| Policy DisplayName |
Policy Id |
Category |
Version |
Versioning |
Effect |
Roles# |
Roles |
State |
policy in AzUSGov |
| [Preview]: Secure Boot should be enabled on supported Windows virtual machines |
97566dd7-78ae-4997-8b36-1c7bfe0d8121 |
Security Center |
4.0.0-preview |
1x
4.0.0-preview |
Default
Audit
Allowed
Audit, Disabled |
0 |
|
Preview |
true |
| [Preview]: vTPM should be enabled on supported virtual machines |
1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 |
Security Center |
2.0.0-preview |
1x
2.0.0-preview |
Default
Audit
Allowed
Audit, Disabled |
0 |
|
Preview |
true |
| An activity log alert should exist for specific Administrative operations |
b954148f-4c11-4c38-8221-be76711e194a |
Monitoring |
1.0.0 |
1x
1.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| An activity log alert should exist for specific Policy operations |
c5447c04-a4d7-4ba8-a263-c9ee321a6858 |
Monitoring |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| App Service apps should only be accessible over HTTPS |
a4af4a39-4135-47fb-b175-47fbdf85311d |
App Service |
4.0.0 |
1x
4.0.0 |
Default
Audit
Allowed
Audit, Disabled, Deny |
0 |
|
GA |
true |
| App Service apps should require FTPS only |
4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b |
App Service |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| App Service apps should use latest 'HTTP Version' |
8c122334-9d20-4eb8-89ea-ac9a705b74ae |
App Service |
4.0.0 |
1x
4.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| App Service apps should use managed identity |
2b9ad585-36bc-4615-b300-fd4435808332 |
App Service |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| App Service apps should use the latest TLS version |
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b |
App Service |
2.1.0 |
2x
2.1.0, 2.0.1 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Audit VMs that do not use managed disks |
06a78e20-9358-41c9-923c-fb736d382a4d |
Compute |
1.0.0 |
1x
1.0.0 |
Fixed
audit |
0 |
|
GA |
true |
| Auditing on SQL server should be enabled |
a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
SQL |
2.0.0 |
1x
2.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Email notification for high severity alerts should be enabled |
6e2593d9-add6-4083-9c9b-4b7d2188c899 |
Security Center |
1.2.0 |
3x
1.2.0, 1.1.0, 1.0.1 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Enforce SSL connection should be enabled for MySQL database servers |
e802a67a-daf5-4436-9ea6-f6d821dd0c5d |
SQL |
1.0.1 |
1x
1.0.1 |
Default
Audit
Allowed
Audit, Disabled |
0 |
|
GA |
true |
| Enforce SSL connection should be enabled for PostgreSQL database servers |
d158790f-bfb0-486c-8631-2dc6b4e8e6af |
SQL |
1.0.1 |
1x
1.0.1 |
Default
Audit
Allowed
Audit, Disabled |
0 |
|
GA |
true |
| Function apps should require FTPS only |
399b2637-a50f-4f95-96f8-3a145476eb15 |
App Service |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Function apps should use latest 'HTTP Version' |
e2c1c086-2d84-4019-bff3-c44ccd95113c |
App Service |
4.0.0 |
1x
4.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Function apps should use the latest TLS version |
f9d614c5-c173-4d56-95a7-b4437057d193 |
App Service |
2.1.0 |
2x
2.1.0, 2.0.1 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Generate internal security alerts |
171e377b-5224-4a97-1eaa-62a3b5231dac |
Regulatory Compliance |
1.1.0 |
1x
1.1.0 |
Default
Manual
Allowed
Manual, Disabled |
0 |
|
GA |
true |
| Key Vault keys should have an expiration date |
152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 |
Key Vault |
1.0.2 |
1x
1.0.2 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Key Vault secrets should have an expiration date |
98728c90-32c7-4049-8429-847dc0f4fe37 |
Key Vault |
1.0.2 |
1x
1.0.2 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Machines should be configured to periodically check for missing system updates |
bd876905-5b84-4f73-ab2d-2e7a7c4568d9 |
Azure Update Manager |
3.7.0 |
4x
3.7.0, 3.6.0, 3.5.0, 3.4.1 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Management ports should be closed on your virtual machines |
22730e10-96f6-4aac-ad84-9383d35b5917 |
Security Center |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Public network access on Azure SQL Database should be disabled |
1b8ca024-1d5c-4dec-8995-b1a932b41780 |
SQL |
1.1.0 |
1x
1.1.0 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Public network access should be disabled for PostgreSQL flexible servers |
5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 |
SQL |
3.1.0 |
2x
3.1.0, 3.0.1 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
unknown |
| Public network access should be disabled for PostgreSQL servers |
b52376f7-9612-48a1-81cd-1ffe4b61032c |
SQL |
2.0.1 |
1x
2.0.1 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Secure transfer to storage accounts should be enabled |
404c3081-a854-4457-ae30-26a93ef643f9 |
Storage |
2.0.0 |
1x
2.0.0 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
89099bee-89e0-4b26-a5f4-165451757743 |
SQL |
3.0.0 |
1x
3.0.0 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Storage account public access should be disallowed |
4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 |
Storage |
3.1.1 |
2x
3.1.1, 3.1.0-preview |
Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled |
0 |
|
GA |
unknown |
| Storage accounts should have the specified minimum TLS version |
fe83a0eb-a853-422d-aac2-1bffd182c5d0 |
Storage |
1.0.0 |
1x
1.0.0 |
Default
Audit
Allowed
Audit, Deny, Disabled |
0 |
|
GA |
true |
| Subscriptions should have a contact email address for security issues |
4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 |
Security Center |
1.0.1 |
1x
1.0.1 |
Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled |
0 |
|
GA |
true |
| Use automated mechanisms for security alerts |
b8689b2e-4308-a58b-a0b4-6f3343a000df |
Regulatory Compliance |
1.1.0 |
1x
1.1.0 |
Default
Manual
Allowed
Manual, Disabled |
0 |
|
GA |
unknown |