Header row reconstructed from the cell contents; the source page carries no column labels. Columns 3, 4, 7 and 12 (the Optional/Required flag, the Yes/No flag, an always-empty column, and the column holding NS-7) have no label on the source page and are left unlabelled. The compliance-framework columns are labelled by the ID format they contain (Azure Security Benchmark v2 control IDs, CIS Microsoft Azure Foundations Benchmark section numbers, ISO 27001 Annex A controls, NIST SP 800-171 and SP 800-53 control IDs, HITRUST CSF references).

| Service | Policy definition | | | ASB v2 | CIS Azure | | ISO 27001 | NIST SP 800-171 | NIST SP 800-53 | HITRUST | | Parameter(s) | Definition source | Policy definition ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| API Management | API Management service should use a SKU that supports virtual networks | Optional | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_AllowedVNETSkus_AuditDeny.json | 73ef9241-5d81-4cd4-b483-8443d1730fe5 |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json | 88999f4c-376a-45c8-bcb3-4058f713cf39 |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |
| App Service | Ensure that 'Java version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json | 496223c3-ad65-4ecd-878a-bae78737e9ed |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba |
| App Service | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Optional | Yes | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json | 7261b898-8a84-4db8-9e04-18527132abb3 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the API app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json | 74c3584d-afae-46f7-a20a-6f8adba71a16 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Function app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json | 7238174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | Ensure that 'Python version' is the latest, if used as a part of the Web app | Optional | Yes | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json | 7008174a-fd10-4ef0-817e-fc820a951d73 |
| App Service | Resource logs in App Services should be enabled | Optional | Yes | | | | | | | | | requiredRetentionDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json | 91a78b24-f231-4a8a-8da9-02c35b2b6510 |
| Batch | Resource logs in Batch accounts should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1205.09aa2System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json | 428256e6-1fac-4f48-a757-df34c2b3336d |
| Data Box | Azure Data Box jobs should enable double encryption for data at rest on the device | Optional | No | | | | | | | | | supportedSKUs | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json | c349d81b-9985-44ae-a8da-ff98d108ede8 |
| Data Box | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Optional | No | | | | | | | | | supportedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_CMK_Audit.json | 86efb160-8de7-451d-bc08-5d475b0aadae |
| Data Factory | Azure Data Factory integration runtime should have a limit for number of cores | Optional | No | | | | | | | | | maxCores | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/IR_Core_Count_Exceeds_Audit.json | 85bb39b5-2f66-49f8-9306-77da3ac5130f |
| Data Lake | Resource logs in Azure Data Lake Store should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1202.09aa1System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json | 057ef27e-665e-4328-8ea3-04b3122bd9fb |
| Data Lake | Resource logs in Data Lake Analytics should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1210.09aa3System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json | c95c74d9-38fe-4f0d-af86-0c7d626a315c |
| Event Hub | Resource logs in Event Hub should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json | 83a214f7-d01a-484b-91a9-ed54470c9a6a |
| Internet of Things | Resource logs in IoT Hub should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1204.09aa1System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 |
| Key Vault | Certificates should be issued by the specified integrated certificate authority | Optional | No | | | | | | | | | allowedCAs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_SupportedCAs.json | 8e826246-c976-48f6-b03e-619bb92b3d82 |
| Key Vault | Certificates should have the specified maximum validity period | Optional | No | | | | | | | | | maximumValidityInMonths | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json | 0a075868-4c26-42ef-914c-5bc007359560 |
| Key Vault | Certificates should use allowed key types | Optional | No | | | | | | | | | allowedKeyTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_AllowedKeyTypes.json | 1151cede-290b-4ba0-8b38-0ad145ac888f |
| Key Vault | Certificates using elliptic curve cryptography should have allowed curve names | Optional | No | | | | | | | | | allowedECNames | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_EC_AllowedCurveNames.json | bd78111f-4953-4367-9fd5-7e08808b54bf |
| Key Vault | Keys should be the specified cryptographic type RSA or EC | Optional | No | | | | | | | | | allowedKeyTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json | 75c4f823-d65c-4f29-a733-01d0077fdbcb |
| Key Vault | Keys using elliptic curve cryptography should have the specified curve names | Optional | No | | | | | | | | | allowedECNames | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json | ff25f3c8-b739-4538-9d07-3d6d25cfb255 |
| Key Vault | Resource logs in Azure Key Vault Managed HSM should be enabled | Optional | Yes | | | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json | a2a5b911-5617-447e-a49e-59dbe0e0434b |
| Key Vault | Resource logs in Key Vault should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json | cf820ca0-f99e-4f3e-84fb-66e913812d21 |
| Logic Apps | Resource logs in Logic Apps should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1203.09aa1System.2 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json | 34f95f76-5386-4de7-b824-0d8478470c9d |
| Network | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Optional | No | | | | | | | | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json | 12430be1-6cc8-4527-a9a8-e3d38f250096 |
| Network | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Optional | No | | | | | | | | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json | 425bea59-a659-4cbb-8d31-34499bd030b8 |
| SQL | Auditing on SQL server should be enabled | Optional | Yes | LT-4 | 4.1.1 | | A.12.4.4 | 3.3.4 | AU-12 | 1211.09aa3System.4 - 09.aa | | setting | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 |
| Search | Resource logs in Search services should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json | b4330a05-a843-4bc8-bf9a-cacce50c67f4 |
| Service Bus | Resource logs in Service Bus should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 |
| Stream Analytics | Resource logs in Azure Stream Analytics should be enabled | Optional | Yes | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json | f9be5368-9bf5-4b84-9e0a-7850da98bb46 |
| Synapse | Auditing on Synapse workspace should be enabled | Optional | Yes | | | | | | | | | setting | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceSqlAuditing_Audit.json | e04e5000-cd89-451d-bb21-a14d24ff9c73 |
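Every definition in the table takes at least one parameter, so assigning one means supplying a value for each listed parameter name against the definition ID in the last column. The script below is an added example, not code from the page or from the Azure/azure-policy repository: it turns a subset of the rows above into `Microsoft.Authorization/policyAssignments` bodies (the `policyDefinitionId` plus `parameters.<name>.value` shape is the assignment resource format) and rejects an assignment whose parameter names do not match the table, so a misspelled parameter fails before deployment instead of silently falling back to a default. The subscription scope, assignment names and parameter values (365 days, Java 11, Python 3.9) are assumptions chosen for illustration, not recommendations.

```python
"""Build policy assignment bodies for parameterised Azure built-ins.

Added example; not from the page or the Azure/azure-policy repository.
Scope, assignment names and parameter values are illustrative assumptions.
"""
import json

DEFINITION_PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"

# Definition ID -> (display name, parameter names), copied from rows of the
# table above. The subset is arbitrary; any other row can be added the same way.
BUILTINS = {
    "428256e6-1fac-4f48-a757-df34c2b3336d": (
        "Resource logs in Batch accounts should be enabled", ["requiredRetentionDays"]),
    "cf820ca0-f99e-4f3e-84fb-66e913812d21": (
        "Resource logs in Key Vault should be enabled", ["requiredRetentionDays"]),
    "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": (
        "Auditing on SQL server should be enabled", ["setting"]),
    "73ef9241-5d81-4cd4-b483-8443d1730fe5": (
        "API Management service should use a SKU that supports virtual networks",
        ["listOfAllowedSKUs"]),
    "496223c3-ad65-4ecd-878a-bae78737e9ed": (
        "Ensure that 'Java version' is the latest, if used as a part of the Web app",
        ["JavaLatestVersion"]),
    "74c3584d-afae-46f7-a20a-6f8adba71a16": (
        "Ensure that 'Python version' is the latest, if used as a part of the API app",
        ["WindowsPythonLatestVersion", "LinuxPythonLatestVersion"]),
}


def build_assignment(definition_id, name, values, scope):
    """Return one policyAssignments body.

    Every parameter the table lists for the definition must be supplied and no
    other key is accepted, so a typo in a parameter name is caught here.
    """
    try:
        display_name, expected = BUILTINS[definition_id]
    except KeyError:
        raise KeyError(f"definition {definition_id} is not in the table subset") from None
    missing = sorted(set(expected) - set(values))
    extra = sorted(set(values) - set(expected))
    if missing or extra:
        raise ValueError(f"{display_name}: missing={missing} unexpected={extra}")
    return {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyDefinitionId": DEFINITION_PREFIX + definition_id,
            "scope": scope,
            "parameters": {k: {"value": v} for k, v in values.items()},
        },
    }


def definitions_using(parameter):
    """IDs of all listed definitions taking the given parameter, so one value
    (for example a single retention period) can be applied to all of them."""
    return sorted(d for d, (_, params) in BUILTINS.items() if parameter in params)


def example_assignments(scope="/subscriptions/00000000-0000-0000-0000-000000000000"):
    """Assignments for the constructed scope above; values are illustrative."""
    bodies = []
    for definition_id in definitions_using("requiredRetentionDays"):
        # Retention is passed as a string here (assumed parameter type); check
        # the definition's declared parameter type before assigning for real.
        bodies.append(build_assignment(definition_id, f"logs-{definition_id[:8]}",
                                       {"requiredRetentionDays": "365"}, scope))
    bodies.append(build_assignment("496223c3-ad65-4ecd-878a-bae78737e9ed", "java-latest",
                                   {"JavaLatestVersion": "11"}, scope))
    bodies.append(build_assignment("74c3584d-afae-46f7-a20a-6f8adba71a16", "python-latest",
                                   {"WindowsPythonLatestVersion": "3.9",
                                    "LinuxPythonLatestVersion": "3.9"}, scope))
    return bodies


if __name__ == "__main__":
    print(json.dumps(example_assignments(), indent=2))
```

The `properties.parameters` object of each body is what `az policy assignment create --params` expects. Note the caveat the "latest version" rows imply: because `JavaLatestVersion`, `PHPLatestVersion` and the two Python parameters are supplied by the assignment, the policy only audits against the version you pinned; when a newer runtime ships, the assignment must be updated or the compliance report will keep reporting an outdated runtime as "latest".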