Parameters Optional

| Service | Policy Definition | Parameter Requirements | Audit Only | Azure Security Benchmark | CIS | CMMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| API Management | API Management service should use a SKU that supports virtual networks | Optional | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_AllowedVNETSkus_AuditDeny.json | 73ef9241-5d81-4cd4-b483-8443d1730fe5 |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json | 88999f4c-376a-45c8-bcb3-4058f713cf39 |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json | 496223c3-ad65-4ecd-878a-bae78737e9ed |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json | 7261b898-8a84-4db8-9e04-18527132abb3 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json | 74c3584d-afae-46f7-a20a-6f8adba71a16 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json | 7238174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json | 7008174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | Resource logs in App Services should be enabled | Optional | Yes | | | | | | | | | requiredRetentionDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json | 91a78b24-f231-4a8a-8da9-02c35b2b6510 |
| Batch | Resource logs in Batch accounts should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1205.09aa2System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json | 428256e6-1fac-4f48-a757-df34c2b3336d |
| Data Box | Azure Data Box jobs should enable double encryption for data at rest on the device | Optional | No | | | | | | | | | supportedSKUs | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json | c349d81b-9985-44ae-a8da-ff98d108ede8 |
| Data Box | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Optional | No | | | | | | | | | supportedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_CMK_Audit.json | 86efb160-8de7-451d-bc08-5d475b0aadae |
| Data Factory | Azure Data Factory integration runtime should have a limit for number of cores | Optional | No | | | | | | | | | maxCores | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/IR_Core_Count_Exceeds_Audit.json | 85bb39b5-2f66-49f8-9306-77da3ac5130f |
| Data Lake | Resource logs in Azure Data Lake Store should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1202.09aa1System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json | 057ef27e-665e-4328-8ea3-04b3122bd9fb |
| Data Lake | Resource logs in Data Lake Analytics should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1210.09aa3System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json | c95c74d9-38fe-4f0d-af86-0c7d626a315c |
| Event Hub | Resource logs in Event Hub should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json | 83a214f7-d01a-484b-91a9-ed54470c9a6a |
| Internet of Things | Resource logs in IoT Hub should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1204.09aa1System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 |
| Key Vault | Certificates should be issued by the specified integrated certificate authority | Optional | No | | | | | | | | | allowedCAs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_SupportedCAs.json | 8e826246-c976-48f6-b03e-619bb92b3d82 |
| Key Vault | Certificates should have the specified maximum validity period | Optional | No | | | | | | | | | maximumValidityInMonths | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json | 0a075868-4c26-42ef-914c-5bc007359560 |
| Key Vault | Certificates should use allowed key types | Optional | No | | | | | | | | | allowedKeyTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_AllowedKeyTypes.json | 1151cede-290b-4ba0-8b38-0ad145ac888f |
| Key Vault | Certificates using elliptic curve cryptography should have allowed curve names | Optional | No | | | | | | | | | allowedECNames | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_EC_AllowedCurveNames.json | bd78111f-4953-4367-9fd5-7e08808b54bf |
| Key Vault | Keys should be the specified cryptographic type RSA or EC | Optional | No | | | | | | | | | allowedKeyTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json | 75c4f823-d65c-4f29-a733-01d0077fdbcb |
| Key Vault | Keys using elliptic curve cryptography should have the specified curve names | Optional | No | | | | | | | | | allowedECNames | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json | ff25f3c8-b739-4538-9d07-3d6d25cfb255 |
| Key Vault | Resource logs in Azure Key Vault Managed HSM should be enabled | Optional | Yes | | | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json | a2a5b911-5617-447e-a49e-59dbe0e0434b |
| Key Vault | Resource logs in Key Vault should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json | cf820ca0-f99e-4f3e-84fb-66e913812d21 |
| Logic Apps | Resource logs in Logic Apps should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1203.09aa1System.2 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json | 34f95f76-5386-4de7-b824-0d8478470c9d |
| Network | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Optional | No | NS-7 | | | | | | | | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json | 12430be1-6cc8-4527-a9a8-e3d38f250096 |
| Network | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Optional | No | NS-7 | | | | | | | | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json | 425bea59-a659-4cbb-8d31-34499bd030b8 |
| SQL | Auditing on SQL server should be enabled | Optional | Yes | LT-4 | 4.1.1 | | A.12.4.4 | 3.3.4 | AU-12 | 1211.09aa3System.4 - 09.aa | | setting | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
| Search | Resource logs in Search services should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json | b4330a05-a843-4bc8-bf9a-cacce50c67f4 |
| Service Bus | Resource logs in Service Bus should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 |
| Stream Analytics | Resource logs in Azure Stream Analytics should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json | f9be5368-9bf5-4b84-9e0a-7850da98bb46 |
| Synapse | Auditing on Synapse workspace should be enabled | Optional | Yes | | | | | | | | | setting | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceSqlAuditing_Audit.json | e04e5000-cd89-451d-bb21-a14d24ff9c73 |
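Every entry in the table is assigned with the parameter named in its Parameters column, and "Optional" means the definition carries a defaultValue, so an assignment that omits the parameter still succeeds with the default. The following is an added example (not code from the Azure Policy repository or from this page) that builds the `{"name": {"value": ...}}` object `az policy assignment create --params` accepts and validates it against the definition's parameter schema before anything is sent to Azure Resource Manager. The two parameter schemas embedded below are constructed to match the shape of the linked definition JSON (`type`, `allowedValues`, `defaultValue`); the default of "365" days and the Prevention/Detection mode list are assumptions to be checked against the real definition files, and the assignment name and subscription scope are hypothetical.

```python
"""Build and validate the parameters object for an Azure Policy assignment.

Added example, not code from the Azure Policy repository. The parameter
schemas in POLICY_PARAMETERS are CONSTRUCTED to mirror the "parameters"
section of a built-in definition JSON; verify them against the linked
definition before use.
"""
import json
from typing import Any, Dict

# Constructed parameter sections for two policies from the table above.
POLICY_PARAMETERS: Dict[str, Dict[str, Dict[str, Any]]] = {
    # Resource logs in Key Vault should be enabled
    "cf820ca0-f99e-4f3e-84fb-66e913812d21": {
        "requiredRetentionDays": {"type": "String", "defaultValue": "365"},
    },
    # Web Application Firewall (WAF) should use the specified mode for Application Gateway
    "12430be1-6cc8-4527-a9a8-e3d38f250096": {
        "modeRequirement": {
            "type": "String",
            "allowedValues": ["Prevention", "Detection"],
            "defaultValue": "Detection",
        },
    },
}

# Azure Policy parameter types mapped to the Python types a value must have.
_TYPE_MAP = {"String": str, "Integer": int, "Boolean": bool, "Array": list, "Object": dict}


def build_assignment_parameters(definition_id: str, values: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Return the {"name": {"value": ...}} object expected by `az policy assignment create --params`.

    Unknown names, wrong types and values outside allowedValues are rejected
    here instead of by Resource Manager. Omitted parameters take the
    definition's defaultValue, which is what makes them 'Optional'.
    """
    schema = POLICY_PARAMETERS[definition_id]
    unknown = set(values) - set(schema)
    if unknown:
        raise ValueError(f"unknown parameter(s) for {definition_id}: {sorted(unknown)}")
    payload: Dict[str, Dict[str, Any]] = {}
    for name, spec in schema.items():
        if name in values:
            value = values[name]
            expected = _TYPE_MAP[spec["type"]]
            # bool is a subclass of int in Python; keep Integer and Boolean distinct.
            if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
                raise TypeError(f"{name}: expected {spec['type']}, got {type(value).__name__}")
            allowed = spec.get("allowedValues")
            if allowed is not None and value not in allowed:
                raise ValueError(f"{name}: {value!r} not in allowedValues {allowed}")
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"{name}: no defaultValue and not supplied")
        payload[name] = {"value": value}
    return payload


def az_cli_command(definition_id: str, assignment_name: str, scope: str, values: Dict[str, Any]) -> str:
    """Render the az CLI invocation for a validated payload (assignment name and scope are caller-supplied)."""
    params = json.dumps(build_assignment_parameters(definition_id, values), separators=(",", ":"))
    return (
        f"az policy assignment create --name {assignment_name} --scope {scope} "
        f"--policy {definition_id} --params '{params}'"
    )


if __name__ == "__main__":
    # Hypothetical scope; require 90 days of Key Vault resource-log retention.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    print(az_cli_command("cf820ca0-f99e-4f3e-84fb-66e913812d21", "kv-resource-logs", scope,
                         {"requiredRetentionDays": "90"}))
    # "Audit" is not a WAF mode; the bad value is caught before any API call.
    try:
        build_assignment_parameters("12430be1-6cc8-4527-a9a8-e3d38f250096", {"modeRequirement": "Audit"})
    except ValueError as err:
        print("rejected:", err)
```

Note that `requiredRetentionDays` is a String in the definition, so `"90"` is accepted and the integer `90` is not; Resource Manager would reject the latter with a type error at assignment time, and the check above surfaces it locally.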