('effect-cf820ca0-f99e-4f3e-84fb-66e913812d21')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-cf820ca0-f99e-4f3e-84fb-66e913812d21')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInServiceBusShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45", "parameters": { "effect": { "value": "[parameters('effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "diagnosticLogsInAzureStreamAnalyticsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46", "parameters": { "effect": { "value": "[parameters('effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]" }, "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "auditingOnSQLServerShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", "parameters": { "effect": { "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]" }, "setting": { "value": "[parameters('setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-4" ] }, { "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourVirtualMachineForAzureSecurityCenterMonitoring", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499", "parameters": { "effect": { "value": "[parameters('effect-a4fe33eb-e377-4efb-ab31-0784311bc499')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourVirtualMachineScaleSetsForAzureSecurityCenterMonitoring", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b", "parameters": { "effect": { "value": "[parameters('effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscription", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17", "parameters": { "effect": { "value": "[parameters('effect-475aae12-b88a-4572-8b36-9b712b2b3a17')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "logAnalyticsAgentHealthIssuesShouldBeResolvedOnYourMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65", "parameters": { "effect": { "value": "[parameters('effect-d62cfe2b-3ab0-4d41-980d-76803b58ca65')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourLinuxAzureArcMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373", "parameters": { "effect": { "value": "[parameters('effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "logAnalyticsAgentShouldBeInstalledOnYourWindowsAzureArcMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e", "parameters": { "effect": { "value": "[parameters('effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_LT-5" ] }, { "policyDefinitionReferenceId": "subscriptionsShouldHaveAContactEmailAddressForSecurityIssues", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7", "parameters": { "effect": { "value": "[parameters('effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IR-2" ] }, { "policyDefinitionReferenceId": "emailNotificationForHighSeverityAlertsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899", "parameters": { "effect": { "value": "[parameters('effect-6e2593d9-add6-4083-9c9b-4b7d2188c899')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IR-2" ] }, { "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d", "parameters": { "effect": { "value": "[parameters('effect-0b15565f-aa9e-48ba-8619-45960f2c314d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_IR-2" ] }, { "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourWebApplications", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9", "parameters": { "effect": { "value": "[parameters('effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourFunctionApps", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", "parameters": { "effect": { "value": "[parameters('effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "cORSShouldNotAllowEveryResourceToAccessYourAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac", "parameters": { "effect": { "value": "[parameters('effect-358c20a6-3f9e-4f0e-97ff-c6ce485e2aac')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForWebApplications", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71", "parameters": { "effect": { "value": "[parameters('effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForFunctionApps", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9", "parameters": { "effect": { "value": "[parameters('effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "remoteDebuggingShouldBeTurnedOffForAPIApps", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e", "parameters": { "effect": { "value": "[parameters('effect-e9c8d085-d9cc-4b17-9cdc-059f1f01f19e')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOn", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886", "parameters": { "effect": { "value": "[parameters('effect-0c192fe8-9cbb-4516-85b3-0ade8bd03886')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesIncomingClientCertificatesEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c", "parameters": { "effect": { "value": "[parameters('effect-eaebaea7-8013-4ceb-9d14-7eb32271373c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOn", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609", "parameters": { "effect": { "value": "[parameters('effect-5bb220d9-2698-4ee4-8404-b9c30c9df609')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "azurePolicyAddOnForKubernetesServiceAKSShouldBeInstalledAndEnabledOnYourClusters", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d", "parameters": { "effect": { "value": "[parameters('effect-0a15ec92-a229-4763-bb14-0ea34a568f8d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureOnlyAllowedContainerImagesInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469", "parameters": { "allowedContainerImagesRegex": { "value": "[parameters('allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469')]" }, "effect": { "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-febd0533-8e55-448f-b837-bd0e06f16469')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "doNotAllowPrivilegedContainersInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", "parameters": { "effect": { "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-95edb821-ddaf-4404-9732-666045e056b4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureContainersListenOnlyOnAllowedPortsInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc", "parameters": { "allowedContainerPortsList": { "value": "[parameters('allowedContainerPortsList-440b515e-a580-421e-abeb-b159a61ddcbc')]" }, "effect": { "value": "[parameters('effect-440b515e-a580-421e-abeb-b159a61ddcbc')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-440b515e-a580-421e-abeb-b159a61ddcbc')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureServicesListenOnlyOnAllowedPortsInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44", "parameters": { "allowedServicePortsList": { "value": "[parameters('allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44')]" }, "effect": { "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-233a2a17-77ca-4fb1-9b6b-69223d272a44')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClustersShouldNotAllowContainerPrivilegeEscalation", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", "parameters": { "effect": { "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "ensureContainerCPUAndMemoryResourceLimitsDoNotExceedTheSpecifiedLimitsInKubernetesCluster", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164", "parameters": { "cpuLimit": { "value": "[parameters('cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]" }, "memoryLimit": { "value": "[parameters('memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164')]" }, "effect": { "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-e345eecc-fa47-480f-9e88-67dcc122b164')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterPodsAndContainersShouldOnlyRunWithApprovedUserAndGroupIds", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042", "parameters": { "effect": { "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]" }, "runAsUserRule": { "value": "MustRunAsNonRoot" }, "runAsUserRanges": { "value": { "ranges": [] } }, "runAsGroupRule": { "value": "MayRunAs" }, "runAsGroupRanges": { "value": { "ranges": [ { "min": 1, "max": 65535 } ] } }, "supplementalGroupsRule": { "value": "MayRunAs" }, "supplementalGroupsRanges": { "value": { "ranges": [ { "min": 1, "max": 65535 } ] } }, "fsGroupRule": { "value": "MayRunAs" }, "fsGroupRanges": { "value": { "ranges": [ { "min": 1, "max": 65535 } ] } } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterContainersShouldNotShareHostProcessIDOrHostIPCNamespace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", "parameters": { "effect": { "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterContainersShouldRunWithAReadOnlyRootFileSystem", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80", "parameters": { "effect": { "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-df49d893-a74c-421d-bc95-c663042e5b80')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterContainersShouldOnlyUseAllowedCapabilities", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", "parameters": { "effect": { "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]" }, "allowedCapabilities": { "value": "[parameters('allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]" }, "requiredDropCapabilities": { "value": "[parameters('requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterContainersShouldOnlyUseAllowedApparmorProfiles", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e", "parameters": { "effect": { "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-511f5417-5d12-434d-ab2e-816901e72a5e')]" }, "allowedProfiles": { "value": "[parameters('allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterPodsShouldOnlyUseApprovedHostNetworkAndPortRange", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe", "parameters": { "effect": { "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]" }, "allowHostNetwork": { "value": "[parameters('allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]" }, "minPort": { "value": "[parameters('minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]" }, "maxPort": { "value": "[parameters('maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "kubernetesClusterPodHostpathVolumesShouldOnlyUseAllowedHostPaths", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75", "parameters": { "effect": { "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]" }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-098fc59e-46c7-4d99-9b16-64990e543d75')]" }, "allowedHostPaths": { "value": "[parameters('allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-2" ] }, { "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", "parameters": { "effect": { "value": "[parameters('effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-4" ] }, { "policyDefinitionReferenceId": "vulnerabilitiesInContainerSecurityConfigurationsShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933", "parameters": { "effect": { "value": "[parameters('effect-e8cbc669-f12d-49eb-93e7-9273119e9933')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-4" ] }, { "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4", "parameters": { "effect": { "value": "[parameters('effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-4" ] }, { "policyDefinitionReferenceId": "vulnerabilityAssessmentShouldBeEnabledOnYourSQLServers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9", "parameters": { "effect": { "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-6" ] }, { "policyDefinitionReferenceId": "vulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstance", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a", "parameters": { "effect": { "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-6" ] }, { "policyDefinitionReferenceId": "aVulnerabilityAssessmentSolutionShouldBeEnabledOnYourVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9", "parameters": { "effect": { "value": "[parameters('effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-6" ] }, { "policyDefinitionReferenceId": "vulnerabilitiesOnYourSQLDatabasesShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc", "parameters": { "effect": { "value": "[parameters('effect-feedbf84-6b99-488c-acc2-71c829aa5ffc')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-6" ] }, { "policyDefinitionReferenceId": "vulnerabilitiesInAzureContainerRegistryImagesShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562", "parameters": { "effect": { "value": "[parameters('effect-5f0f936f-2f01-4bf5-b6be-d423792fa562')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-6" ] }, { "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", "parameters": { "effect": { "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "systemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", "parameters": { "effect": { "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba", "parameters": { "effect": { "value": "[parameters('effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba')]" }, "PHPLatestVersion": { "value": "[parameters('PHPLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3", "parameters": { "effect": { "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]" }, "PHPLatestVersion": { "value": "[parameters('PHPLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed", "parameters": { "effect": { "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]" }, "JavaLatestVersion": { "value": "[parameters('JavaLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc", "parameters": { "effect": { "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]" }, "JavaLatestVersion": { "value": "[parameters('JavaLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39", "parameters": { "effect": { "value": "[parameters('effect-88999f4c-376a-45c8-bcb3-4058f713cf39')]" }, "JavaLatestVersion": { "value": "[parameters('JavaLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73", "parameters": { "effect": { "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]" }, "LinuxPythonLatestVersion": { "value": "[parameters('LinuxPythonLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73", "parameters": { "effect": { "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]" }, "LinuxPythonLatestVersion": { "value": "[parameters('LinuxPythonLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheAPIApp", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16", "parameters": { "effect": { "value": "[parameters('effect-74c3584d-afae-46f7-a20a-6f8adba71a16')]" }, "LinuxPythonLatestVersion": { "value": "[parameters('LinuxPythonLatestVersion')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "kubernetesServicesShouldBeUpgradedToANonVulnerableKubernetesVersion", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c", "parameters": { "effect": { "value": "[parameters('effect-fb893a29-21bb-418c-a157-e99480ec364c')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_PV-7" ] }, { "policyDefinitionReferenceId": "monitorMissingEndpointProtectionInAzureSecurityCenter", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9", "parameters": { "effect": { "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_ES-2", "Azure_Security_Benchmark_v2.0_ES-3" ] }, { "policyDefinitionReferenceId": "endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", "parameters": { "effect": { "value": "[parameters('effect-26a828e1-e88f-464e-bbb3-c134a282b9de')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_ES-2", "Azure_Security_Benchmark_v2.0_ES-3" ] }, { "policyDefinitionReferenceId": "auditWindowsMachinesOnWhichWindowsDefenderExploitGuardIsNotEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40", "parameters": { "IncludeArcMachines": { "value": "[parameters('IncludeArcMachines-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]" }, "NotAvailableMachineState": { "value": "[parameters('NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]" }, "effect": { "value": "[parameters('effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_ES-2" ] }, { "policyDefinitionReferenceId": "longTermGeoRedundantBackupShouldBeEnabledForAzureSQLDatabases", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570", "parameters": { "effect": { "value": "[parameters('effect-d38fc420-0735-4ef3-ac11-c806f651a570')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-1", "Azure_Security_Benchmark_v2.0_BR-2" ] }, { "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMysql", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970", "parameters": { "effect": { "value": "[parameters('effect-82339799-d096-41ae-8538-b108becf0970')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-1", "Azure_Security_Benchmark_v2.0_BR-2" ] }, { "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgresql", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430", "parameters": { "effect": { "value": "[parameters('effect-48af4db5-9b8b-401c-8e74-076be876a430')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-1", "Azure_Security_Benchmark_v2.0_BR-2" ] }, { "policyDefinitionReferenceId": "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMariadb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0", "parameters": { "effect": { "value": "[parameters('effect-0ec47710-77ff-4a3d-9181-6aa50af424d0')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-1", "Azure_Security_Benchmark_v2.0_BR-2" ] }, { "policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d", "parameters": { "effect": { "value": "[parameters('effect-013e242c-8828-4970-87b3-ab247555486d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-1", "Azure_Security_Benchmark_v2.0_BR-2" ] }, { "policyDefinitionReferenceId": "keyVaultsShouldHaveSoftDeleteEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", "parameters": { "effect": { "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-4" ] }, { "policyDefinitionReferenceId": "keyVaultsShouldHavePurgeProtectionEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", "parameters": { "effect": { "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]" } }, "groupNames": [ "Azure_Security_Benchmark_v2.0_BR-4" ] } ], "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v2.0_NS-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-1" }, { "name": "Azure_Security_Benchmark_v2.0_NS-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-2" }, { "name": "Azure_Security_Benchmark_v2.0_NS-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-3" }, { "name": "Azure_Security_Benchmark_v2.0_NS-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-4" }, { "name": "Azure_Security_Benchmark_v2.0_NS-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-5" }, { "name": "Azure_Security_Benchmark_v2.0_NS-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-6" }, { "name": "Azure_Security_Benchmark_v2.0_NS-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-7" }, { "name": "Azure_Security_Benchmark_v2.0_IM-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-1" }, { "name": "Azure_Security_Benchmark_v2.0_IM-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-2" }, { "name": "Azure_Security_Benchmark_v2.0_IM-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-3" }, { "name": "Azure_Security_Benchmark_v2.0_IM-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-4" }, { "name": "Azure_Security_Benchmark_v2.0_IM-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-5" }, { "name": "Azure_Security_Benchmark_v2.0_IM-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-6" }, { "name": "Azure_Security_Benchmark_v2.0_IM-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-7" }, { "name": "Azure_Security_Benchmark_v2.0_IM-8", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-8" }, { "name": "Azure_Security_Benchmark_v2.0_PA-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-1" }, { "name": "Azure_Security_Benchmark_v2.0_PA-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-2" }, { "name": "Azure_Security_Benchmark_v2.0_PA-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-3" }, { "name": "Azure_Security_Benchmark_v2.0_PA-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-4" }, { "name": "Azure_Security_Benchmark_v2.0_PA-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-5" }, { "name": "Azure_Security_Benchmark_v2.0_PA-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-6" }, { "name": "Azure_Security_Benchmark_v2.0_PA-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-7" }, { "name": "Azure_Security_Benchmark_v2.0_PA-8", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-8" }, { "name": "Azure_Security_Benchmark_v2.0_DP-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-1" }, { "name": "Azure_Security_Benchmark_v2.0_DP-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-2" }, { "name": "Azure_Security_Benchmark_v2.0_DP-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-3" }, { "name": "Azure_Security_Benchmark_v2.0_DP-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-4" }, { "name": "Azure_Security_Benchmark_v2.0_DP-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-5" }, { "name": "Azure_Security_Benchmark_v2.0_AM-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-1" }, { "name": "Azure_Security_Benchmark_v2.0_AM-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-2" }, { "name": "Azure_Security_Benchmark_v2.0_AM-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-3" }, { "name": "Azure_Security_Benchmark_v2.0_AM-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-4" }, { "name": "Azure_Security_Benchmark_v2.0_AM-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-5" }, { "name": "Azure_Security_Benchmark_v2.0_AM-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-6" }, { "name": "Azure_Security_Benchmark_v2.0_LT-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-1" }, { "name": "Azure_Security_Benchmark_v2.0_LT-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-2" }, { "name": "Azure_Security_Benchmark_v2.0_LT-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-3" }, { "name": "Azure_Security_Benchmark_v2.0_LT-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-4" }, { "name": "Azure_Security_Benchmark_v2.0_LT-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-5" }, { "name": "Azure_Security_Benchmark_v2.0_LT-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-6" }, { "name": "Azure_Security_Benchmark_v2.0_LT-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-7" }, { "name": "Azure_Security_Benchmark_v2.0_IR-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-1" }, { "name": "Azure_Security_Benchmark_v2.0_IR-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-2" }, { "name": "Azure_Security_Benchmark_v2.0_IR-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-3" }, { "name": "Azure_Security_Benchmark_v2.0_IR-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-4" }, { "name": "Azure_Security_Benchmark_v2.0_IR-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-5" }, { "name": "Azure_Security_Benchmark_v2.0_IR-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-6" }, { "name": "Azure_Security_Benchmark_v2.0_PV-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-1" }, { "name": "Azure_Security_Benchmark_v2.0_PV-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-2" }, { "name": "Azure_Security_Benchmark_v2.0_PV-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-3" }, { "name": "Azure_Security_Benchmark_v2.0_PV-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-4" }, { "name": "Azure_Security_Benchmark_v2.0_PV-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-5" }, { "name": "Azure_Security_Benchmark_v2.0_PV-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-6" }, { "name": "Azure_Security_Benchmark_v2.0_PV-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-7" }, { "name": "Azure_Security_Benchmark_v2.0_PV-8", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-8" }, { "name": "Azure_Security_Benchmark_v2.0_ES-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-1" }, { "name": "Azure_Security_Benchmark_v2.0_ES-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-2" }, { "name": "Azure_Security_Benchmark_v2.0_ES-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-3" }, { "name": "Azure_Security_Benchmark_v2.0_BR-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-1" }, { "name": "Azure_Security_Benchmark_v2.0_BR-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-2" }, { "name": "Azure_Security_Benchmark_v2.0_BR-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-3" }, { "name": "Azure_Security_Benchmark_v2.0_BR-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-4" }, { "name": "Azure_Security_Benchmark_v2.0_GS-1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-1" }, { "name": "Azure_Security_Benchmark_v2.0_GS-2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-2" }, { "name": "Azure_Security_Benchmark_v2.0_GS-3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-3" }, { "name": "Azure_Security_Benchmark_v2.0_GS-4", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-4" }, { "name": "Azure_Security_Benchmark_v2.0_GS-5", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-5" }, { "name": "Azure_Security_Benchmark_v2.0_GS-6", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-6" }, { "name": "Azure_Security_Benchmark_v2.0_GS-7", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-7" }, { "name": "Azure_Security_Benchmark_v2.0_GS-8", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-8" } ] }