| Category | Policy definition | Parameters | Yes/No (unlabelled) | ASB control | CIS rec. | Mapping 3 (blank) | ISO 27001 | NIST SP 800-171 | NIST SP 800-53 | HITRUST | Mapping 8 | Parameter names | Definition (GitHub) | Definition ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Backup | Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Required | No | | | | | | | | | enableDoubleEncryption | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json | 2e94d99a-8a36-4563-bc77-810d8893b671 |
| Batch | Metric alert rules should be configured on Batch accounts | Required | Yes | | | | | | | | | metricName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_AuditMetricAlerts_Audit.json | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 |
| Compute | Allowed virtual machine size SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/VMSkusAllowed_Deny.json | cccc23c7-8427-4f53-ad12-b6a63eb452b3 |
| Compute | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Required | No | | | | | | | | | allowedEncryptionSets | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/ManagedDiskEncryptionSetsAllowed_Deny.json | d461a302-a187-421a-89ac-84acdb4edc04 |
| Compute | Only approved VM extensions should be installed | Required | No | | 7.4 | | | | | | | approvedExtensions | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json | c0e996f8-39cf-4af9-9f45-83fbde810432 |
| Compute | Resource logs in Virtual Machine Scale Sets should be enabled | Required | Yes | LT-4 | 5.3 | | | | | 1206.09aa2System.23 - 09.aa | | includeAKSClusters | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json | 7c1b1214-f927-48bf-8882-84f0af6588b1 |
| Cosmos DB | Azure Cosmos DB allowed locations | Required | Yes | | | | | | | | | listOfAllowedLocations, policyEffect | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_Locations_Deny.json | 0473574d-2d43-4217-aefe-941fcdf7e684 |
| Cosmos DB | Azure Cosmos DB throughput should be limited | Required | No | | | | | | | | | throughputMax | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_MaxThroughput_Deny.json | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf |
| Data Factory | Azure Data Factory linked service resource type should be in allow list | Required | No | | | | | | | | | allowedLinkedServiceResourceTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/LinkedService_ResourceType_Audit.json | 6809a3d0-d354-42fb-b955-783d207c62a8 |
| General | Allowed locations for resource groups | Required | No | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json | e765b5de-1225-4ba3-bd56-1ac6695af988 |
| General | Allowed locations | Required | No | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json | e56962a6-4747-49cd-b67b-bf8b01975c4c |
| General | Allowed resource types | Required | No | | | | | | | | | listOfResourceTypesAllowed | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/AllowedResourceTypes_Deny.json | a08ec900-254a-4555-9bf5-e42af04b5c5c |
| General | Not allowed resource types | Required | No | | | | | | | | | listOfResourceTypesNotAllowed | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/InvalidResourceTypes_Deny.json | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
| Key Vault | Certificates should be issued by the specified non-integrated certificate authority | Required | No | | | | | | | | | caCommonName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_CustomCAs.json | a22f4a40-01d3-4c7d-8071-da157eeff341 |
| Key Vault | Certificates should have the specified lifetime action triggers | Required | No | | | | | | | | | maximumPercentageLife, minimumDaysBeforeExpiry | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_LifetimeAction.json | 12ef42cb-9903-4e39-9c26-422d29570417 |
| Key Vault | Certificates should not expire within the specified number of days | Required | No | | | | | | | | | daysToExpire | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Expiry_ByDays.json | f772fb64-8e40-40ad-87bc-7706e1949427 |
| Key Vault | Certificates using RSA cryptography should have the specified minimum key size | Required | No | | | | | | | | | minimumRSAKeySize | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json | cee51871-e572-4576-855c-047c820360f0 |
| Key Vault | Keys should have more than the specified number of days before expiration | Required | No | | | | | | | | | minimumDaysBeforeExpiration | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_Expiry_ByDays.json | 5ff38825-c5d8-47c5-b70e-069a21955146 |
| Key Vault | Keys should have the specified maximum validity period | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ValidityPeriod.json | 49a22571-d204-4c91-a7b6-09b1a586fbc9 |
| Key Vault | Keys should not be active for longer than the specified number of days | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ActivePeriod.json | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 |
| Key Vault | Keys using RSA cryptography should have a specified minimum key size | Required | No | | | | | | | | | minimumRSAKeySize | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json | 82067dbb-e53b-4e06-b631-546d197452d9 |
| Key Vault | Secrets should have more than the specified number of days before expiration | Required | No | | | | | | | | | minimumDaysBeforeExpiration | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_Expiry_ByDays.json | b0eb591a-5e70-4534-a8bf-04b9c489584a |
| Key Vault | Secrets should have the specified maximum validity period | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ValidityPeriod.json | 342e8053-e12e-4c44-be01-c3c2f318400f |
| Key Vault | Secrets should not be active for longer than the specified number of days | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ActivePeriod.json | e8d99835-8a06-45ae-a8e0-87a91941ccfe |
| Kubernetes | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json | e345eecc-fa47-480f-9e88-67dcc122b164 |
| Kubernetes | Kubernetes cluster containers should not share host process ID or host IPC namespace | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 |
| Kubernetes | Kubernetes cluster containers should not use forbidden sysctl interfaces | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, forbiddenSysctls | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json | 56d0a13f-712f-466b-8416-56fb354fb823 |
| Kubernetes | Kubernetes cluster containers should only listen on allowed ports | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPorts.json | 440b515e-a580-421e-abeb-b159a61ddcbc |
| Kubernetes | Kubernetes cluster containers should only use allowed AppArmor profiles | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json | 511f5417-5d12-434d-ab2e-816901e72a5e |
| Kubernetes | Kubernetes cluster containers should only use allowed ProcMountType | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, procMountType | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 |
| Kubernetes | Kubernetes cluster containers should only use allowed capabilities | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json | c26596ff-4d70-4e6a-9a30-c2506bd2f80c |
| Kubernetes | Kubernetes cluster containers should only use allowed images | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json | febd0533-8e55-448f-b837-bd0e06f16469 |
| Kubernetes | Kubernetes cluster containers should only use allowed seccomp profiles | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json | 975ce327-682c-4f2e-aa46-b9598289b86c |
| Kubernetes | Kubernetes cluster containers should run with a read only root file system | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json | df49d893-a74c-421d-bc95-c663042e5b80 |
| Kubernetes | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 |
| Kubernetes | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedHostPaths | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json | 098fc59e-46c7-4d99-9b16-64990e543d75 |
| Kubernetes | Kubernetes cluster pods and containers should only run with approved user and group IDs | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json | f06ddb64-5fa3-4b77-b166-acb36f7f6042 |
| Kubernetes | Kubernetes cluster pods and containers should only use allowed SELinux options | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json | e1e6c427-07d9-46ab-9689-bfa85431e636 |
| Kubernetes | Kubernetes cluster pods should only use allowed volume types | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json | 16697877-1118-4fb1-9b65-9898ec2509ec |
| Kubernetes | Kubernetes cluster pods should only use approved host network and port range | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe |
| Kubernetes | Kubernetes cluster pods should use specified labels | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, labelsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 |
| Kubernetes | Kubernetes cluster services should listen only on allowed ports | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedServicePortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json | 233a2a17-77ca-4fb1-9b6b-69223d272a44 |
| Kubernetes | Kubernetes cluster services should only use allowed external IPs | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedExternalIPs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json | d46c275d-1680-448d-b2ec-e495a3b6cc89 |
| Kubernetes | Kubernetes cluster should not allow privileged containers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, excludedContainers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json | 95edb821-ddaf-4404-9732-666045e056b4 |
| Kubernetes | Kubernetes clusters should be accessible only over HTTPS | Required | No | DP-4 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
| Kubernetes | Kubernetes clusters should disable automounting API credentials | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json | 423dd1ba-798e-40e4-9c4d-b6902674b423 |
| Kubernetes | Kubernetes clusters should not allow container privilege escalation | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 |
| Kubernetes | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json | d2e7ea85-6b44-4317-a0be-1b951587f626 |
| Kubernetes | Kubernetes clusters should not use specific security capabilities | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, disallowedCapabilities | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json | a27c700f-8a22-44ec-961c-41625264370b |
| Kubernetes | Kubernetes clusters should not use the default namespace | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json | 9f061a12-e40d-4183-a00e-171812443373 |
| Kubernetes | Kubernetes clusters should use internal load balancers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e |
| Lighthouse | Allow managing tenant ids to onboard through Azure Lighthouse | Required | No | | | | | | | | | listOfAllowedTenants | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Lighthouse/AllowCertainManagingTenantIds_Deny.json | 7a8a51a3-ad87-4def-96f3-65a1839242b6 |
| Machine Learning | Configure allowed Python packages for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedPythonPackageChannels | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedPythonPackageChannels_EnforceSetting.json | 77eeea86-7e81-4a7d-9067-de844d096752 |
| Machine Learning | Configure allowed module authors for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedModuleAuthors | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedModuleAuthors_EnforceSetting.json | 53c70b02-63dd-11ea-bc55-0242ac130003 |
| Machine Learning | Configure allowed registries for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedACRs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedACRs_EnforceSetting.json | 5853517a-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, approvalEndpoint | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/ApprovalEndpoint_EnforceSetting.json | 3948394e-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure code signing for training code for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, signingKey | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedSigningKey_EnforceSetting.json | 6a6f7384-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, logFilters, datastore | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedLogFilter_EnforceSetting.json | 1d413020-63de-11ea-bc55-0242ac130003 |
| Media Services | Azure Media Services content key policies should use token authentication | Required | No | | | | | | | | | openIdConnectDiscoveryDocument, issuer, audience | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/ContentKeyPolicies_RequireTokenAuth_Audit.json | daccf7e4-9808-470c-a848-1c5b582a1afb |
| Media Services | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Required | No | | | | | | | | | allowedJobInputHttpUriPatterns | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/Jobs_RestrictHttpInputs.json | e9914afe-31cd-4b8a-92fa-c887f847d477 |
| Monitoring | An activity log alert should exist for specific Administrative operations | Required | Yes | | 5.2.9 | | | | | 1271.09ad1System.1 - 09.ad | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json | b954148f-4c11-4c38-8221-be76711e194a |
| Monitoring | An activity log alert should exist for specific Policy operations | Required | Yes | | 5.2.2 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json | c5447c04-a4d7-4ba8-a263-c9ee321a6858 |
| Monitoring | An activity log alert should exist for specific Security operations | Required | Yes | | 5.2.8 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json | 3b980d31-7904-4bb7-8575-5665739a8052 |
| Monitoring | Audit diagnostic setting | Required | Yes | | | | A.12.4.4 | 3.3.4 | AU-12 | 1210.09aa3System.3 - 09.aa | DM-6 | listOfResourceTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json | 7f89b1eb-583c-429a-8828-af049802c1d9 |
| Monitoring | Dependency agent should be enabled for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json | 11ac78e3-31bc-4f0c-8434-37ab963cea07 |
| Monitoring | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 |
| Monitoring | Log Analytics Agent should be enabled for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json | 32133ab0-ee4b-4b44-98d6-042180979d50 |
| Monitoring | Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 |
| Monitoring | Virtual machines should be connected to a specified workspace | Required | Yes | | | | | | | | | logAnalyticsWorkspaceId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json | f47b5582-33ec-4c5c-87c0-b010a6b2e917 |
| Network | A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | Required | Yes | | | | | | | | | IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_CustomIpSecPolicies_Audit.json | 50b83b09-03da-41c1-b656-c293c914862b |
| Network | Network Watcher should be enabled | Required | Yes | LT-3 | 6.5 | | | 3.14.6 | | 0888.09n2Organizational.6 - 09.n | | listOfLocations, resourceGroupName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 |
| Network | Virtual machines should be connected to an approved virtual network | Required | No | | | | | | | 0814.01n1Organizational.12 - 01.n | | virtualNetworkId | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json | d416745a-506c-48b6-8ab1-83cb814bcaa3 |
| Network | Virtual networks should use specified virtual network gateway | Required | Yes | | | | | | | | | virtualNetworkGatewayId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json | f1776c76-f58c-4245-a8d0-2b207198dc8b |
| SQL | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Required | Yes | | | | | | | | | subnetId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServer_VNetRules_Audit.json | 77e8b146-0078-4fb2-b002-e112381199f0 |
| Storage | Storage accounts should be limited by allowed SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/AllowedStorageSkus_Audit.json | 7433c107-6db4-4ad1-b57a-a76dce0154a1 |
| Synapse | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Required | No | | | | | | | | | allowedTenantIds | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/Workspace_DataExfiltrationPrevention_Deny.json | 3a003702-13d2-4679-941b-937e58c443f0 |
| Tags | Require a tag and its value on resource groups | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTagAndValue_Deny.json | 8ce3da23-7156-49e4-b145-24f95f9dcb46 |
| Tags | Require a tag and its value on resources | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTagAndValue_Deny.json | 1e30110a-5ceb-460c-a204-c1c3969c6d62 |
| Tags | Require a tag on resource groups | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTag_Deny.json | 96670d01-0a4d-4649-9c89-2d3abc0a5025 |
| Tags | Require a tag on resources | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTag_Deny.json | 871b6d14-10aa-478d-b590-94f262ecfa99 |