diff --git a/.gitignore b/.gitignore index 294d030..f16217f 100644 --- a/.gitignore +++ b/.gitignore @@ -79,4 +79,5 @@ research.py params*.csv params*.md no-params*.md -no-params*.csv \ No newline at end of file +no-params*.csv +all_policies.csv \ No newline at end of file diff --git a/Makefile b/Makefile index ce8670c..6f0b38e 100644 --- a/Makefile +++ b/Makefile @@ -95,8 +95,8 @@ terraform-demo: install update-policy-table: install azure-guardrails --help azure-guardrails generate-terraform --service all --subscription example --no-params - azure-guardrails generate-terraform --service all --subscription example --params-optional - azure-guardrails generate-terraform --service all --subscription example --params-required + azure-guardrails generate-terraform --service all --exclude-services "Guest Configuration" --subscription example --params-optional + azure-guardrails generate-terraform --service all --exclude-services "Guest Configuration" --subscription example --params-required cp no-params-all-table.csv docs/no-params.csv cp no-params-all-table.md docs/no-params.md cp params-optional-all-table.csv docs/params-optional.csv diff --git a/azure_guardrails/command/generate_terraform.py b/azure_guardrails/command/generate_terraform.py index 36375b6..a99fc1c 100644 --- a/azure_guardrails/command/generate_terraform.py +++ b/azure_guardrails/command/generate_terraform.py @@ -8,7 +8,6 @@ from azure_guardrails import set_log_level from azure_guardrails.terraform.terraform import TerraformTemplateNoParams, TerraformTemplateWithParamsV2 from azure_guardrails.shared import utils, validate -from azure_guardrails.scrapers.compliance_data import ComplianceCoverage from azure_guardrails.shared.config import get_default_config, get_config_from_file from azure_guardrails.guardrails.services import Services @@ -160,7 +159,6 @@ def generate_terraform( if no_params: display_names = services.get_display_names_sorted_by_service_no_params() - display_names_list = services.display_names_no_params terraform_template = TerraformTemplateNoParams( policy_names=display_names, subscription_name=subscription, @@ -172,11 +170,6 @@ def generate_terraform( params_required=params_required ) - if params_required: - display_names_list = services.display_names_params_required - else: - display_names_list = services.display_names_params_optional - terraform_template = TerraformTemplateWithParamsV2( parameters=display_names, subscription_name=subscription, @@ -187,22 +180,27 @@ def generate_terraform( print(result) if not no_summary: - compliance_coverage = ComplianceCoverage(display_names=display_names_list) + + def markdown_summary(file_prefix: str) -> str: + # Write Markdown summary + markdown_table = services.markdown_table(no_params=no_params, params_optional=params_optional, params_required=params_required) + markdown_file_name = f"{file_prefix}.md" + if os.path.exists(markdown_file_name): + if verbosity >= 1: + utils.print_grey(f"Removing the previous file: {markdown_file_name}") + os.remove(markdown_file_name) + with open(markdown_file_name, "w") as f: + f.write(markdown_table) + return markdown_file_name + summary_file_prefix = f"{summary_file_prefix}-{service}-table" # Write Markdown summary - markdown_table = compliance_coverage.markdown_table() - markdown_file = f"{summary_file_prefix}.md" - if os.path.exists(markdown_file): - if verbosity >= 1: - utils.print_grey(f"Removing the previous file: {markdown_file}") - os.remove(markdown_file) - with open(markdown_file, "w") as f: - f.write(markdown_table) + markdown_file = markdown_summary(file_prefix=summary_file_prefix) if verbosity >= 1: - utils.print_grey(f"CSV file written to: {markdown_file}") + utils.print_grey(f"Markdown file written to: {markdown_file}") # Write CSV summary csv_file = f"{summary_file_prefix}.csv" - compliance_coverage.csv_table(csv_file, verbosity=verbosity) + services.csv_summary(csv_file, verbosity=verbosity, no_params=no_params, params_optional=params_optional, params_required=params_required) diff --git a/azure_guardrails/guardrails/services.py b/azure_guardrails/guardrails/services.py index 01a5d4d..195ae86 100644 --- a/azure_guardrails/guardrails/services.py +++ b/azure_guardrails/guardrails/services.py @@ -1,6 +1,9 @@ import os import json +import csv import logging +from tabulate import tabulate +from operator import itemgetter from azure_guardrails.shared import utils from azure_guardrails.shared.config import DEFAULT_CONFIG, Config from azure_guardrails.guardrails.policy_definition import PolicyDefinition @@ -8,6 +11,42 @@ logger = logging.getLogger(__name__) +def skip_display_names(policy_definition: PolicyDefinition, config: Config = DEFAULT_CONFIG) -> bool: + # Quality control + # First, if the display name starts with [Deprecated], skip it + if policy_definition.display_name.startswith("[Deprecated]: "): + logger.debug( + "Skipping Policy (Deprecated). Policy name: %s" + % policy_definition.display_name + ) + return True + # Some Policies with Modify capabilities don't have an Effect - only way to detect them is to see if the name starts with 'Deploy' + elif policy_definition.display_name.startswith("Deploy "): + logger.debug( + "Skipping Policy (Deploy). Policy name: %s" + % policy_definition.display_name + ) + return True + # If the policy is deprecated, skip it + elif policy_definition.is_deprecated: + logger.debug( + "Skipping Policy (Deprecated). Policy name: %s" + % policy_definition.display_name + ) + return True + # If we have specified it in the Config config, skip it + elif config.is_excluded( + service_name=policy_definition.service_name, display_name=policy_definition.display_name + ): + logger.debug( + "Skipping Policy (Excluded by user). Policy name: %s" + % policy_definition.display_name + ) + return True + else: + return False + + class Service: def __init__(self, service_name: str, config: Config = DEFAULT_CONFIG): self.service_name = service_name @@ -60,41 +99,6 @@ def _policy_definitions(self) -> dict: policy_definitions[policy_definition.display_name] = policy_definition return policy_definitions - def skip_display_names(self, policy_definition: PolicyDefinition) -> bool: - # Quality control - # First, if the display name starts with [Deprecated], skip it - if policy_definition.display_name.startswith("[Deprecated]: "): - logger.debug( - "Skipping Policy (Deprecated). Policy name: %s" - % policy_definition.display_name - ) - return True - # Some Policies with Modify capabilities don't have an Effect - only way to detect them is to see if the name starts with 'Deploy' - elif policy_definition.display_name.startswith("Deploy "): - logger.debug( - "Skipping Policy (Deploy). Policy name: %s" - % policy_definition.display_name - ) - return True - # If the policy is deprecated, skip it - elif policy_definition.is_deprecated: - logger.debug( - "Skipping Policy (Deprecated). Policy name: %s" - % policy_definition.display_name - ) - return True - # If we have specified it in the Config config, skip it - elif self.config.is_excluded( - service_name=self.service_name, display_name=policy_definition.display_name - ): - logger.debug( - "Skipping Policy (Excluded by user). Policy name: %s" - % policy_definition.display_name - ) - return True - else: - return False - @property def display_names(self) -> list: display_names = list(self.policy_definitions.keys()) @@ -105,7 +109,7 @@ def display_names(self) -> list: def display_names_no_params(self) -> list: display_names = [] for display_name, policy_definition in self.policy_definitions.items(): - if not self.skip_display_names(policy_definition=policy_definition): + if not skip_display_names(policy_definition=policy_definition, config=self.config): if policy_definition.no_params: display_names.append(display_name) display_names.sort() @@ -115,7 +119,7 @@ def display_names_no_params(self) -> list: def display_names_params_optional(self) -> list: display_names = [] for display_name, policy_definition in self.policy_definitions.items(): - if not self.skip_display_names(policy_definition=policy_definition): + if not skip_display_names(policy_definition=policy_definition, config=self.config): if policy_definition.params_optional: display_names.append(display_name) display_names.sort() @@ -125,7 +129,7 @@ def display_names_params_optional(self) -> list: def display_names_params_required(self) -> list: display_names = [] for display_name, policy_definition in self.policy_definitions.items(): - if not self.skip_display_names(policy_definition=policy_definition): + if not skip_display_names(policy_definition=policy_definition, config=self.config): if policy_definition.params_required: display_names.append(display_name) display_names.sort() @@ -184,6 +188,16 @@ def _services(self) -> dict: services[service_name] = service return services + def get_policy_definition(self, display_name) -> PolicyDefinition: + definitions_found = [] + policy_definition = None + for service_name, service_details in self.services.items(): + if service_details.policy_definitions.get(display_name, None): + definitions_found.append(f"{service_name}: {display_name}") + policy_definition = service_details.policy_definitions[display_name] + break + return policy_definition + @property def display_names_no_params(self) -> list: display_names = [] @@ -248,15 +262,204 @@ def get_display_names_sorted_by_service_with_params( results[service_name] = service_parameters return results - def get_all_display_names_sorted_by_service(self) -> dict: + def get_all_display_names_sorted_by_service(self, no_params: bool = True, params_optional: bool = True, params_required: bool = True) -> dict: results = {} for service_name, service_details in self.services.items(): service_results = [] - service_results.extend(service_details.display_names_no_params) - service_results.extend(service_details.display_names_params_optional) - service_results.extend(service_details.display_names_params_required) + if no_params: + service_results.extend(service_details.display_names_no_params) + if params_optional: + service_results.extend(service_details.display_names_params_optional) + if params_required: + service_results.extend(service_details.display_names_params_required) service_results.sort() service_results = list(dict.fromkeys(service_results)) # remove duplicates if service_results: results[service_name] = service_results return results + + def compliance_coverage_data(self, no_params: bool = True, params_optional: bool = True, params_required: bool = True) -> dict: + results = {} + compliance_data_file = os.path.abspath( + os.path.join( + os.path.dirname(__file__), os.path.pardir, "shared", "data", "compliance-data.json" + ) + ) + with open(compliance_data_file) as json_file: + compliance_data = json.load(json_file) + display_names_sorted = self.get_all_display_names_sorted_by_service(no_params=no_params, params_optional=params_optional, params_required=params_required) + definitions_found = [] + for service_name, display_names in display_names_sorted.items(): + for display_name in display_names: + policy_definition_compliance_metadata = compliance_data.get(display_name, None) + # If there are no results, skip + if not policy_definition_compliance_metadata: + continue + # Check if this is excluded by the config + policy_definition = self.get_policy_definition(display_name) + if skip_display_names(policy_definition=policy_definition, config=self.config): + continue + definitions_found.append(f"{service_name}: {display_name}") + service_results = {} + # if it exists in the display names + if policy_definition_compliance_metadata: + policy_def_results = dict( + description=policy_definition_compliance_metadata.get("description"), + effects=policy_definition_compliance_metadata.get("effects").lower(), + github_link=policy_definition_compliance_metadata.get("github_link"), + github_version=policy_definition_compliance_metadata.get("github_version"), + name=display_name, + policy_id=policy_definition_compliance_metadata.get("policy_id"), + service_name=policy_definition_compliance_metadata.get("service_name"), + benchmarks=policy_definition_compliance_metadata.get("benchmarks"), + ) + service_results[display_name] = policy_def_results + else: + continue + if not results.get(service_name): + results[service_name] = service_results + else: + results[service_name][display_name] = policy_def_results + # Address items that are not listed under the compliance benchmarks + for service_name, display_names in display_names_sorted.items(): + for display_name in display_names: + service_results = {} + if service_name in results.keys(): + if display_name in results[service_name].keys(): + continue + definitions_found.append(f"{service_name}: {display_name}") + # Check if this is excluded by the config + policy_definition = self.get_policy_definition(display_name) + if skip_display_names(policy_definition=policy_definition, config=self.config): + continue + if not policy_definition: + raise Exception(f"Policy definition with display name {display_name} not found") + policy_def_results = dict( + description=policy_definition.properties.description, + effects=','.join(policy_definition.allowed_effects), + github_link=None, + github_version=None, + name=display_name, + policy_id=policy_definition.id, + service_name=service_name, + benchmarks={}, + ) + service_results[display_name] = policy_def_results + if not results.get(service_name): + results[service_name] = service_results + else: + results[service_name][display_name] = policy_def_results + definitions_found.sort() + return results + + def table_summary(self, hyperlink_format: bool = True, no_params: bool = True, params_optional: bool = True, params_required: bool = True) -> list: + results = [] + + def get_benchmark_id(benchmark_name: str, this_policy_metadata: dict) -> str: + if this_policy_metadata["benchmarks"].get(benchmark_name, None): + benchmark_id = this_policy_metadata["benchmarks"][benchmark_name]["requirement_id"] + benchmark_id = benchmark_id.replace(f"{benchmark_name}: ", "") + benchmark_id = benchmark_id.replace(f"ID : ", "") + else: + benchmark_id = "" + return benchmark_id + + compliance_coverage_data = self.compliance_coverage_data(no_params=no_params, params_optional=params_optional, params_required=params_required) + for service_name, service_details in compliance_coverage_data.items(): + for display_name, policy_metadata in service_details.items(): + name = display_name.replace("[Preview]: ", "") + github_link = policy_metadata.get("github_link") + policy_definition_obj = self.get_policy_definition(display_name) + + # Get the string that we'll put in the name, depending on if we want to use Markdown hyperlink format or just the name itself + if hyperlink_format: + if github_link != "": + policy_definition_string = f"[{name}]({github_link})" + else: + policy_definition_string = name + else: + policy_definition_string = name + + azure_security_benchmark_id = get_benchmark_id( + "Azure Security Benchmark", policy_metadata + ) + cis_id = get_benchmark_id("CIS", policy_metadata) + ccmc_id = get_benchmark_id("CCMC L3", policy_metadata) + iso_id = get_benchmark_id("ISO 27001", policy_metadata) + nist_800_171_id = get_benchmark_id( + "NIST SP 800-171 R2", policy_metadata + ) + nist_800_53_id = get_benchmark_id( + "NIST SP 800-53 R4", policy_metadata + ) + hipaa_id = get_benchmark_id("HIPAA HITRUST 9.2", policy_metadata) + new_zealand_id = get_benchmark_id( + "NZISM Security Benchmark", policy_metadata + ) + parameter_requirements = None + if policy_definition_obj.no_params: + parameter_requirements = "None" + elif policy_definition_obj.params_optional: + parameter_requirements = "Optional" + elif policy_definition_obj.params_required: + parameter_requirements = "Required" + + parameter_names = policy_definition_obj.parameter_names + if "effect" in parameter_names: + parameter_names.remove("effect") + parameter_names = ", ".join(parameter_names) + result = { + "Service": service_name, + "Policy Definition": policy_definition_string, + "Parameter Requirements": parameter_requirements, + # "Name": policy_definition_name, + "Azure Security Benchmark": azure_security_benchmark_id, + "CIS": cis_id, + "CCMC L3": ccmc_id, + "ISO 27001": iso_id, + "NIST SP 800-171 R2": nist_800_171_id, + "NIST SP 800-53 R4": nist_800_53_id, + "HIPAA HITRUST 9.2": hipaa_id, + "New Zealand ISM": new_zealand_id, + "Parameters": parameter_names, + "Link": github_link, + } + results.append(result) + results = sorted(results, key=itemgetter("Service", "Policy Definition")) + return results + + def csv_summary(self, path: str, verbosity: int, no_params: bool = True, params_optional: bool = True, params_required: bool = True): + headers = [ + "Service", + "Policy Definition", + "Parameter Requirements", + "Azure Security Benchmark", + "CIS", + "CCMC L3", + "ISO 27001", + "NIST SP 800-53 R4", + "NIST SP 800-171 R2", + "HIPAA HITRUST 9.2", + "New Zealand ISM", + "Parameters", + "Link", + ] + + # results = headers.copy() + results = self.table_summary(hyperlink_format=False, no_params=no_params, params_optional=params_optional, params_required=params_required) + if os.path.exists(path): + os.remove(path) + if verbosity >= 1: + utils.print_grey(f"Removing the previous file: {path}") + + with open(path, "w", newline="") as csv_file: + writer = csv.DictWriter(csv_file, fieldnames=headers) + writer.writeheader() + for row in results: + writer.writerow(row) + if verbosity >= 1: + utils.print_grey(f"Wrote the new file to {path}") + + def markdown_table(self, no_params: bool = True, params_optional: bool = True, params_required: bool = True) -> str: + results = self.table_summary(no_params=no_params, params_optional=params_optional, params_required=params_required) + return tabulate(results, headers="keys", tablefmt="github") diff --git a/azure_guardrails/scrapers/compliance_data.py b/azure_guardrails/scrapers/compliance_data.py index 5a396bc..2b6b298 100644 --- a/azure_guardrails/scrapers/compliance_data.py +++ b/azure_guardrails/scrapers/compliance_data.py @@ -1,18 +1,4 @@ -from typing import Dict -import os -import csv import json -from operator import itemgetter -from tabulate import tabulate -from azure_guardrails.shared import utils - -COMPLIANCE_DATA_FILE = os.path.abspath( - os.path.join( - os.path.dirname(__file__), os.path.pardir, "shared", "data", "compliance-data.json" - ) -) -with open(COMPLIANCE_DATA_FILE) as json_file: - COMPLIANCE_DATA = json.load(json_file) class BenchmarkEntry: @@ -171,185 +157,3 @@ def _results(self) -> {PolicyDefinitionMetadata}: results[result.get("name")].benchmarks[benchmark] = benchmark_entry return results - -class PolicyComplianceData: - def __init__(self): - self.compliance_data = COMPLIANCE_DATA - self.policy_definition_metadata = self._policy_definition_metadata() - - def __repr__(self): - return json.dumps(COMPLIANCE_DATA) - - def __str__(self): - return json.dumps(COMPLIANCE_DATA) - - def json(self): - return COMPLIANCE_DATA - - def _policy_definition_metadata(self) -> {PolicyDefinitionMetadata}: - results = {} - for metadata_key, metadata_values in self.compliance_data.items(): - name = metadata_values.get("name") - policy_id = metadata_values.get("policy_id") - service_name = metadata_values.get("service_name") - effects = metadata_values.get("effects") - description = metadata_values.get("description") - github_link = metadata_values.get("github_link") - github_version = metadata_values.get("github_version") - for benchmark_key, benchmark_values in metadata_values.get( - "benchmarks" - ).items(): - benchmark = benchmark_key - category = benchmark_values.get("category") - requirement = benchmark_values.get("requirement") - requirement_id = benchmark_values.get("requirement_id") - policy_definition_metadata = PolicyDefinitionMetadata( - policy_id=policy_id, - service_name=service_name, - effects=effects, - description=description, - name=name, - benchmark=benchmark, - category=category, - requirement=requirement, - requirement_id=requirement_id, - github_link=github_link, - github_version=github_version, - ) - if not results.get(name, None): - results[name] = {} - results[name][benchmark] = policy_definition_metadata - else: - results[name][benchmark] = policy_definition_metadata - return results - - def policy_definition_names(self): - result = list(self.policy_definition_metadata.keys()) - result.sort() - return result - - def get_benchmark_data_matching_policy_definition( - self, policy_definition_name: str - ) -> dict: - results = {} - metadata = self.policy_definition_metadata.get(policy_definition_name) - for benchmark in metadata: - results[benchmark] = metadata[ - benchmark - ].get_compliance_data_matching_policy_definition() - return results - - -class ComplianceCoverage: - def __init__(self, display_names: list): - self.provided_display_names = display_names - self.policy_compliance_data = PolicyComplianceData() - self.matching_metadata = self._matching_metadata() - - def _matching_metadata(self) -> dict: - results = {} - policy_definition_names = self.policy_compliance_data.policy_definition_names() - for display_name in self.provided_display_names: - # Trim [Preview]: - name = display_name.replace("[Preview]: ", "") - if name in policy_definition_names: - benchmark_data = self.policy_compliance_data.get_benchmark_data_matching_policy_definition( - name - ) - results[display_name] = benchmark_data - return results - - def csv_table(self, path: str, verbosity: int): - headers = [ - "Service", - "Policy Definition", - "Azure Security Benchmark", - "CIS", - "CCMC L3", - "ISO 27001", - "NIST SP 800-53 R4", - "NIST SP 800-171 R2", - "HIPAA HITRUST 9.2", - "New Zealand ISM", - "Link", - ] - - # results = headers.copy() - results = self.table_summary(hyperlink_format=False) - if os.path.exists(path): - os.remove(path) - with open(path, "w", newline="") as csv_file: - writer = csv.DictWriter(csv_file, fieldnames=headers) - writer.writeheader() - for row in results: - writer.writerow(row) - if verbosity >= 1: - utils.print_grey(f"Removing the previous file: {path}") - - def markdown_table(self) -> str: - results = self.table_summary() - return tabulate(results, headers="keys", tablefmt="github") - - def table_summary(self, hyperlink_format: bool = True) -> list: - results = [] - - def get_benchmark_id(benchmark_name: str, this_policy_metadata: dict) -> str: - if this_policy_metadata.get(benchmark_name, None): - benchmark_id = this_policy_metadata[benchmark_name][benchmark_name] - benchmark_id = benchmark_id.replace(f"{benchmark_name}: ", "") - benchmark_id = benchmark_id.replace(f"ID : ", "") - else: - benchmark_id = "" - return benchmark_id - - # Loop through the matching metadata only, then look within the policy_compliance_data that holds the master details - for policy_definition_name, policy_definition_details in self.matching_metadata.items(): - name = policy_definition_name.replace("[Preview]: ", "") - - # for policy in self.matching_metadata[policy_definition_name]: - benchmarks = [] - github_link = "" - service_name = "" - for benchmark, benchmark_details in self.policy_compliance_data.policy_definition_metadata[name].items(): - benchmarks.append(benchmark) - service_name = benchmark_details.service_name - github_link = benchmark_details.github_link - if hyperlink_format: - policy_definition_string = f"[{policy_definition_name}]({github_link})" - else: - policy_definition_string = policy_definition_name - - azure_security_benchmark_id = get_benchmark_id( - "Azure Security Benchmark", policy_definition_details - ) - cis_id = get_benchmark_id("CIS", policy_definition_details) - ccmc_id = get_benchmark_id("CCMC L3", policy_definition_details) - iso_id = get_benchmark_id("ISO 27001", policy_definition_details) - nist_800_171_id = get_benchmark_id( - "NIST SP 800-171 R2", policy_definition_details - ) - nist_800_53_id = get_benchmark_id( - "NIST SP 800-53 R4", policy_definition_details - ) - hipaa_id = get_benchmark_id("HIPAA HITRUST 9.2", policy_definition_details) - new_zealand_id = get_benchmark_id( - "NZISM Security Benchmark", policy_definition_details - ) - - result = { - "Service": service_name, - "Policy Definition": policy_definition_string, - # "Name": policy_definition_name, - "Azure Security Benchmark": azure_security_benchmark_id, - "CIS": cis_id, - "CCMC L3": ccmc_id, - "ISO 27001": iso_id, - "NIST SP 800-171 R2": nist_800_171_id, - "NIST SP 800-53 R4": nist_800_53_id, - "HIPAA HITRUST 9.2": hipaa_id, - "New Zealand ISM": new_zealand_id, - "Link": github_link, - } - results.append(result) - results = sorted(results, key=itemgetter("Service", "Policy Definition")) - return results diff --git a/docs/all_policies.csv b/docs/all_policies.csv index 528dee3..eeb2523 100644 --- a/docs/all_policies.csv +++ b/docs/all_policies.csv @@ -1,277 +1,487 @@ -Service,Policy Definition,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Link -API for FHIR,Azure API for FHIR should use a customer-managed key to encrypt data at rest,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json -API for FHIR,CORS should not allow every domain to access your API for FHIR,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json -App Configuration,App Configuration should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json -App Service,API App should only be accessible over HTTPS,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json -App Service,Authentication should be enabled on your API app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json -App Service,Authentication should be enabled on your Function app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json -App Service,Authentication should be enabled on your web app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json -App Service,CORS should not allow every resource to access your API App,PV-2,,,,,,0911.09s1Organizational.2 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json -App Service,CORS should not allow every resource to access your Function Apps,PV-2,,,,,,0960.09sCSPOrganizational.1 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json -App Service,CORS should not allow every resource to access your Web Applications,PV-2,,,,AC-4,3.1.3,0916.09s2Organizational.4 - 09.s,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json -App Service,Diagnostic logs in App Services should be enabled,LT-4,5.3,,,,,1209.09aa3System.2 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json -App Service,Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On',PV-2,9.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json -App Service,Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On',PV-2,9.4,,,,,0915.09s2Organizational.2 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the API app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Function app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Web app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json -App Service,"Ensure that 'Java version' is the latest, if used as a part of the API app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json -App Service,"Ensure that 'Java version' is the latest, if used as a part of the Function app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json -App Service,"Ensure that 'Java version' is the latest, if used as a part of the Web app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json -App Service,"Ensure that 'PHP version' is the latest, if used as a part of the API app",PV-7,9.6,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json -App Service,"Ensure that 'PHP version' is the latest, if used as a part of the WEB app",PV-7,9.6,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the API app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the Function app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the Web app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json -App Service,FTPS only should be required in your API App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json -App Service,FTPS only should be required in your Function App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json -App Service,FTPS should be required in your Web App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json -App Service,Function App should only be accessible over HTTPS,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json -App Service,Function apps should have 'Client Certificates (Incoming client certificates)' enabled,PV-2,9.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json -App Service,Latest TLS version should be used in your API App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json -App Service,Latest TLS version should be used in your Function App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json -App Service,Latest TLS version should be used in your Web App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json -App Service,Managed identity should be used in your API App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json -App Service,Managed identity should be used in your Function App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json -App Service,Managed identity should be used in your Web App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json -App Service,Remote debugging should be turned off for API Apps,PV-2,,,,AC-17 (1),3.1.12,0914.09s1Organizational.6 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json -App Service,Remote debugging should be turned off for Function Apps,PV-2,,,,AC-17 (1),3.1.12,1325.09s1Organizational.3 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json -App Service,Remote debugging should be turned off for Web Applications,PV-2,,,,AC-17 (1),3.1.12,0912.09s1Organizational.4 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json -App Service,Web Application should only be accessible over HTTPS,DP-4,9.2,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json -Automation,Automation account variables should be encrypted,DP-5,,,A.10.1.1,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json -Azure Data Explorer,Azure Data Explorer encryption at rest should use a customer-managed key,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json -Azure Data Explorer,Disk encryption should be enabled on Azure Data Explorer,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json -Azure Data Explorer,Double encryption should be enabled on Azure Data Explorer,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json -Backup,Azure Backup should be enabled for Virtual Machines,BR-2,,,,,,1699.09l1Organizational.10 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json -Batch,Resource logs in Batch accounts should be enabled,LT-4,5.3,,,,,1205.09aa2System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json -Cache,Azure Cache for Redis should reside within a virtual network,NS-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json -Cache,Only secure connections to your Azure Cache for Redis should be enabled,DP-4,,,A.13.2.1,SC-8 (1),3.13.8,0946.09y2Organizational.14 - 09.y,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json -Cognitive Services,Cognitive Services accounts should enable data encryption,DP-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json -Cognitive Services,Cognitive Services accounts should enable data encryption with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json -Cognitive Services,Cognitive Services accounts should restrict network access,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json -Cognitive Services,Cognitive Services accounts should use customer owned storage or enable data encryption.,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json -Compute,Audit VMs that do not use managed disks,,7.1,,A.9.1.2,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json -Compute,Audit virtual machines without disaster recovery configured,,,,,CP-7,,1638.12b2Organizational.345 - 12.b,ESS-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json -Compute,Microsoft Antimalware for Azure should be configured to automatically update protection signatures,,,,,,,0201.09j1Organizational.124 - 09.j,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json -Compute,Microsoft IaaSAntimalware extension should be deployed on Windows servers,,,,,,3.14.2,,SS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json -Compute,Only approved VM extensions should be installed,,7.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json -Compute,Resource logs in Virtual Machine Scale Sets should be enabled,LT-4,5.3,,,,,1206.09aa2System.23 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json -Compute,Unattached disks should be encrypted,,7.3,,,,,0303.09o2Organizational.2 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json -Compute,Virtual machines should be migrated to new Azure Resource Manager resources,AM-3,,,A.9.1.2,,,0835.09n1Organizational.1 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json -Container Registry,Container registries should be encrypted with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json -Container Registry,Container registries should not allow unrestricted network access,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json -Container Registry,Container registries should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json -Cosmos DB,Azure Cosmos DB accounts should have firewall rules,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json -Cosmos DB,Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json -Data Box,Azure Data Box jobs should enable double encryption for data at rest on the device,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json -Data Lake,Require encryption on Data Lake Store accounts,,,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json -Data Lake,Resource logs in Azure Data Lake Store should be enabled,LT-4,5.3,,,,,1202.09aa1System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json -Data Lake,Resource logs in Data Lake Analytics should be enabled,LT-4,5.3,,,,,1210.09aa3System.3 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json -Event Grid,Azure Event Grid domains should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json -Event Grid,Azure Event Grid topics should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json -Event Hub,Resource logs in Event Hub should be enabled,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json -General,Allowed locations,,,,,,,,ESS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json -General,Allowed locations for resource groups,,,,,,,,ESS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json -General,Audit usage of custom RBAC rules,PA-7,,,A.9.2.3,AC-2 (7),,1230.09c2Organizational.1 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json -General,Custom subscription owner roles should not exist,PA-7,1.21,,,,,1278.09c2Organizational.56 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json -Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json -Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json -Guest Configuration,Audit Linux machines that allow remote connections from accounts without passwords,,,,A.9.1.2,AC-17 (1),3.1.12,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json -Guest Configuration,Audit Linux machines that do not have the passwd file permissions set to 0644,,,,A.9.2.4,IA-5,3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json -Guest Configuration,Audit Linux machines that have accounts without passwords,,,,A.9.1.2,IA-5,3.5.7,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json -Guest Configuration,Audit Windows machines missing any of specified members in the Administrators group,,,,,AC-6 (7),3.1.4,1127.01q2System.3 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json -Guest Configuration,Audit Windows machines on which the Log Analytics agent is not connected as expected,,,,,,,1217.09ab3System.3 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json -Guest Configuration,Audit Windows machines that allow re-use of the previous 24 passwords,,,,A.9.4.3,IA-5 (1),3.5.8,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json -Guest Configuration,Audit Windows machines that do not contain the specified certificates in Trusted Root,,,,,,,0945.09y1Organizational.3 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json -Guest Configuration,Audit Windows machines that do not have a maximum password age of 70 days,,,,A.9.4.3,IA-5 (1),,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json -Guest Configuration,Audit Windows machines that do not have a minimum password age of 1 day,,,,A.9.4.3,IA-5 (1),,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json -Guest Configuration,Audit Windows machines that do not have the password complexity setting enabled,,,,A.9.4.3,IA-5 (1),3.5.7,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json -Guest Configuration,Audit Windows machines that do not restrict the minimum password length to 14 characters,,,,A.9.4.3,IA-5 (1),3.5.7,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json -Guest Configuration,Audit Windows machines that do not store passwords using reversible encryption,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json -Guest Configuration,Audit Windows machines that have extra accounts in the Administrators group,,,,,,,1123.01q1System.2 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json -Guest Configuration,Audit Windows machines that have the specified members in the Administrators group,,,,,AC-6 (7),3.1.4,1125.01q2System.1 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json -Guest Configuration,Windows Defender Exploit Guard should be enabled on your machines,ES-2,,,,,,,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Accounts',,,,,,,1148.01c2System.78 - 01.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAccounts_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Audit',,,,,,,0605.10h1System.12 - 10.h,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAudit_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Microsoft Network Server',,,,,,,0709.10m1Organizational.1 - 10.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Network Access',,,,,,,0861.09m2Organizational.67 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Network Security',,,,,,3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Recovery console',,,,,,,1637.12b2Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsRecoveryconsole_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - User Account Control',,,,,,,1277.09c2Organizational.4 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsUserAccountControl_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Settings - Account Policies',,,,,,,,AC-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Account Management',,,,,,,0605.10h1System.12 - 10.h,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesAccountManagement_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking',,,,,,,0644.10k3Organizational.4 - 10.k,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesDetailedTracking_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Policy Change',,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPolicyChange_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Privilege Use',,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPrivilegeUse_AINE.json -Guest Configuration,Windows machines should meet requirements for 'User Rights Assignment',,,,,,,1232.09c3Organizational.12 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_UserRightsAssignment_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Windows Firewall Properties',,,,,,,0858.09m1Organizational.4 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsFirewallProperties_AINE.json -Guest Configuration,Windows web servers should be configured to use secure communication protocols,DP-4,,,,SC-8 (1),3.13.8,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json -Guest Configuration,[Preview]: Linux machines should meet requirements for the Azure security baseline,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json -Internet of Things,Resource logs in IoT Hub should be enabled,LT-4,5.3,,,,,1204.09aa1System.3 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json -Key Vault,Azure Key Vault Managed HSM should have purge protection enabled,,,,,,,1635.12b1Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json -Key Vault,Key vaults should have purge protection enabled,BR-4,8.4,,,,,1635.12b1Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json -Key Vault,Key vaults should have soft delete enabled,BR-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json -Key Vault,Resource logs in Azure Key Vault Managed HSM should be enabled,,,,,,,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json -Key Vault,Resource logs in Key Vault should be enabled,LT-4,5.3,,,,,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json -Key Vault,[Preview]: Certificates using RSA cryptography should have the specified minimum key size,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json -Key Vault,[Preview]: Firewall should be enabled on Key Vault,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json -Key Vault,[Preview]: Key Vault keys should have an expiration date,,8.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json -Key Vault,[Preview]: Key Vault secrets should have an expiration date,,8.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json -Key Vault,[Preview]: Keys should be the specified cryptographic type RSA or EC,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json -Key Vault,[Preview]: Keys using RSA cryptography should have a specified minimum key size,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json -Key Vault,[Preview]: Keys using elliptic curve cryptography should have the specified curve names,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json -Key Vault,[Preview]: Private endpoint should be configured for Key Vault,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json -Kubernetes,Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json -Kubernetes,Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json -Kubernetes,Kubernetes cluster containers should not share host process ID or host IPC namespace,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json -Kubernetes,Kubernetes cluster containers should only use allowed AppArmor profiles,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json -Kubernetes,Kubernetes cluster containers should only use allowed capabilities,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json -Kubernetes,Kubernetes cluster containers should run with a read only root file system,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json -Kubernetes,Kubernetes cluster pod hostPath volumes should only use allowed host paths,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json -Kubernetes,Kubernetes cluster pods and containers should only run with approved user and group IDs,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json -Kubernetes,Kubernetes cluster pods should only use approved host network and port range,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json -Kubernetes,Kubernetes clusters should be accessible only over HTTPS,DP-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json -Kubernetes,Kubernetes clusters should not allow container privilege escalation,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json -Logic Apps,Resource logs in Logic Apps should be enabled,LT-4,5.3,,,,,1203.09aa1System.2 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json -Machine Learning,Azure Machine Learning workspaces should be encrypted with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json -Machine Learning,Azure Machine Learning workspaces should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json -Monitoring,Activity log should be retained for at least one year,,,,,,,,AC-15,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json -Monitoring,An activity log alert should exist for specific Administrative operations,,5.2.9,,,,,1271.09ad1System.1 - 09.ad,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json -Monitoring,An activity log alert should exist for specific Policy operations,,5.2.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json -Monitoring,An activity log alert should exist for specific Security operations,,5.2.8,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json -Monitoring,Audit Log Analytics workspace for VM - Report Mismatch,,,,,SI-4,3.3.2,,AC-14,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json -Monitoring,Audit diagnostic setting,,,,A.12.4.4,AU-12,3.3.4,1210.09aa3System.3 - 09.aa,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json -Monitoring,"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",,,,,,,1219.09ab3System.10 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json -Monitoring,Azure Monitor should collect activity logs from all regions,,,,,,,1214.09ab2System.3456 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json -Monitoring,Azure subscriptions should have a log profile for Activity Log,,,,,,,,AC-13,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json -Monitoring,Storage account containing the container with activity logs must be encrypted with BYOK,,5.1.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json -Monitoring,The Log Analytics agent should be installed on Virtual Machine Scale Sets,,,,,,3.3.2,1216.09ab3System.12 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json -Monitoring,The Log Analytics agent should be installed on virtual machines,,,,,,3.3.2,1215.09ab2System.7 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json -Monitoring,[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json -Monitoring,[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json -Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines,LT-3,,,,,,0885.09n2Organizational.3 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json -Monitoring,[Preview]: Network traffic data collection agent should be installed on Windows virtual machines,LT-3,,,,,,0887.09n2Organizational.5 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json -Network,App Service should use a virtual network service endpoint,,,,,,,0861.09m2Organizational.67 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json -Network,Cosmos DB should use a virtual network service endpoint,,,,,,,0864.09m2Organizational.12 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json -Network,Event Hub should use a virtual network service endpoint,,,,,,,0863.09m2Organizational.910 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json -Network,Gateway subnets should not be configured with a network security group,,,,,,,0894.01m2Organizational.7 - 01.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json -Network,Key Vault should use a virtual network service endpoint,,,,,,,0865.09m2Organizational.13 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json -Network,Network Watcher should be enabled,LT-3,6.5,,,,3.14.6,0888.09n2Organizational.6 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json -Network,RDP access from the Internet should be blocked,NS-4,6.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json -Network,SQL Server should use a virtual network service endpoint,,,,,,,0862.09m2Organizational.8 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json -Network,SSH access from the Internet should be blocked,NS-4,6.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json -Network,Service Bus should use a virtual network service endpoint,,,,,,,0860.09m1Organizational.9 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json -Network,Storage Accounts should use a virtual network service endpoint,,,,,,,0867.09m3Organizational.17 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json -Network,Virtual machines should be connected to an approved virtual network,,,,,,,0814.01n1Organizational.12 - 01.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json -Network,Web Application Firewall (WAF) should be enabled for Application Gateway,NS-4,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json -Network,Web Application Firewall (WAF) should be enabled for Azure Front Door Service service,NS-4,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json -Network,Web Application Firewall (WAF) should use the specified mode for Application Gateway,,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json -Network,Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json -Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall,NS-5,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json -Network,[Preview]: Container Registry should use a virtual network service endpoint,,,,,,,0871.09m3Organizational.22 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json -SQL,Advanced data security should be enabled on SQL Managed Instance,IR-5,4.2.1,,,SI-4,3.14.6,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json -SQL,Advanced data security should be enabled on your SQL servers,,4.2.1,,,SI-4,3.14.6,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json -SQL,An Azure Active Directory administrator should be provisioned for SQL servers,IM-1,4.4,,A.9.2.3,AC-2 (7),,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json -SQL,Auditing on SQL server should be enabled,LT-4,4.1.1,,A.12.4.4,AU-12,3.3.4,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json -SQL,Bring your own key data protection should be enabled for MySQL servers,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json -SQL,Bring your own key data protection should be enabled for PostgreSQL servers,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json -SQL,Connection throttling should be enabled for PostgreSQL database servers,,4.3.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json -SQL,Disconnections should be logged for PostgreSQL database servers.,,4.3.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json -SQL,Enforce SSL connection should be enabled for MySQL database servers,DP-4,4.3.1,,,,,0948.09y2Organizational.3 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json -SQL,Enforce SSL connection should be enabled for PostgreSQL database servers,DP-4,4.3.2,,,,,0947.09y2Organizational.2 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for MariaDB,BR-2,,,,,,1627.09l3Organizational.6 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for MySQL,BR-2,,,,,,1622.09l2Organizational.23 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for PostgreSQL,BR-2,,,,,,1626.09l3Organizational.5 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json -SQL,Infrastructure encryption should be enabled for Azure Database for MySQL servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json -SQL,Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json -SQL,Log checkpoints should be enabled for PostgreSQL database servers,,4.3.3,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json -SQL,Log connections should be enabled for PostgreSQL database servers,,4.3.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json -SQL,Long-term geo-redundant backup should be enabled for Azure SQL Databases,BR-2,,,,,,1621.09l2Organizational.1 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json -SQL,Private endpoint connections on Azure SQL Database should be enabled,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json -SQL,Private endpoint should be enabled for MariaDB servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json -SQL,Private endpoint should be enabled for MySQL servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json -SQL,Private endpoint should be enabled for PostgreSQL servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json -SQL,Public network access on Azure SQL Database should be disabled,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MariaDB servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MySQL flexible servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MySQL servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for PostgreSQL flexible servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for PostgreSQL servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json -SQL,SQL managed instances should use customer-managed keys to encrypt data at rest,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json -SQL,SQL servers should use customer-managed keys to encrypt data at rest,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json -SQL,Transparent Data Encryption on SQL databases should be enabled,DP-5,4.1.2,,A.10.1.1,SC-28 (1),3.13.16,0301.09o1Organizational.123 - 09.o,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json -SQL,Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,,4.2.4,,,,,,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json -SQL,Vulnerability assessment should be enabled on SQL Managed Instance,PV-6,4.2.2,,,,,0719.10m3Organizational.5 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json -SQL,Vulnerability assessment should be enabled on your SQL servers,PV-6,4.2.2,,,,,0709.10m1Organizational.1 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json -Search,Resource logs in Search services should be enabled,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json -Security Center,A maximum of 3 owners should be designated for your subscription,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11112.01q2Organizational.67 - 01.q,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json -Security Center,A vulnerability assessment solution should be enabled on your virtual machines,PV-6,,,A.12.6.1,SI-2,3.14.1,0711.10m2Organizational.23 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json -Security Center,Adaptive application controls for defining safe applications should be enabled on your machines,AM-6,,,A.12.6.2,CM-11,3.4.9,0607.10h2System.23 - 10.h,SS-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json -Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines,NS-4,,,,SC-7,3.13.5,0859.09m1Organizational.78 - 09.m,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json -Security Center,All network ports should be restricted on network security groups associated to your virtual machine,,,,A.13.1.1,SC-7,3.13.5,0858.09m1Organizational.4 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json -Security Center,Allowlist rules in your adaptive application control policy should be updated,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json -Security Center,Authorized IP ranges should be defined on Kubernetes Services,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json -Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription,LT-5,2.11,,,,,1220.09ab3System.56 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json -Security Center,Azure DDoS Protection Standard should be enabled,NS-4,,,,SC-5,,,NS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json -Security Center,Azure Defender for App Service should be enabled,IR-5,2.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json -Security Center,Azure Defender for Azure SQL Database servers should be enabled,IR-5,2.3,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json -Security Center,Azure Defender for Key Vault should be enabled,IR-5,2.8,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json -Security Center,Azure Defender for Kubernetes should be enabled,IR-5,2.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json -Security Center,Azure Defender for SQL servers on machines should be enabled,IR-5,2.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json -Security Center,Azure Defender for Storage should be enabled,IR-5,2.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json -Security Center,Azure Defender for container registries should be enabled,IR-5,2.7,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json -Security Center,Azure Defender for servers should be enabled,ES-1,2.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json -Security Center,Deprecated accounts should be removed from your subscription,PA-3,,,A.9.2.6,AC-2,3.1.1,,AC-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json -Security Center,Deprecated accounts with owner permissions should be removed from your subscription,PA-3,,,A.9.2.6,AC-2,3.1.1,1147.01c2System.456 - 01.c,AC-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json -Security Center,Disk encryption should be applied on virtual machines,DP-5,7.2,,A.10.1.1,SC-28 (1),3.13.16,0302.09o2Organizational.1 - 09.o,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json -Security Center,Email notification for high severity alerts should be enabled,IR-2,2.14,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json -Security Center,Email notification to subscription owner for high severity alerts should be enabled,IR-2,,,,,3.14.6,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json -Security Center,Endpoint protection solution should be installed on virtual machine scale sets,ES-3,,,,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json -Security Center,External accounts with owner permissions should be removed from your subscription,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,1146.01c2System.23 - 01.c,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json -Security Center,External accounts with read permissions should be removed from your subscription,PA-3,1.3,,,AC-2,3.1.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json -Security Center,External accounts with write permissions should be removed from your subscription,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json -Security Center,Guest Configuration extension should be installed on your machines,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json -Security Center,IP Forwarding on your virtual machine should be disabled,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json -Security Center,Internet-facing virtual machines should be protected with network security groups,NS-4,,,,,3.13.5,0814.01n1Organizational.12 - 01.n,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json -Security Center,Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version,PV-7,,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json -Security Center,Log Analytics agent health issues should be resolved on your machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json -Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json -Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json -Security Center,MFA should be enabled accounts with write permissions on your subscription,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11110.01q1Organizational.6 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json -Security Center,MFA should be enabled on accounts with owner permissions on your subscription,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11109.01q1Organizational.57 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json -Security Center,MFA should be enabled on accounts with read permissions on your subscription,IM-4,1.2,,A.9.4.2,IA-2 (2),3.5.3,11111.01q2System.4 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json -Security Center,Management ports of virtual machines should be protected with just-in-time network access control,NS-4,,,,SC-7 (4) Ownership : Microsoft,,0858.09m1Organizational.4 - 09.m,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json -Security Center,Management ports should be closed on your virtual machines,NS-1,,,,,,1193.01l2Organizational.13 - 01.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json -Security Center,Monitor missing Endpoint Protection in Azure Security Center,ES-3,7.6,,A.12.6.1,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json -Security Center,Non-internet-facing virtual machines should be protected with network security groups,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json -Security Center,Role-Based Access Control (RBAC) should be used on Kubernetes Services,PA-7,8.5,,,,,1229.09c1Organizational.1 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json -Security Center,Security Center standard pricing tier should be selected,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json -Security Center,Service principals should be used to protect your subscriptions instead of management certificates,IM-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json -Security Center,Subnets should be associated with a Network Security Group,NS-4,,,,,,0814.01n1Organizational.12 - 01.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json -Security Center,Subscriptions should have a contact email address for security issues,IR-2,2.13,,,,3.14.6,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json -Security Center,System updates on virtual machine scale sets should be installed,PV-7,,,,SI-2,3.14.1,1202.09aa1System.1 - 09.aa,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json -Security Center,System updates should be installed on your machines,PV-7,7.5,,A.12.6.1,SI-2,3.14.1,0201.09j1Organizational.124 - 09.j,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json -Security Center,There should be more than one owner assigned to your subscription,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11208.01q1Organizational.8 - 01.q,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json -Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json -Security Center,Vulnerabilities in Azure Container Registry images should be remediated,PV-6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json -Security Center,Vulnerabilities in container security configurations should be remediated,PV-4,,,,,3.11.2,0715.10m2Organizational.8 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json -Security Center,Vulnerabilities in security configuration on your machines should be remediated,PV-4,,,A.12.6.1,SI-2,3.14.1,0718.10m3Organizational.34 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json -Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated,PV-4,,,,SI-2,3.14.1,0717.10m3Organizational.2 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json -Security Center,Vulnerabilities on your SQL databases should be remediated,PV-6,,,A.12.6.1,SI-2,3.14.1,0716.10m3Organizational.1 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json -Security Center,[Preview]: Sensitive data in your SQL databases should be classified,DP-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json -Service Bus,Resource logs in Service Bus should be enabled,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json -Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,DP-5,,,A.10.1.1,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json -Service Fabric,Service Fabric clusters should only use Azure Active Directory for client authentication,IM-1,,,A.9.2.3,AC-2 (7),,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json -SignalR,Azure SignalR Service should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json -Storage,Secure transfer to storage accounts should be enabled,DP-4,3.1,,A.13.2.1,SC-8 (1),3.13.8,0943.09y1Organizational.1 - 09.y,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json -Storage,Storage accounts should allow access from trusted Microsoft services,,3.7,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json -Storage,Storage accounts should be migrated to new Azure Resource Manager resources,AM-3,,,A.9.1.2,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json -Storage,Storage accounts should have infrastructure encryption,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json -Storage,Storage accounts should restrict network access,NS-4,3.6,,A.13.1.1,SC-7,3.13.5,0866.09m3Organizational.1516 - 09.m,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json -Storage,Storage accounts should restrict network access using virtual network rules,NS-1,3.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json -Storage,Storage accounts should use customer-managed key for encryption,DP-5,3.9,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json -Storage,[Preview]: Storage account public access should be disallowed,DP-2,5.1.3,,,,,,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json -Stream Analytics,Azure Stream Analytics jobs should use customer-managed keys to encrypt data,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json -Stream Analytics,Resource logs in Azure Stream Analytics should be enabled,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json -Synapse,Azure Synapse workspaces should use customer-managed keys to encrypt data at rest,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json -VM Image Builder,VM Image Builder templates should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json +Service,Policy Definition,Parameter Requirements,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Parameters,Link +API Management,API Management service should use a SKU that supports virtual networks,Optional,,,,,,,,,listOfAllowedSKUs, +API for FHIR,Azure API for FHIR should use a customer-managed key to encrypt data at rest,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json +API for FHIR,Azure API for FHIR should use private link,None,,,,,,,,,, +API for FHIR,CORS should not allow every domain to access your API for FHIR,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json +App Configuration,App Configuration should disable public network access,None,,,,,,,,,, +App Configuration,App Configuration should use a SKU that supports private link,None,,,,,,,,,, +App Configuration,App Configuration should use a customer-managed key,None,,,,,,,,,, +App Configuration,App Configuration should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json +App Configuration,Configure App Configuration to disable public network access,None,,,,,,,,,, +App Configuration,Configure private DNS zones for private endpoints connected to App Configuration,Required,,,,,,,,,privateDnsZoneId, +App Configuration,Configure private endpoints for App Configuration,Required,,,,,,,,,privateEndpointSubnetId, +App Platform,Audit Azure Spring Cloud instances where distributed tracing is not enabled,None,,,,,,,,,, +App Service,API App should only be accessible over HTTPS,None,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json +App Service,API apps should use an Azure file share for its content directory,None,,,,,,,,,, +App Service,Authentication should be enabled on your API app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json +App Service,Authentication should be enabled on your Function app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json +App Service,Authentication should be enabled on your web app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json +App Service,CORS should not allow every resource to access your API App,None,PV-2,,,,,,0911.09s1Organizational.2 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json +App Service,CORS should not allow every resource to access your Function Apps,None,PV-2,,,,,,0960.09sCSPOrganizational.1 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json +App Service,CORS should not allow every resource to access your Web Applications,None,PV-2,,,,AC-4,3.1.3,0916.09s2Organizational.4 - 09.s,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json +App Service,Diagnostic logs in App Services should be enabled,None,LT-4,5.3,,,,,1209.09aa3System.2 - 09.aa,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json +App Service,Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On',None,PV-2,9.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json +App Service,Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On',None,PV-2,9.4,,,,,0915.09s2Organizational.2 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the API app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Function app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Web app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json +App Service,"Ensure that 'Java version' is the latest, if used as a part of the API app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json +App Service,"Ensure that 'Java version' is the latest, if used as a part of the Function app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json +App Service,"Ensure that 'Java version' is the latest, if used as a part of the Web app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json +App Service,"Ensure that 'PHP version' is the latest, if used as a part of the API app",Optional,PV-7,9.6,,,,3.14.1,,,PHPLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json +App Service,"Ensure that 'PHP version' is the latest, if used as a part of the WEB app",Optional,PV-7,9.6,,,,3.14.1,,,PHPLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the API app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the Function app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the Web app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json +App Service,FTPS only should be required in your API App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json +App Service,FTPS only should be required in your Function App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json +App Service,FTPS should be required in your Web App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json +App Service,Function App should only be accessible over HTTPS,None,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json +App Service,Function apps should have 'Client Certificates (Incoming client certificates)' enabled,None,PV-2,9.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json +App Service,Function apps should use an Azure file share for its content directory,None,,,,,,,,,, +App Service,Latest TLS version should be used in your API App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json +App Service,Latest TLS version should be used in your Function App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json +App Service,Latest TLS version should be used in your Web App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json +App Service,Managed identity should be used in your API App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json +App Service,Managed identity should be used in your Function App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json +App Service,Managed identity should be used in your Web App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json +App Service,Remote debugging should be turned off for API Apps,None,PV-2,,,,AC-17 (1),3.1.12,0914.09s1Organizational.6 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json +App Service,Remote debugging should be turned off for Function Apps,None,PV-2,,,,AC-17 (1),3.1.12,1325.09s1Organizational.3 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json +App Service,Remote debugging should be turned off for Web Applications,None,PV-2,,,,AC-17 (1),3.1.12,0912.09s1Organizational.4 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json +App Service,Resource logs in App Services should be enabled,Optional,,,,,,,,,requiredRetentionDays, +App Service,Web Application should only be accessible over HTTPS,None,DP-4,9.2,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json +App Service,Web apps should use an Azure file share for its content directory,None,,,,,,,,,, +Attestation,Azure Attestation providers should use private endpoints,None,,,,,,,,,, +Automanage,Configure virtual machines to be onboarded to Azure Automanage,Required,,,,,,,,,"automanageAccount, configurationProfileAssignment", +Automation,Automation account variables should be encrypted,None,DP-5,,,A.10.1.1,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json +Automation,Automation accounts should disable public network access,None,,,,,,,,,, +Automation,Azure Automation accounts should use customer-managed keys to encrypt data at rest,None,,,,,,,,,, +Automation,Configure Azure Automation accounts to disable public network access,None,,,,,,,,,, +Automation,Configure Azure Automation accounts with private DNS zones,Required,,,,,,,,,"privateDnsZoneId, privateEndpointGroupId", +Automation,Configure private endpoint connections on Azure Automation accounts,Required,,,,,,,,,privateEndpointSubnetId, +Automation,Private endpoint connections on Automation Accounts should be enabled,None,,,,,,,,,, +Azure Data Explorer,Azure Data Explorer encryption at rest should use a customer-managed key,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json +Azure Data Explorer,Disk encryption should be enabled on Azure Data Explorer,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json +Azure Data Explorer,Double encryption should be enabled on Azure Data Explorer,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json +Azure Data Explorer,Virtual network injection should be enabled for Azure Data Explorer,None,,,,,,,,,, +Azure Stack Edge,Azure Stack Edge devices should use double-encryption,None,,,,,,,,,, +Backup,Azure Backup should be enabled for Virtual Machines,None,BR-2,,,,,,1699.09l1Organizational.10 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json +Backup,Azure Recovery Services vaults should use private link,None,,,,,,,,,, +Backup,Configure backup on VMs with a given tag to a new recovery services vault with a default policy,Required,,,,,,,,,"inclusionTagName, inclusionTagValue", +Backup,Configure backup on VMs with a given tag to an existing recovery services vault in the same location,Required,,,,,,,,,"vaultLocation, inclusionTagName, inclusionTagValue, backupPolicyId", +Backup,Configure backup on VMs without a given tag to a new recovery services vault with a default policy,Required,,,,,,,,,"exclusionTagName, exclusionTagValue", +Backup,Configure backup on VMs without a given tag to an existing recovery services vault in the same location,Required,,,,,,,,,"vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue", +Batch,Azure Batch account should use customer-managed keys to encrypt data,None,,,,,,,,,, +Batch,Configure Batch accounts with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Batch,Metric alert rules should be configured on Batch accounts,Required,,,,,,,,,metricName, +Batch,Private endpoint connections on Batch accounts should be enabled,None,,,,,,,,,, +Batch,Public network access should be disabled for Batch accounts,None,,,,,,,,,, +Batch,Resource logs in Batch accounts should be enabled,Optional,LT-4,5.3,,,,,1205.09aa2System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json +Bot Service,Bot Service endpoint should be a valid HTTPS URI,None,,,,,,,,,, +Bot Service,Bot Service should be encrypted with a customer-managed key,None,,,,,,,,,, +Cache,Azure Cache for Redis should disable public network access,None,,,,,,,,,, +Cache,Azure Cache for Redis should reside within a virtual network,None,NS-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json +Cache,Azure Cache for Redis should use private link,None,,,,,,,,,, +Cache,Configure Azure Cache for Redis to disable public network access,None,,,,,,,,,, +Cache,Configure Azure Cache for Redis to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Cache,Only secure connections to your Azure Cache for Redis should be enabled,None,DP-4,,,A.13.2.1,SC-8 (1),3.13.8,0946.09y2Organizational.14 - 09.y,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json +Cognitive Services,Cognitive Services accounts should disable public network access,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should enable data encryption,None,DP-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json +Cognitive Services,Cognitive Services accounts should enable data encryption with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json +Cognitive Services,Cognitive Services accounts should restrict network access,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json +Cognitive Services,Cognitive Services accounts should use a managed identity,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should use customer owned storage,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should use customer owned storage or enable data encryption.,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json +Cognitive Services,Configure Cognitive Services accounts to disable public network access,None,,,,,,,,,, +Compute,Allowed virtual machine size SKUs,Required,,,,,,,,,listOfAllowedSKUs, +Compute,Audit VMs that do not use managed disks,None,,7.1,,A.9.1.2,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json +Compute,Audit virtual machines without disaster recovery configured,None,,,,,CP-7,,1638.12b2Organizational.345 - 12.b,ESS-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json +Compute,Managed disks should be double encrypted with both platform-managed and customer-managed keys,None,,,,,,,,,, +Compute,Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption,Required,,,,,,,,,allowedEncryptionSets, +Compute,Microsoft Antimalware for Azure should be configured to automatically update protection signatures,None,,,,,,,0201.09j1Organizational.124 - 09.j,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json +Compute,Microsoft IaaSAntimalware extension should be deployed on Windows servers,None,,,,,,3.14.2,,SS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json +Compute,OS and data disks should be encrypted with a customer-managed key,None,,,,,,,,,, +Compute,Only approved VM extensions should be installed,Required,,7.4,,,,,,,approvedExtensions,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json +Compute,Require automatic OS image patching on Virtual Machine Scale Sets,None,,,,,,,,,, +Compute,Resource logs in Virtual Machine Scale Sets should be enabled,Required,LT-4,5.3,,,,,1206.09aa2System.23 - 09.aa,,includeAKSClusters,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json +Compute,Unattached disks should be encrypted,None,,7.3,,,,,0303.09o2Organizational.2 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json +Compute,Virtual machines and virtual machine scale sets should have encryption at host enabled,None,,,,,,,,,, +Compute,Virtual machines should be migrated to new Azure Resource Manager resources,None,AM-3,,,A.9.1.2,,,0835.09n1Organizational.1 - 09.n,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json +Container Instance,Azure Container Instance container group should deploy into a virtual network,None,,,,,,,,,, +Container Instance,Azure Container Instance container group should use customer-managed key for encryption,None,,,,,,,,,, +Container Registry,Container registries should be encrypted with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json +Container Registry,Container registries should not allow unrestricted network access,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json +Container Registry,Container registries should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json +Cosmos DB,Azure Cosmos DB accounts should have firewall rules,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json +Cosmos DB,Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json +Cosmos DB,Azure Cosmos DB allowed locations,Required,,,,,,,,,"listOfAllowedLocations, policyEffect", +Cosmos DB,Azure Cosmos DB key based metadata write access should be disabled,None,,,,,,,,,, +Cosmos DB,Azure Cosmos DB should disable public network access,None,,,,,,,,,, +Cosmos DB,Azure Cosmos DB throughput should be limited,Required,,,,,,,,,throughputMax, +Cosmos DB,Configure CosmosDB accounts to disable public network access ,None,,,,,,,,,, +Cosmos DB,Configure CosmosDB accounts to use private DNS zones,Required,,,,,,,,,"privateDnsZoneId, privateEndpointGroupId", +Cosmos DB,Configure CosmosDB accounts with private endpoints ,Required,,,,,,,,,"privateEndpointSubnetId, privateEndpointGroupId", +Cosmos DB,CosmosDB accounts should use private link,None,,,,,,,,,, +Data Box,Azure Data Box jobs should enable double encryption for data at rest on the device,Optional,,,,,,,,,supportedSKUs,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json +Data Box,Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password,Optional,,,,,,,,,supportedSKUs, +Data Factory,Azure Data Factory integration runtime should have a limit for number of cores,Optional,,,,,,,,,maxCores, +Data Factory,Azure Data Factory linked service resource type should be in allow list,Required,,,,,,,,,allowedLinkedServiceResourceTypes, +Data Factory,Azure Data Factory linked services should use Key Vault for storing secrets,None,,,,,,,,,, +Data Factory,Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported,None,,,,,,,,,, +Data Factory,Azure Data Factory should use a Git repository for source control,None,,,,,,,,,, +Data Factory,Azure data factories should be encrypted with a customer-managed key,None,,,,,,,,,, +Data Factory,Public network access on Azure Data Factory should be disabled,None,,,,,,,,,, +Data Factory,SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network,None,,,,,,,,,, +Data Lake,Require encryption on Data Lake Store accounts,None,,,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json +Data Lake,Resource logs in Azure Data Lake Store should be enabled,Optional,LT-4,5.3,,,,,1202.09aa1System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json +Data Lake,Resource logs in Data Lake Analytics should be enabled,Optional,LT-4,5.3,,,,,1210.09aa3System.3 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json +Event Grid,Azure Event Grid domains should disable public network access,None,,,,,,,,,, +Event Grid,Azure Event Grid domains should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json +Event Grid,Azure Event Grid topics should disable public network access,None,,,,,,,,,, +Event Grid,Azure Event Grid topics should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json +Event Grid,Modify - Configure Azure Event Grid domains to disable public network access,None,,,,,,,,,, +Event Grid,Modify - Configure Azure Event Grid topics to disable public network access,None,,,,,,,,,, +Event Hub,All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace,None,,,,,,,,,, +Event Hub,Authorization rules on the Event Hub instance should be defined,None,,,,,,,,,, +Event Hub,Configure Event Hub namespaces to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Event Hub,Configure Event Hub namespaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Event Hub,Event Hub namespaces should use a customer-managed key for encryption,None,,,,,,,,,, +Event Hub,Event Hub namespaces should use private link,None,,,,,,,,,, +Event Hub,Resource logs in Event Hub should be enabled,Optional,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json +General,Allowed locations,Required,,,,,,,,ESS-2,listOfAllowedLocations,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json +General,Allowed locations for resource groups,Required,,,,,,,,ESS-2,listOfAllowedLocations,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json +General,Allowed resource types,Required,,,,,,,,,listOfResourceTypesAllowed, +General,Audit resource location matches resource group location,None,,,,,,,,,, +General,Audit usage of custom RBAC rules,None,PA-7,,,A.9.2.3,AC-2 (7),,1230.09c2Organizational.1 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json +General,Custom subscription owner roles should not exist,None,PA-7,1.21,,,,,1278.09c2Organizational.56 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json +General,Not allowed resource types,Required,,,,,,,,,listOfResourceTypesNotAllowed, +Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,None,,,,A.10.1.1,IA-5 (1),3.5.10,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json +Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,None,,,,A.10.1.1,IA-5 (1),3.5.10,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json +HDInsight,Azure HDInsight clusters should be injected into a virtual network,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use customer-managed keys to encrypt data at rest,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use encryption at host to encrypt data at rest,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes,None,,,,,,,,,, +Internet of Things,Azure IoT Hub should use customer-managed key to encrypt data at rest,None,,,,,,,,,, +Internet of Things,Configure IoT Hub device provisioning instances to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Internet of Things,Configure IoT Hub device provisioning service instances to disable public network access,None,,,,,,,,,, +Internet of Things,Configure IoT Hub device provisioning service instances with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Internet of Things,IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK),None,,,,,,,,,, +Internet of Things,IoT Hub device provisioning service instances should disable public network access,None,,,,,,,,,, +Internet of Things,IoT Hub device provisioning service instances should use private link,None,,,,,,,,,, +Internet of Things,Modify - Configure Azure IoT Hubs to disable public network access,None,,,,,,,,,, +Internet of Things,Private endpoint should be enabled for IoT Hub,None,,,,,,,,,, +Internet of Things,Public network access on Azure IoT Hub should be disabled,None,,,,,,,,,, +Internet of Things,Resource logs in IoT Hub should be enabled,Optional,LT-4,5.3,,,,,1204.09aa1System.3 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json +Key Vault,Azure Key Vault Managed HSM should have purge protection enabled,None,,,,,,,1635.12b1Organizational.2 - 12.b,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json +Key Vault,Certificates should be issued by the specified integrated certificate authority,Optional,,,,,,,,,allowedCAs, +Key Vault,Certificates should be issued by the specified non-integrated certificate authority,Required,,,,,,,,,caCommonName, +Key Vault,Certificates should have the specified lifetime action triggers,Required,,,,,,,,,"maximumPercentageLife, minimumDaysBeforeExpiry", +Key Vault,Certificates should have the specified maximum validity period,Optional,,,,,,,,,maximumValidityInMonths, +Key Vault,Certificates should not expire within the specified number of days,Required,,,,,,,,,daysToExpire, +Key Vault,Certificates should use allowed key types,Optional,,,,,,,,,allowedKeyTypes, +Key Vault,Certificates using RSA cryptography should have the specified minimum key size,Required,,,,,,,,,minimumRSAKeySize, +Key Vault,Certificates using elliptic curve cryptography should have allowed curve names,Optional,,,,,,,,,allowedECNames, +Key Vault,Firewall should be enabled on Key Vault,None,,,,,,,,,, +Key Vault,Key Vault keys should have an expiration date,None,,,,,,,,,, +Key Vault,Key Vault secrets should have an expiration date,None,,,,,,,,,, +Key Vault,Key vaults should have purge protection enabled,None,BR-4,8.4,,,,,1635.12b1Organizational.2 - 12.b,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json +Key Vault,Key vaults should have soft delete enabled,None,BR-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json +Key Vault,Keys should be backed by a hardware security module (HSM),None,,,,,,,,,, +Key Vault,Keys should be the specified cryptographic type RSA or EC,Optional,,,,,,,,,allowedKeyTypes, +Key Vault,Keys should have more than the specified number of days before expiration,Required,,,,,,,,,minimumDaysBeforeExpiration, +Key Vault,Keys should have the specified maximum validity period,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Keys should not be active for longer than the specified number of days,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Keys using RSA cryptography should have a specified minimum key size,Required,,,,,,,,,minimumRSAKeySize, +Key Vault,Keys using elliptic curve cryptography should have the specified curve names,Optional,,,,,,,,,allowedECNames, +Key Vault,Private endpoint should be configured for Key Vault,None,,,,,,,,,, +Key Vault,Resource logs in Azure Key Vault Managed HSM should be enabled,Optional,,,,,,,1211.09aa3System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json +Key Vault,Resource logs in Key Vault should be enabled,Optional,LT-4,5.3,,,,,1211.09aa3System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json +Key Vault,Secrets should have content type set,None,,,,,,,,,, +Key Vault,Secrets should have more than the specified number of days before expiration,Required,,,,,,,,,minimumDaysBeforeExpiration, +Key Vault,Secrets should have the specified maximum validity period,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Secrets should not be active for longer than the specified number of days,Required,,,,,,,,,maximumValidityInDays, +Kubernetes,Azure Kubernetes Service Private Clusters should be enabled,None,,,,,,,,,, +Kubernetes,Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters,None,PV-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json +Kubernetes,Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, keyVaultResourceId, httpsUserKeyVaultSecretName, httpsKeyKeyVaultSecretName", +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using SSH secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, sshKnownHostsContents, keyVaultResourceId, sshPrivateKeyKeyVaultSecretName", +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using no secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues", +Kubernetes,Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit", +Kubernetes,Kubernetes cluster containers should not share host process ID or host IPC namespace,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json +Kubernetes,Kubernetes cluster containers should not use forbidden sysctl interfaces,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, forbiddenSysctls", +Kubernetes,Kubernetes cluster containers should only listen on allowed ports,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList", +Kubernetes,Kubernetes cluster containers should only use allowed AppArmor profiles,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedProfiles",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json +Kubernetes,Kubernetes cluster containers should only use allowed ProcMountType,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, procMountType", +Kubernetes,Kubernetes cluster containers should only use allowed capabilities,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json +Kubernetes,Kubernetes cluster containers should only use allowed images,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex", +Kubernetes,Kubernetes cluster containers should only use allowed seccomp profiles,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedProfiles", +Kubernetes,Kubernetes cluster containers should run with a read only root file system,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json +Kubernetes,Kubernetes cluster pod FlexVolume volumes should only use allowed drivers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers", +Kubernetes,Kubernetes cluster pod hostPath volumes should only use allowed host paths,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedHostPaths",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json +Kubernetes,Kubernetes cluster pods and containers should only run with approved user and group IDs,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json +Kubernetes,Kubernetes cluster pods and containers should only use allowed SELinux options,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions", +Kubernetes,Kubernetes cluster pods should only use allowed volume types,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes", +Kubernetes,Kubernetes cluster pods should only use approved host network and port range,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json +Kubernetes,Kubernetes cluster pods should use specified labels,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, labelsList", +Kubernetes,Kubernetes cluster services should listen only on allowed ports,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedServicePortsList", +Kubernetes,Kubernetes cluster services should only use allowed external IPs,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedExternalIPs", +Kubernetes,Kubernetes cluster should not allow privileged containers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should be accessible only over HTTPS,Required,DP-4,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json +Kubernetes,Kubernetes clusters should disable automounting API credentials,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should not allow container privilege escalation,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json +Kubernetes,Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should not use specific security capabilities,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, disallowedCapabilities", +Kubernetes,Kubernetes clusters should not use the default namespace,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should use internal load balancers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host,None,,,,,,,,,, +Lighthouse,Allow managing tenant ids to onboard through Azure Lighthouse,Required,,,,,,,,,listOfAllowedTenants, +Lighthouse,Audit delegation of scopes to a managing tenant,None,,,,,,,,,, +Logic Apps,Resource logs in Logic Apps should be enabled,Optional,LT-4,5.3,,,,,1203.09aa1System.2 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json +Machine Learning,Azure Machine Learning workspaces should be encrypted with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json +Machine Learning,Azure Machine Learning workspaces should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json +Machine Learning,Azure Machine Learning workspaces should use user-assigned managed identity,None,,,,,,,,,, +Machine Learning,Configure allowed Python packages for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedPythonPackageChannels", +Machine Learning,Configure allowed module authors for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedModuleAuthors", +Machine Learning,Configure allowed registries for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedACRs", +Machine Learning,Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, approvalEndpoint", +Machine Learning,Configure code signing for training code for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, signingKey", +Machine Learning,Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, logFilters, datastore", +Managed Application,Application definition for Managed Application should use customer provided storage account,None,,,,,,,,,, +Monitoring,Activity log should be retained for at least one year,None,,,,,,,,AC-15,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json +Monitoring,An activity log alert should exist for specific Administrative operations,Required,,5.2.9,,,,,1271.09ad1System.1 - 09.ad,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json +Monitoring,An activity log alert should exist for specific Policy operations,Required,,5.2.2,,,,,,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json +Monitoring,An activity log alert should exist for specific Security operations,Required,,5.2.8,,,,,,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json +Monitoring,Audit Log Analytics workspace for VM - Report Mismatch,Required,,,,,SI-4,3.3.2,,AC-14,logAnalyticsWorkspaceId,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json +Monitoring,Audit diagnostic setting,Required,,,,A.12.4.4,AU-12,3.3.4,1210.09aa3System.3 - 09.aa,DM-6,listOfResourceTypes,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json +Monitoring,Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption),None,,,,,,,,,, +Monitoring,Azure Monitor Logs clusters should be encrypted with customer-managed key,None,,,,,,,,,, +Monitoring,Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace,None,,,,,,,,,, +Monitoring,"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",None,,,,,,,1219.09ab3System.10 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json +Monitoring,Azure Monitor should collect activity logs from all regions,None,,,,,,,1214.09ab2System.3456 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json +Monitoring,Azure Monitor solution 'Security and Audit' must be deployed,None,,,,,,,,,, +Monitoring,Azure subscriptions should have a log profile for Activity Log,None,,,,,,,,AC-13,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json +Monitoring,Dependency agent should be enabled for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Deploy - Configure Linux Azure Monitor agent to enable Azure Monitor assignments on Linux virtual machines,None,,,,,,,,,, +Monitoring,Deploy - Configure Windows Azure Monitor agent to enable Azure Monitor assignments on Windows virtual machines,None,,,,,,,,,, +Monitoring,Deploy Dependency agent to Windows Azure Arc machines,None,,,,,,,,,, +Monitoring,Deploy Dependency agent to hybrid Linux Azure Arc machines,None,,,,,,,,,, +Monitoring,Deploy Log Analytics agent to Linux Azure Arc machines,Required,,,,,,,,,logAnalytics, +Monitoring,Deploy Log Analytics agent to Windows Azure Arc machines,Required,,,,,,,,,logAnalytics, +Monitoring,Log Analytics Agent should be enabled for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Log Analytics agent should be installed on your Linux Azure Arc machines,None,,,,,,,,,, +Monitoring,Log Analytics agent should be installed on your Windows Azure Arc machines,None,,,,,,,,,, +Monitoring,Network traffic data collection agent should be installed on Linux virtual machines,None,,,,,,,,,, +Monitoring,Network traffic data collection agent should be installed on Windows virtual machines,None,,,,,,,,,, +Monitoring,Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption,None,,,,,,,,,, +Monitoring,Storage account containing the container with activity logs must be encrypted with BYOK,None,,5.1.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json +Monitoring,The Log Analytics agent should be installed on Virtual Machine Scale Sets,None,,,,,,3.3.2,1216.09ab3System.12 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json +Monitoring,The Log Analytics agent should be installed on virtual machines,None,,,,,,3.3.2,1215.09ab2System.7 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json +Monitoring,Workbooks should be saved to storage accounts that you control,None,,,,,,,,,, +Monitoring,[ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs,None,,,,,,,,,, +Network,A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections,Required,,,,,,,,,"IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup", +Network,All Internet traffic should be routed via your deployed Azure Firewall,None,,,,,,,,,, +Network,App Service should use a virtual network service endpoint,None,,,,,,,0861.09m2Organizational.67 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json +Network,Azure VPN gateways should not use 'basic' SKU,None,,,,,,,,,, +Network,Container Registry should use a virtual network service endpoint,None,,,,,,,,,, +Network,Cosmos DB should use a virtual network service endpoint,None,,,,,,,0864.09m2Organizational.12 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json +Network,Event Hub should use a virtual network service endpoint,None,,,,,,,0863.09m2Organizational.910 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json +Network,Flow logs should be configured for every network security group,None,,,,,,,,,, +Network,Flow logs should be enabled for every network security group,None,,,,,,,,,, +Network,Gateway subnets should not be configured with a network security group,None,,,,,,,0894.01m2Organizational.7 - 01.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json +Network,Key Vault should use a virtual network service endpoint,None,,,,,,,0865.09m2Organizational.13 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json +Network,Network Watcher should be enabled,Required,LT-3,6.5,,,,3.14.6,0888.09n2Organizational.6 - 09.n,,"listOfLocations, resourceGroupName",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json +Network,Network interfaces should disable IP forwarding,None,,,,,,,,,, +Network,Network interfaces should not have public IPs,None,,,,,,,,,, +Network,RDP access from the Internet should be blocked,None,NS-4,6.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json +Network,SQL Server should use a virtual network service endpoint,None,,,,,,,0862.09m2Organizational.8 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json +Network,SSH access from the Internet should be blocked,None,NS-4,6.2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json +Network,Service Bus should use a virtual network service endpoint,None,,,,,,,0860.09m1Organizational.9 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json +Network,Storage Accounts should use a virtual network service endpoint,None,,,,,,,0867.09m3Organizational.17 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json +Network,Virtual machines should be connected to an approved virtual network,Required,,,,,,,0814.01n1Organizational.12 - 01.n,,virtualNetworkId,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json +Network,Virtual networks should use specified virtual network gateway,Required,,,,,,,,,virtualNetworkGatewayId, +Network,Web Application Firewall (WAF) should be enabled for Application Gateway,None,NS-4,,,,,,,NS-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json +Network,Web Application Firewall (WAF) should be enabled for Azure Front Door Service service,None,NS-4,,,,,,,NS-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json +Network,Web Application Firewall (WAF) should use the specified mode for Application Gateway,Optional,,,,,,,,NS-7,modeRequirement,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json +Network,Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,Optional,,,,,,,,NS-7,modeRequirement,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json +Portal,Shared dashboards should not have markdown tiles with inline content,None,,,,,,,,,, +SQL,Advanced data security should be enabled on SQL Managed Instance,None,IR-5,4.2.1,,,SI-4,3.14.6,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json +SQL,Advanced data security should be enabled on your SQL servers,None,,4.2.1,,,SI-4,3.14.6,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json +SQL,An Azure Active Directory administrator should be provisioned for SQL servers,None,IM-1,4.4,,A.9.2.3,AC-2 (7),,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json +SQL,Auditing on SQL server should be enabled,Optional,LT-4,4.1.1,,A.12.4.4,AU-12,3.3.4,1211.09aa3System.4 - 09.aa,,setting,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json +SQL,Azure SQL Database should have the minimal TLS version of 1.2,None,,,,,,,,,, +SQL,Bring your own key data protection should be enabled for MySQL servers,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json +SQL,Bring your own key data protection should be enabled for PostgreSQL servers,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json +SQL,Configure Azure SQL Server to disable public network access,None,,,,,,,,,, +SQL,Configure Azure SQL Server to enable private endpoint connections,Required,,,,,,,,,privateEndpointSubnetId, +SQL,Configure SQL servers to have auditing enabled,Required,,,,,,,,,"retentionDays, storageAccountsResourceGroup", +SQL,Connection throttling should be enabled for PostgreSQL database servers,None,,4.3.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json +SQL,Disconnections should be logged for PostgreSQL database servers.,None,,4.3.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json +SQL,Enforce SSL connection should be enabled for MySQL database servers,None,DP-4,4.3.1,,,,,0948.09y2Organizational.3 - 09.y,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json +SQL,Enforce SSL connection should be enabled for PostgreSQL database servers,None,DP-4,4.3.2,,,,,0947.09y2Organizational.2 - 09.y,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for MariaDB,None,BR-2,,,,,,1627.09l3Organizational.6 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for MySQL,None,BR-2,,,,,,1622.09l2Organizational.23 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for PostgreSQL,None,BR-2,,,,,,1626.09l3Organizational.5 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json +SQL,Infrastructure encryption should be enabled for Azure Database for MySQL servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json +SQL,Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json +SQL,Log checkpoints should be enabled for PostgreSQL database servers,None,,4.3.3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json +SQL,Log connections should be enabled for PostgreSQL database servers,None,,4.3.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json +SQL,Log duration should be enabled for PostgreSQL database servers,None,,,,,,,,,, +SQL,Long-term geo-redundant backup should be enabled for Azure SQL Databases,None,BR-2,,,,,,1621.09l2Organizational.1 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json +SQL,MariaDB server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,MySQL server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,PostgreSQL server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,Private endpoint connections on Azure SQL Database should be enabled,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json +SQL,Private endpoint should be enabled for MariaDB servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json +SQL,Private endpoint should be enabled for MySQL servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json +SQL,Private endpoint should be enabled for PostgreSQL servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json +SQL,Public network access on Azure SQL Database should be disabled,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MariaDB servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MySQL flexible servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MySQL servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for PostgreSQL flexible servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for PostgreSQL servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json +SQL,SQL Auditing settings should have Action-Groups configured to capture critical activities,None,,,,,,,,,, +SQL,SQL Database should avoid using GRS backup redundancy,None,,,,,,,,,, +SQL,SQL Managed Instance should have the minimal TLS version of 1.2,None,,,,,,,,,, +SQL,SQL Managed Instances should avoid using GRS backup redundancy,None,,,,,,,,,, +SQL,SQL managed instances should use customer-managed keys to encrypt data at rest,None,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json +SQL,SQL servers should retain audit data for at least 90 days,None,,,,,,,,,, +SQL,SQL servers should use customer-managed keys to encrypt data at rest,None,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json +SQL,Transparent Data Encryption on SQL databases should be enabled,None,DP-5,4.1.2,,A.10.1.1,SC-28 (1),3.13.16,0301.09o1Organizational.123 - 09.o,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json +SQL,Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet,Required,,,,,,,,,subnetId, +SQL,Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,None,,4.2.4,,,,,,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json +SQL,Vulnerability assessment should be enabled on SQL Managed Instance,None,PV-6,4.2.2,,,,,0719.10m3Organizational.5 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json +SQL,Vulnerability assessment should be enabled on your SQL servers,None,PV-6,4.2.2,,,,,0709.10m1Organizational.1 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json +Search,Azure Cognitive Search service should use a SKU that supports private link,None,,,,,,,,,, +Search,Azure Cognitive Search services should disable public network access,None,,,,,,,,,, +Search,Configure Azure Cognitive Search services to disable public network access,None,,,,,,,,,, +Search,Configure Azure Cognitive Search services to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Search,Resource logs in Search services should be enabled,Optional,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json +Security Center,A maximum of 3 owners should be designated for your subscription,None,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11112.01q2Organizational.67 - 01.q,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json +Security Center,A vulnerability assessment solution should be enabled on your virtual machines,None,PV-6,,,A.12.6.1,SI-2,3.14.1,0711.10m2Organizational.23 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json +Security Center,Adaptive application controls for defining safe applications should be enabled on your machines,None,AM-6,,,A.12.6.2,CM-11,3.4.9,0607.10h2System.23 - 10.h,SS-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json +Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines,None,NS-4,,,,SC-7,3.13.5,0859.09m1Organizational.78 - 09.m,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json +Security Center,All network ports should be restricted on network security groups associated to your virtual machine,None,,,,A.13.1.1,SC-7,3.13.5,0858.09m1Organizational.4 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json +Security Center,Allowlist rules in your adaptive application control policy should be updated,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json +Security Center,Authorized IP ranges should be defined on Kubernetes Services,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json +Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription,None,LT-5,2.11,,,,,1220.09ab3System.56 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json +Security Center,Azure DDoS Protection Standard should be enabled,None,NS-4,,,,SC-5,,,NS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json +Security Center,Azure Defender for App Service should be enabled,None,IR-5,2.2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json +Security Center,Azure Defender for Azure SQL Database servers should be enabled,None,IR-5,2.3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json +Security Center,Azure Defender for DNS should be enabled,None,,,,,,,,,, +Security Center,Azure Defender for Key Vault should be enabled,None,IR-5,2.8,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json +Security Center,Azure Defender for Kubernetes should be enabled,None,IR-5,2.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json +Security Center,Azure Defender for Resource Manager should be enabled,None,,,,,,,,,, +Security Center,Azure Defender for SQL servers on machines should be enabled,None,IR-5,2.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json +Security Center,Azure Defender for Storage should be enabled,None,IR-5,2.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json +Security Center,Azure Defender for container registries should be enabled,None,IR-5,2.7,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json +Security Center,Azure Defender for servers should be enabled,None,ES-1,2.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json +Security Center,Configure machines to receive the Qualys vulnerability assessment agent,None,,,,,,,,,, +Security Center,Deploy - Configure Linux machines to automatically install the Azure Security agent,None,,,,,,,,,, +Security Center,Deploy - Configure Windows machines to automatically install the Azure Security agent,None,,,,,,,,,, +Security Center,Deprecated accounts should be removed from your subscription,None,PA-3,,,A.9.2.6,AC-2,3.1.1,,AC-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json +Security Center,Deprecated accounts with owner permissions should be removed from your subscription,None,PA-3,,,A.9.2.6,AC-2,3.1.1,1147.01c2System.456 - 01.c,AC-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json +Security Center,Disk encryption should be applied on virtual machines,None,DP-5,7.2,,A.10.1.1,SC-28 (1),3.13.16,0302.09o2Organizational.1 - 09.o,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json +Security Center,Email notification for high severity alerts should be enabled,None,IR-2,2.14,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json +Security Center,Email notification to subscription owner for high severity alerts should be enabled,None,IR-2,,,,,3.14.6,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json +Security Center,Enable Azure Security Center on your subscription,None,,,,,,,,,, +Security Center,Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.,Required,,,,,,,,,logAnalytics, +Security Center,Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.,None,,,,,,,,,, +Security Center,Endpoint protection solution should be installed on virtual machine scale sets,None,ES-3,,,,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json +Security Center,External accounts with owner permissions should be removed from your subscription,None,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,1146.01c2System.23 - 01.c,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json +Security Center,External accounts with read permissions should be removed from your subscription,None,PA-3,1.3,,,AC-2,3.1.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json +Security Center,External accounts with write permissions should be removed from your subscription,None,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json +Security Center,Guest Configuration extension should be installed on your machines,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json +Security Center,IP Forwarding on your virtual machine should be disabled,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json +Security Center,Internet-facing virtual machines should be protected with network security groups,None,NS-4,,,,,3.13.5,0814.01n1Organizational.12 - 01.n,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json +Security Center,Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version,None,PV-7,,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json +Security Center,Log Analytics agent health issues should be resolved on your machines,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json +Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json +Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json +Security Center,MFA should be enabled accounts with write permissions on your subscription,None,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11110.01q1Organizational.6 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json +Security Center,MFA should be enabled on accounts with owner permissions on your subscription,None,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11109.01q1Organizational.57 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json +Security Center,MFA should be enabled on accounts with read permissions on your subscription,None,IM-4,1.2,,A.9.4.2,IA-2 (2),3.5.3,11111.01q2System.4 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json +Security Center,Management ports of virtual machines should be protected with just-in-time network access control,None,NS-4,,,,SC-7 (4) Ownership : Microsoft,,0858.09m1Organizational.4 - 09.m,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json +Security Center,Management ports should be closed on your virtual machines,None,NS-1,,,,,,1193.01l2Organizational.13 - 01.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json +Security Center,Monitor missing Endpoint Protection in Azure Security Center,None,ES-3,7.6,,A.12.6.1,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json +Security Center,Non-internet-facing virtual machines should be protected with network security groups,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json +Security Center,Operating system version should be the most current version for your cloud service roles,None,,,,,,,,,, +Security Center,Role-Based Access Control (RBAC) should be used on Kubernetes Services,None,PA-7,8.5,,,,,1229.09c1Organizational.1 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json +Security Center,Security Center standard pricing tier should be selected,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json +Security Center,Sensitive data in your SQL databases should be classified,None,,,,,,,,,, +Security Center,Service principals should be used to protect your subscriptions instead of management certificates,None,IM-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json +Security Center,Subnets should be associated with a Network Security Group,None,NS-4,,,,,,0814.01n1Organizational.12 - 01.n,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json +Security Center,Subscriptions should have a contact email address for security issues,None,IR-2,2.13,,,,3.14.6,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json +Security Center,System updates on virtual machine scale sets should be installed,None,PV-7,,,,SI-2,3.14.1,1202.09aa1System.1 - 09.aa,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json +Security Center,System updates should be installed on your machines,None,PV-7,7.5,,A.12.6.1,SI-2,3.14.1,0201.09j1Organizational.124 - 09.j,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json +Security Center,There should be more than one owner assigned to your subscription,None,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11208.01q1Organizational.8 - 01.q,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json +Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json +Security Center,Vulnerabilities in Azure Container Registry images should be remediated,None,PV-6,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json +Security Center,Vulnerabilities in container security configurations should be remediated,None,PV-4,,,,,3.11.2,0715.10m2Organizational.8 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json +Security Center,Vulnerabilities in security configuration on your machines should be remediated,None,PV-4,,,A.12.6.1,SI-2,3.14.1,0718.10m3Organizational.34 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json +Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated,None,PV-4,,,,SI-2,3.14.1,0717.10m3Organizational.2 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json +Security Center,Vulnerabilities on your SQL databases should be remediated,None,PV-6,,,A.12.6.1,SI-2,3.14.1,0716.10m3Organizational.1 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json +Security Center,Vulnerabilities on your SQL servers on machine should be remediated,None,,,,,,,,,, +Service Bus,All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace,None,,,,,,,,,, +Service Bus,Azure Service Bus namespaces should use private link,None,,,,,,,,,, +Service Bus,Configure Service Bus namespaces to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Service Bus,Configure Service Bus namespaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Service Bus,Resource logs in Service Bus should be enabled,Optional,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json +Service Bus,Service Bus Premium namespaces should use a customer-managed key for encryption,None,,,,,,,,,, +Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,None,DP-5,,,A.10.1.1,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json +Service Fabric,Service Fabric clusters should only use Azure Active Directory for client authentication,None,IM-1,,,A.9.2.3,AC-2 (7),,,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json +SignalR,Azure SignalR Service should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json +Storage,Azure File Sync should use private link,None,,,,,,,,,, +Storage,Configure Azure File Sync to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Storage,Configure Azure File Sync with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Storage,Configure Storage account to use a private link connection,Required,,,,,,,,,"privateEndpointSubnetId, targetSubResource", +Storage,Configure diagnostic settings for storage accounts to Log Analytics workspace,Required,,,,,,,,,"diagnosticsSettingNameToUse, logAnalytics, StorageDelete, StorageWrite, StorageRead, Transaction", +Storage,Geo-redundant storage should be enabled for Storage Accounts,None,,,,,,,,,, +Storage,HPC Cache accounts should use customer-managed key for encryption,None,,,,,,,,,, +Storage,Modify - Configure Azure File Sync to disable public network access,None,,,,,,,,,, +Storage,Public network access should be disabled for Azure File Sync,None,,,,,,,,,, +Storage,Secure transfer to storage accounts should be enabled,None,DP-4,3.1,,A.13.2.1,SC-8 (1),3.13.8,0943.09y1Organizational.1 - 09.y,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json +Storage,Storage account public access should be disallowed,None,,,,,,,,,, +Storage,Storage accounts should allow access from trusted Microsoft services,None,,3.7,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json +Storage,Storage accounts should be limited by allowed SKUs,Required,,,,,,,,,listOfAllowedSKUs, +Storage,Storage accounts should be migrated to new Azure Resource Manager resources,None,AM-3,,,A.9.1.2,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json +Storage,Storage accounts should have infrastructure encryption,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json +Storage,Storage accounts should restrict network access,None,NS-4,3.6,,A.13.1.1,SC-7,3.13.5,0866.09m3Organizational.1516 - 09.m,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json +Storage,Storage accounts should restrict network access using virtual network rules,None,NS-1,3.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json +Storage,Storage accounts should use customer-managed key for encryption,None,DP-5,3.9,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json +Storage,Storage accounts should use private link,None,,,,,,,,,, +Stream Analytics,Azure Stream Analytics jobs should use customer-managed keys to encrypt data,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json +Stream Analytics,Resource logs in Azure Stream Analytics should be enabled,Optional,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json +Synapse,Auditing on Synapse workspace should be enabled,Optional,,,,,,,,,setting, +Synapse,Azure Synapse workspaces should allow outbound data traffic only to approved targets,None,,,,,,,,,, +Synapse,Azure Synapse workspaces should use customer-managed keys to encrypt data at rest,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json +Synapse,Azure Synapse workspaces should use private link,None,,,,,,,,,, +Synapse,Configure Azure Synapse workspaces to use private DNS zones,Required,,,,,,,,,"privateDnsZoneId, targetSubResource", +Synapse,Configure Azure Synapse workspaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Synapse,Configure Synapse workspaces to have auditing enabled,Required,,,,,,,,,"retentionDays, storageAccountsResourceGroup", +Synapse,IP firewall rules on Azure Synapse workspaces should be removed,None,,,,,,,,,, +Synapse,Managed workspace virtual network on Azure Synapse workspaces should be enabled,None,,,,,,,,,, +Synapse,Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants,Required,,,,,,,,,allowedTenantIds, +Synapse,Synapse workspace auditing settings should have action groups configured to capture critical activities,None,,,,,,,,,, +Synapse,Synapse workspaces should be configured with 90 days auditing retention or higher.,None,,,,,,,,,, +Synapse,Vulnerability assessment should be enabled on your Synapse workspaces,None,,,,,,,,,, +Tags,Add a tag to resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Add a tag to resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Add a tag to subscriptions,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on subscriptions,Required,,,,,,,,,"tagName, tagValue", +Tags,Append a tag and its value from the resource group,Required,,,,,,,,,tagName, +Tags,Append a tag and its value to resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Append a tag and its value to resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Inherit a tag from the resource group,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the resource group if missing,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the subscription,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the subscription if missing,Required,,,,,,,,,tagName, +Tags,Require a tag and its value on resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Require a tag and its value on resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Require a tag on resource groups,Required,,,,,,,,,tagName, +Tags,Require a tag on resources,Required,,,,,,,,,tagName, +VM Image Builder,VM Image Builder templates should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json diff --git a/docs/no-params.csv b/docs/no-params.csv index d30d64d..5709ffa 100644 --- a/docs/no-params.csv +++ b/docs/no-params.csv @@ -1,199 +1,328 @@ -Service,Policy Definition,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Link -API for FHIR,Azure API for FHIR should use a customer-managed key to encrypt data at rest,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json -API for FHIR,CORS should not allow every domain to access your API for FHIR,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json -App Configuration,App Configuration should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json -App Service,API App should only be accessible over HTTPS,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json -App Service,Authentication should be enabled on your API app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json -App Service,Authentication should be enabled on your Function app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json -App Service,Authentication should be enabled on your web app,,9.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json -App Service,CORS should not allow every resource to access your API App,PV-2,,,,,,0911.09s1Organizational.2 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json -App Service,CORS should not allow every resource to access your Function Apps,PV-2,,,,,,0960.09sCSPOrganizational.1 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json -App Service,CORS should not allow every resource to access your Web Applications,PV-2,,,,AC-4,3.1.3,0916.09s2Organizational.4 - 09.s,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json -App Service,Diagnostic logs in App Services should be enabled,LT-4,5.3,,,,,1209.09aa3System.2 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json -App Service,Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On',PV-2,9.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json -App Service,Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On',PV-2,9.4,,,,,0915.09s2Organizational.2 - 09.s,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the API app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Function app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json -App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Web app",,9.9,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json -App Service,FTPS only should be required in your API App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json -App Service,FTPS only should be required in your Function App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json -App Service,FTPS should be required in your Web App,DP-4,9.10,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json -App Service,Function App should only be accessible over HTTPS,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json -App Service,Function apps should have 'Client Certificates (Incoming client certificates)' enabled,PV-2,9.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json -App Service,Latest TLS version should be used in your API App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json -App Service,Latest TLS version should be used in your Function App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json -App Service,Latest TLS version should be used in your Web App,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json -App Service,Managed identity should be used in your API App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json -App Service,Managed identity should be used in your Function App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json -App Service,Managed identity should be used in your Web App,IM-2,9.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json -App Service,Remote debugging should be turned off for API Apps,PV-2,,,,AC-17 (1),3.1.12,0914.09s1Organizational.6 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json -App Service,Remote debugging should be turned off for Function Apps,PV-2,,,,AC-17 (1),3.1.12,1325.09s1Organizational.3 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json -App Service,Remote debugging should be turned off for Web Applications,PV-2,,,,AC-17 (1),3.1.12,0912.09s1Organizational.4 - 09.s,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json -App Service,Web Application should only be accessible over HTTPS,DP-4,9.2,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json -Automation,Automation account variables should be encrypted,DP-5,,,A.10.1.1,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json -Azure Data Explorer,Azure Data Explorer encryption at rest should use a customer-managed key,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json -Azure Data Explorer,Disk encryption should be enabled on Azure Data Explorer,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json -Azure Data Explorer,Double encryption should be enabled on Azure Data Explorer,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json -Backup,Azure Backup should be enabled for Virtual Machines,BR-2,,,,,,1699.09l1Organizational.10 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json -Cache,Azure Cache for Redis should reside within a virtual network,NS-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json -Cache,Only secure connections to your Azure Cache for Redis should be enabled,DP-4,,,A.13.2.1,SC-8 (1),3.13.8,0946.09y2Organizational.14 - 09.y,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json -Cognitive Services,Cognitive Services accounts should enable data encryption,DP-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json -Cognitive Services,Cognitive Services accounts should enable data encryption with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json -Cognitive Services,Cognitive Services accounts should restrict network access,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json -Cognitive Services,Cognitive Services accounts should use customer owned storage or enable data encryption.,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json -Compute,Audit VMs that do not use managed disks,,7.1,,A.9.1.2,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json -Compute,Audit virtual machines without disaster recovery configured,,,,,CP-7,,1638.12b2Organizational.345 - 12.b,ESS-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json -Compute,Microsoft Antimalware for Azure should be configured to automatically update protection signatures,,,,,,,0201.09j1Organizational.124 - 09.j,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json -Compute,Microsoft IaaSAntimalware extension should be deployed on Windows servers,,,,,,3.14.2,,SS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json -Compute,Unattached disks should be encrypted,,7.3,,,,,0303.09o2Organizational.2 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json -Compute,Virtual machines should be migrated to new Azure Resource Manager resources,AM-3,,,A.9.1.2,,,0835.09n1Organizational.1 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json -Container Registry,Container registries should be encrypted with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json -Container Registry,Container registries should not allow unrestricted network access,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json -Container Registry,Container registries should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json -Cosmos DB,Azure Cosmos DB accounts should have firewall rules,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json -Cosmos DB,Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json -Data Lake,Require encryption on Data Lake Store accounts,,,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json -Event Grid,Azure Event Grid domains should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json -Event Grid,Azure Event Grid topics should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json -General,Audit usage of custom RBAC rules,PA-7,,,A.9.2.3,AC-2 (7),,1230.09c2Organizational.1 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json -General,Custom subscription owner roles should not exist,PA-7,1.21,,,,,1278.09c2Organizational.56 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json -Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json -Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json -Key Vault,Azure Key Vault Managed HSM should have purge protection enabled,,,,,,,1635.12b1Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json -Key Vault,Key vaults should have purge protection enabled,BR-4,8.4,,,,,1635.12b1Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json -Key Vault,Key vaults should have soft delete enabled,BR-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json -Key Vault,[Preview]: Firewall should be enabled on Key Vault,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json -Key Vault,[Preview]: Key Vault keys should have an expiration date,,8.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json -Key Vault,[Preview]: Key Vault secrets should have an expiration date,,8.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json -Key Vault,[Preview]: Private endpoint should be configured for Key Vault,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json -Kubernetes,Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json -Kubernetes,Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json -Machine Learning,Azure Machine Learning workspaces should be encrypted with a customer-managed key,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json -Machine Learning,Azure Machine Learning workspaces should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json -Monitoring,Activity log should be retained for at least one year,,,,,,,,AC-15,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json -Monitoring,"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",,,,,,,1219.09ab3System.10 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json -Monitoring,Azure Monitor should collect activity logs from all regions,,,,,,,1214.09ab2System.3456 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json -Monitoring,Azure subscriptions should have a log profile for Activity Log,,,,,,,,AC-13,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json -Monitoring,Storage account containing the container with activity logs must be encrypted with BYOK,,5.1.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json -Monitoring,The Log Analytics agent should be installed on Virtual Machine Scale Sets,,,,,,3.3.2,1216.09ab3System.12 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json -Monitoring,The Log Analytics agent should be installed on virtual machines,,,,,,3.3.2,1215.09ab2System.7 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json -Monitoring,[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json -Monitoring,[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json -Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines,LT-3,,,,,,0885.09n2Organizational.3 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json -Monitoring,[Preview]: Network traffic data collection agent should be installed on Windows virtual machines,LT-3,,,,,,0887.09n2Organizational.5 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json -Network,App Service should use a virtual network service endpoint,,,,,,,0861.09m2Organizational.67 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json -Network,Cosmos DB should use a virtual network service endpoint,,,,,,,0864.09m2Organizational.12 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json -Network,Event Hub should use a virtual network service endpoint,,,,,,,0863.09m2Organizational.910 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json -Network,Gateway subnets should not be configured with a network security group,,,,,,,0894.01m2Organizational.7 - 01.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json -Network,Key Vault should use a virtual network service endpoint,,,,,,,0865.09m2Organizational.13 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json -Network,RDP access from the Internet should be blocked,NS-4,6.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json -Network,SQL Server should use a virtual network service endpoint,,,,,,,0862.09m2Organizational.8 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json -Network,SSH access from the Internet should be blocked,NS-4,6.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json -Network,Service Bus should use a virtual network service endpoint,,,,,,,0860.09m1Organizational.9 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json -Network,Storage Accounts should use a virtual network service endpoint,,,,,,,0867.09m3Organizational.17 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json -Network,Web Application Firewall (WAF) should be enabled for Application Gateway,NS-4,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json -Network,Web Application Firewall (WAF) should be enabled for Azure Front Door Service service,NS-4,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json -Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall,NS-5,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json -Network,[Preview]: Container Registry should use a virtual network service endpoint,,,,,,,0871.09m3Organizational.22 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json -SQL,Advanced data security should be enabled on SQL Managed Instance,IR-5,4.2.1,,,SI-4,3.14.6,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json -SQL,Advanced data security should be enabled on your SQL servers,,4.2.1,,,SI-4,3.14.6,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json -SQL,An Azure Active Directory administrator should be provisioned for SQL servers,IM-1,4.4,,A.9.2.3,AC-2 (7),,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json -SQL,Bring your own key data protection should be enabled for MySQL servers,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json -SQL,Bring your own key data protection should be enabled for PostgreSQL servers,DP-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json -SQL,Connection throttling should be enabled for PostgreSQL database servers,,4.3.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json -SQL,Disconnections should be logged for PostgreSQL database servers.,,4.3.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json -SQL,Enforce SSL connection should be enabled for MySQL database servers,DP-4,4.3.1,,,,,0948.09y2Organizational.3 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json -SQL,Enforce SSL connection should be enabled for PostgreSQL database servers,DP-4,4.3.2,,,,,0947.09y2Organizational.2 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for MariaDB,BR-2,,,,,,1627.09l3Organizational.6 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for MySQL,BR-2,,,,,,1622.09l2Organizational.23 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json -SQL,Geo-redundant backup should be enabled for Azure Database for PostgreSQL,BR-2,,,,,,1626.09l3Organizational.5 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json -SQL,Infrastructure encryption should be enabled for Azure Database for MySQL servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json -SQL,Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json -SQL,Log checkpoints should be enabled for PostgreSQL database servers,,4.3.3,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json -SQL,Log connections should be enabled for PostgreSQL database servers,,4.3.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json -SQL,Long-term geo-redundant backup should be enabled for Azure SQL Databases,BR-2,,,,,,1621.09l2Organizational.1 - 09.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json -SQL,Private endpoint connections on Azure SQL Database should be enabled,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json -SQL,Private endpoint should be enabled for MariaDB servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json -SQL,Private endpoint should be enabled for MySQL servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json -SQL,Private endpoint should be enabled for PostgreSQL servers,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json -SQL,Public network access on Azure SQL Database should be disabled,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MariaDB servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MySQL flexible servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for MySQL servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for PostgreSQL flexible servers,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json -SQL,Public network access should be disabled for PostgreSQL servers,NS-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json -SQL,SQL managed instances should use customer-managed keys to encrypt data at rest,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json -SQL,SQL servers should use customer-managed keys to encrypt data at rest,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json -SQL,Transparent Data Encryption on SQL databases should be enabled,DP-5,4.1.2,,A.10.1.1,SC-28 (1),3.13.16,0301.09o1Organizational.123 - 09.o,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json -SQL,Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,,4.2.4,,,,,,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json -SQL,Vulnerability assessment should be enabled on SQL Managed Instance,PV-6,4.2.2,,,,,0719.10m3Organizational.5 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json -SQL,Vulnerability assessment should be enabled on your SQL servers,PV-6,4.2.2,,,,,0709.10m1Organizational.1 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json -Security Center,A maximum of 3 owners should be designated for your subscription,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11112.01q2Organizational.67 - 01.q,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json -Security Center,A vulnerability assessment solution should be enabled on your virtual machines,PV-6,,,A.12.6.1,SI-2,3.14.1,0711.10m2Organizational.23 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json -Security Center,Adaptive application controls for defining safe applications should be enabled on your machines,AM-6,,,A.12.6.2,CM-11,3.4.9,0607.10h2System.23 - 10.h,SS-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json -Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines,NS-4,,,,SC-7,3.13.5,0859.09m1Organizational.78 - 09.m,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json -Security Center,All network ports should be restricted on network security groups associated to your virtual machine,,,,A.13.1.1,SC-7,3.13.5,0858.09m1Organizational.4 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json -Security Center,Allowlist rules in your adaptive application control policy should be updated,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json -Security Center,Authorized IP ranges should be defined on Kubernetes Services,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json -Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription,LT-5,2.11,,,,,1220.09ab3System.56 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json -Security Center,Azure DDoS Protection Standard should be enabled,NS-4,,,,SC-5,,,NS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json -Security Center,Azure Defender for App Service should be enabled,IR-5,2.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json -Security Center,Azure Defender for Azure SQL Database servers should be enabled,IR-5,2.3,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json -Security Center,Azure Defender for Key Vault should be enabled,IR-5,2.8,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json -Security Center,Azure Defender for Kubernetes should be enabled,IR-5,2.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json -Security Center,Azure Defender for SQL servers on machines should be enabled,IR-5,2.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json -Security Center,Azure Defender for Storage should be enabled,IR-5,2.5,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json -Security Center,Azure Defender for container registries should be enabled,IR-5,2.7,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json -Security Center,Azure Defender for servers should be enabled,ES-1,2.1,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json -Security Center,Deprecated accounts should be removed from your subscription,PA-3,,,A.9.2.6,AC-2,3.1.1,,AC-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json -Security Center,Deprecated accounts with owner permissions should be removed from your subscription,PA-3,,,A.9.2.6,AC-2,3.1.1,1147.01c2System.456 - 01.c,AC-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json -Security Center,Disk encryption should be applied on virtual machines,DP-5,7.2,,A.10.1.1,SC-28 (1),3.13.16,0302.09o2Organizational.1 - 09.o,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json -Security Center,Email notification for high severity alerts should be enabled,IR-2,2.14,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json -Security Center,Email notification to subscription owner for high severity alerts should be enabled,IR-2,,,,,3.14.6,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json -Security Center,Endpoint protection solution should be installed on virtual machine scale sets,ES-3,,,,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json -Security Center,External accounts with owner permissions should be removed from your subscription,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,1146.01c2System.23 - 01.c,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json -Security Center,External accounts with read permissions should be removed from your subscription,PA-3,1.3,,,AC-2,3.1.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json -Security Center,External accounts with write permissions should be removed from your subscription,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json -Security Center,Guest Configuration extension should be installed on your machines,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json -Security Center,IP Forwarding on your virtual machine should be disabled,NS-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json -Security Center,Internet-facing virtual machines should be protected with network security groups,NS-4,,,,,3.13.5,0814.01n1Organizational.12 - 01.n,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json -Security Center,Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version,PV-7,,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json -Security Center,Log Analytics agent health issues should be resolved on your machines,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json -Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json -Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring,LT-5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json -Security Center,MFA should be enabled accounts with write permissions on your subscription,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11110.01q1Organizational.6 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json -Security Center,MFA should be enabled on accounts with owner permissions on your subscription,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11109.01q1Organizational.57 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json -Security Center,MFA should be enabled on accounts with read permissions on your subscription,IM-4,1.2,,A.9.4.2,IA-2 (2),3.5.3,11111.01q2System.4 - 01.q,AC-17,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json -Security Center,Management ports of virtual machines should be protected with just-in-time network access control,NS-4,,,,SC-7 (4) Ownership : Microsoft,,0858.09m1Organizational.4 - 09.m,AC-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json -Security Center,Management ports should be closed on your virtual machines,NS-1,,,,,,1193.01l2Organizational.13 - 01.l,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json -Security Center,Monitor missing Endpoint Protection in Azure Security Center,ES-3,7.6,,A.12.6.1,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json -Security Center,Non-internet-facing virtual machines should be protected with network security groups,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json -Security Center,Role-Based Access Control (RBAC) should be used on Kubernetes Services,PA-7,8.5,,,,,1229.09c1Organizational.1 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json -Security Center,Security Center standard pricing tier should be selected,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json -Security Center,Service principals should be used to protect your subscriptions instead of management certificates,IM-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json -Security Center,Subnets should be associated with a Network Security Group,NS-4,,,,,,0814.01n1Organizational.12 - 01.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json -Security Center,Subscriptions should have a contact email address for security issues,IR-2,2.13,,,,3.14.6,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json -Security Center,System updates on virtual machine scale sets should be installed,PV-7,,,,SI-2,3.14.1,1202.09aa1System.1 - 09.aa,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json -Security Center,System updates should be installed on your machines,PV-7,7.5,,A.12.6.1,SI-2,3.14.1,0201.09j1Organizational.124 - 09.j,PRS-5,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json -Security Center,There should be more than one owner assigned to your subscription,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11208.01q1Organizational.8 - 01.q,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json -Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json -Security Center,Vulnerabilities in Azure Container Registry images should be remediated,PV-6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json -Security Center,Vulnerabilities in container security configurations should be remediated,PV-4,,,,,3.11.2,0715.10m2Organizational.8 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json -Security Center,Vulnerabilities in security configuration on your machines should be remediated,PV-4,,,A.12.6.1,SI-2,3.14.1,0718.10m3Organizational.34 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json -Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated,PV-4,,,,SI-2,3.14.1,0717.10m3Organizational.2 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json -Security Center,Vulnerabilities on your SQL databases should be remediated,PV-6,,,A.12.6.1,SI-2,3.14.1,0716.10m3Organizational.1 - 10.m,ISM-3,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json -Security Center,[Preview]: Sensitive data in your SQL databases should be classified,DP-1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json -Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,DP-5,,,A.10.1.1,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json -Service Fabric,Service Fabric clusters should only use Azure Active Directory for client authentication,IM-1,,,A.9.2.3,AC-2 (7),,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json -SignalR,Azure SignalR Service should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json -Storage,Secure transfer to storage accounts should be enabled,DP-4,3.1,,A.13.2.1,SC-8 (1),3.13.8,0943.09y1Organizational.1 - 09.y,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json -Storage,Storage accounts should allow access from trusted Microsoft services,,3.7,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json -Storage,Storage accounts should be migrated to new Azure Resource Manager resources,AM-3,,,A.9.1.2,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json -Storage,Storage accounts should have infrastructure encryption,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json -Storage,Storage accounts should restrict network access,NS-4,3.6,,A.13.1.1,SC-7,3.13.5,0866.09m3Organizational.1516 - 09.m,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json -Storage,Storage accounts should restrict network access using virtual network rules,NS-1,3.6,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json -Storage,Storage accounts should use customer-managed key for encryption,DP-5,3.9,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json -Storage,[Preview]: Storage account public access should be disallowed,DP-2,5.1.3,,,,,,NS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json -Stream Analytics,Azure Stream Analytics jobs should use customer-managed keys to encrypt data,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json -Synapse,Azure Synapse workspaces should use customer-managed keys to encrypt data at rest,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json -VM Image Builder,VM Image Builder templates should use private link,NS-3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json +Service,Policy Definition,Parameter Requirements,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Parameters,Link +API for FHIR,Azure API for FHIR should use a customer-managed key to encrypt data at rest,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json +API for FHIR,Azure API for FHIR should use private link,None,,,,,,,,,, +API for FHIR,CORS should not allow every domain to access your API for FHIR,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json +App Configuration,App Configuration should disable public network access,None,,,,,,,,,, +App Configuration,App Configuration should use a SKU that supports private link,None,,,,,,,,,, +App Configuration,App Configuration should use a customer-managed key,None,,,,,,,,,, +App Configuration,App Configuration should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json +App Configuration,Configure App Configuration to disable public network access,None,,,,,,,,,, +App Platform,Audit Azure Spring Cloud instances where distributed tracing is not enabled,None,,,,,,,,,, +App Service,API App should only be accessible over HTTPS,None,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json +App Service,API apps should use an Azure file share for its content directory,None,,,,,,,,,, +App Service,Authentication should be enabled on your API app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json +App Service,Authentication should be enabled on your Function app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json +App Service,Authentication should be enabled on your web app,None,,9.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json +App Service,CORS should not allow every resource to access your API App,None,PV-2,,,,,,0911.09s1Organizational.2 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json +App Service,CORS should not allow every resource to access your Function Apps,None,PV-2,,,,,,0960.09sCSPOrganizational.1 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json +App Service,CORS should not allow every resource to access your Web Applications,None,PV-2,,,,AC-4,3.1.3,0916.09s2Organizational.4 - 09.s,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json +App Service,Diagnostic logs in App Services should be enabled,None,LT-4,5.3,,,,,1209.09aa3System.2 - 09.aa,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json +App Service,Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On',None,PV-2,9.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json +App Service,Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On',None,PV-2,9.4,,,,,0915.09s2Organizational.2 - 09.s,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the API app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Function app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json +App Service,"Ensure that 'HTTP Version' is the latest, if used to run the Web app",None,,9.9,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json +App Service,FTPS only should be required in your API App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json +App Service,FTPS only should be required in your Function App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json +App Service,FTPS should be required in your Web App,None,DP-4,9.10,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json +App Service,Function App should only be accessible over HTTPS,None,DP-4,,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json +App Service,Function apps should have 'Client Certificates (Incoming client certificates)' enabled,None,PV-2,9.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json +App Service,Function apps should use an Azure file share for its content directory,None,,,,,,,,,, +App Service,Latest TLS version should be used in your API App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json +App Service,Latest TLS version should be used in your Function App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json +App Service,Latest TLS version should be used in your Web App,None,DP-4,9.3,,,,3.14.1,0949.09y2Organizational.5 - 09.y,CR-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json +App Service,Managed identity should be used in your API App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json +App Service,Managed identity should be used in your Function App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json +App Service,Managed identity should be used in your Web App,None,IM-2,9.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json +App Service,Remote debugging should be turned off for API Apps,None,PV-2,,,,AC-17 (1),3.1.12,0914.09s1Organizational.6 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json +App Service,Remote debugging should be turned off for Function Apps,None,PV-2,,,,AC-17 (1),3.1.12,1325.09s1Organizational.3 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json +App Service,Remote debugging should be turned off for Web Applications,None,PV-2,,,,AC-17 (1),3.1.12,0912.09s1Organizational.4 - 09.s,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json +App Service,Web Application should only be accessible over HTTPS,None,DP-4,9.2,,A.10.1.1,SC-8 (1),3.13.8,0949.09y2Organizational.5 - 09.y,SS-8,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json +App Service,Web apps should use an Azure file share for its content directory,None,,,,,,,,,, +Attestation,Azure Attestation providers should use private endpoints,None,,,,,,,,,, +Automation,Automation account variables should be encrypted,None,DP-5,,,A.10.1.1,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json +Automation,Automation accounts should disable public network access,None,,,,,,,,,, +Automation,Azure Automation accounts should use customer-managed keys to encrypt data at rest,None,,,,,,,,,, +Automation,Configure Azure Automation accounts to disable public network access,None,,,,,,,,,, +Automation,Private endpoint connections on Automation Accounts should be enabled,None,,,,,,,,,, +Azure Data Explorer,Azure Data Explorer encryption at rest should use a customer-managed key,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json +Azure Data Explorer,Disk encryption should be enabled on Azure Data Explorer,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json +Azure Data Explorer,Double encryption should be enabled on Azure Data Explorer,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json +Azure Data Explorer,Virtual network injection should be enabled for Azure Data Explorer,None,,,,,,,,,, +Azure Stack Edge,Azure Stack Edge devices should use double-encryption,None,,,,,,,,,, +Backup,Azure Backup should be enabled for Virtual Machines,None,BR-2,,,,,,1699.09l1Organizational.10 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json +Backup,Azure Recovery Services vaults should use private link,None,,,,,,,,,, +Batch,Azure Batch account should use customer-managed keys to encrypt data,None,,,,,,,,,, +Batch,Private endpoint connections on Batch accounts should be enabled,None,,,,,,,,,, +Batch,Public network access should be disabled for Batch accounts,None,,,,,,,,,, +Bot Service,Bot Service endpoint should be a valid HTTPS URI,None,,,,,,,,,, +Bot Service,Bot Service should be encrypted with a customer-managed key,None,,,,,,,,,, +Cache,Azure Cache for Redis should disable public network access,None,,,,,,,,,, +Cache,Azure Cache for Redis should reside within a virtual network,None,NS-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json +Cache,Azure Cache for Redis should use private link,None,,,,,,,,,, +Cache,Configure Azure Cache for Redis to disable public network access,None,,,,,,,,,, +Cache,Only secure connections to your Azure Cache for Redis should be enabled,None,DP-4,,,A.13.2.1,SC-8 (1),3.13.8,0946.09y2Organizational.14 - 09.y,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json +Cognitive Services,Cognitive Services accounts should disable public network access,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should enable data encryption,None,DP-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json +Cognitive Services,Cognitive Services accounts should enable data encryption with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json +Cognitive Services,Cognitive Services accounts should restrict network access,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json +Cognitive Services,Cognitive Services accounts should use a managed identity,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should use customer owned storage,None,,,,,,,,,, +Cognitive Services,Cognitive Services accounts should use customer owned storage or enable data encryption.,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json +Cognitive Services,Configure Cognitive Services accounts to disable public network access,None,,,,,,,,,, +Compute,Audit VMs that do not use managed disks,None,,7.1,,A.9.1.2,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json +Compute,Audit virtual machines without disaster recovery configured,None,,,,,CP-7,,1638.12b2Organizational.345 - 12.b,ESS-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json +Compute,Managed disks should be double encrypted with both platform-managed and customer-managed keys,None,,,,,,,,,, +Compute,Microsoft Antimalware for Azure should be configured to automatically update protection signatures,None,,,,,,,0201.09j1Organizational.124 - 09.j,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json +Compute,Microsoft IaaSAntimalware extension should be deployed on Windows servers,None,,,,,,3.14.2,,SS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json +Compute,OS and data disks should be encrypted with a customer-managed key,None,,,,,,,,,, +Compute,Require automatic OS image patching on Virtual Machine Scale Sets,None,,,,,,,,,, +Compute,Unattached disks should be encrypted,None,,7.3,,,,,0303.09o2Organizational.2 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json +Compute,Virtual machines and virtual machine scale sets should have encryption at host enabled,None,,,,,,,,,, +Compute,Virtual machines should be migrated to new Azure Resource Manager resources,None,AM-3,,,A.9.1.2,,,0835.09n1Organizational.1 - 09.n,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json +Container Instance,Azure Container Instance container group should deploy into a virtual network,None,,,,,,,,,, +Container Instance,Azure Container Instance container group should use customer-managed key for encryption,None,,,,,,,,,, +Container Registry,Container registries should be encrypted with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json +Container Registry,Container registries should not allow unrestricted network access,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json +Container Registry,Container registries should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json +Cosmos DB,Azure Cosmos DB accounts should have firewall rules,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json +Cosmos DB,Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json +Cosmos DB,Azure Cosmos DB key based metadata write access should be disabled,None,,,,,,,,,, +Cosmos DB,Azure Cosmos DB should disable public network access,None,,,,,,,,,, +Cosmos DB,Configure CosmosDB accounts to disable public network access ,None,,,,,,,,,, +Cosmos DB,CosmosDB accounts should use private link,None,,,,,,,,,, +Data Factory,Azure Data Factory linked services should use Key Vault for storing secrets,None,,,,,,,,,, +Data Factory,Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported,None,,,,,,,,,, +Data Factory,Azure Data Factory should use a Git repository for source control,None,,,,,,,,,, +Data Factory,Azure data factories should be encrypted with a customer-managed key,None,,,,,,,,,, +Data Factory,Public network access on Azure Data Factory should be disabled,None,,,,,,,,,, +Data Factory,SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network,None,,,,,,,,,, +Data Lake,Require encryption on Data Lake Store accounts,None,,,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json +Event Grid,Azure Event Grid domains should disable public network access,None,,,,,,,,,, +Event Grid,Azure Event Grid domains should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json +Event Grid,Azure Event Grid topics should disable public network access,None,,,,,,,,,, +Event Grid,Azure Event Grid topics should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json +Event Grid,Modify - Configure Azure Event Grid domains to disable public network access,None,,,,,,,,,, +Event Grid,Modify - Configure Azure Event Grid topics to disable public network access,None,,,,,,,,,, +Event Hub,All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace,None,,,,,,,,,, +Event Hub,Authorization rules on the Event Hub instance should be defined,None,,,,,,,,,, +Event Hub,Event Hub namespaces should use a customer-managed key for encryption,None,,,,,,,,,, +Event Hub,Event Hub namespaces should use private link,None,,,,,,,,,, +General,Audit resource location matches resource group location,None,,,,,,,,,, +General,Audit usage of custom RBAC rules,None,PA-7,,,A.9.2.3,AC-2 (7),,1230.09c2Organizational.1 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json +General,Custom subscription owner roles should not exist,None,PA-7,1.21,,,,,1278.09c2Organizational.56 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json +Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,None,,,,A.10.1.1,IA-5 (1),3.5.10,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json +Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,None,,,,A.10.1.1,IA-5 (1),3.5.10,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json +HDInsight,Azure HDInsight clusters should be injected into a virtual network,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use customer-managed keys to encrypt data at rest,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use encryption at host to encrypt data at rest,None,,,,,,,,,, +HDInsight,Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes,None,,,,,,,,,, +Internet of Things,Azure IoT Hub should use customer-managed key to encrypt data at rest,None,,,,,,,,,, +Internet of Things,Configure IoT Hub device provisioning service instances to disable public network access,None,,,,,,,,,, +Internet of Things,IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK),None,,,,,,,,,, +Internet of Things,IoT Hub device provisioning service instances should disable public network access,None,,,,,,,,,, +Internet of Things,IoT Hub device provisioning service instances should use private link,None,,,,,,,,,, +Internet of Things,Modify - Configure Azure IoT Hubs to disable public network access,None,,,,,,,,,, +Internet of Things,Private endpoint should be enabled for IoT Hub,None,,,,,,,,,, +Internet of Things,Public network access on Azure IoT Hub should be disabled,None,,,,,,,,,, +Key Vault,Azure Key Vault Managed HSM should have purge protection enabled,None,,,,,,,1635.12b1Organizational.2 - 12.b,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json +Key Vault,Firewall should be enabled on Key Vault,None,,,,,,,,,, +Key Vault,Key Vault keys should have an expiration date,None,,,,,,,,,, +Key Vault,Key Vault secrets should have an expiration date,None,,,,,,,,,, +Key Vault,Key vaults should have purge protection enabled,None,BR-4,8.4,,,,,1635.12b1Organizational.2 - 12.b,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json +Key Vault,Key vaults should have soft delete enabled,None,BR-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json +Key Vault,Keys should be backed by a hardware security module (HSM),None,,,,,,,,,, +Key Vault,Private endpoint should be configured for Key Vault,None,,,,,,,,,, +Key Vault,Secrets should have content type set,None,,,,,,,,,, +Kubernetes,Azure Kubernetes Service Private Clusters should be enabled,None,,,,,,,,,, +Kubernetes,Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters,None,PV-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json +Kubernetes,Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json +Kubernetes,Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host,None,,,,,,,,,, +Lighthouse,Audit delegation of scopes to a managing tenant,None,,,,,,,,,, +Machine Learning,Azure Machine Learning workspaces should be encrypted with a customer-managed key,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json +Machine Learning,Azure Machine Learning workspaces should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json +Machine Learning,Azure Machine Learning workspaces should use user-assigned managed identity,None,,,,,,,,,, +Managed Application,Application definition for Managed Application should use customer provided storage account,None,,,,,,,,,, +Monitoring,Activity log should be retained for at least one year,None,,,,,,,,AC-15,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json +Monitoring,Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption),None,,,,,,,,,, +Monitoring,Azure Monitor Logs clusters should be encrypted with customer-managed key,None,,,,,,,,,, +Monitoring,Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace,None,,,,,,,,,, +Monitoring,"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'",None,,,,,,,1219.09ab3System.10 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json +Monitoring,Azure Monitor should collect activity logs from all regions,None,,,,,,,1214.09ab2System.3456 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json +Monitoring,Azure Monitor solution 'Security and Audit' must be deployed,None,,,,,,,,,, +Monitoring,Azure subscriptions should have a log profile for Activity Log,None,,,,,,,,AC-13,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json +Monitoring,Deploy - Configure Linux Azure Monitor agent to enable Azure Monitor assignments on Linux virtual machines,None,,,,,,,,,, +Monitoring,Deploy - Configure Windows Azure Monitor agent to enable Azure Monitor assignments on Windows virtual machines,None,,,,,,,,,, +Monitoring,Deploy Dependency agent to Windows Azure Arc machines,None,,,,,,,,,, +Monitoring,Deploy Dependency agent to hybrid Linux Azure Arc machines,None,,,,,,,,,, +Monitoring,Log Analytics agent should be installed on your Linux Azure Arc machines,None,,,,,,,,,, +Monitoring,Log Analytics agent should be installed on your Windows Azure Arc machines,None,,,,,,,,,, +Monitoring,Network traffic data collection agent should be installed on Linux virtual machines,None,,,,,,,,,, +Monitoring,Network traffic data collection agent should be installed on Windows virtual machines,None,,,,,,,,,, +Monitoring,Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption,None,,,,,,,,,, +Monitoring,Storage account containing the container with activity logs must be encrypted with BYOK,None,,5.1.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json +Monitoring,The Log Analytics agent should be installed on Virtual Machine Scale Sets,None,,,,,,3.3.2,1216.09ab3System.12 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json +Monitoring,The Log Analytics agent should be installed on virtual machines,None,,,,,,3.3.2,1215.09ab2System.7 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json +Monitoring,Workbooks should be saved to storage accounts that you control,None,,,,,,,,,, +Monitoring,[ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs,None,,,,,,,,,, +Network,All Internet traffic should be routed via your deployed Azure Firewall,None,,,,,,,,,, +Network,App Service should use a virtual network service endpoint,None,,,,,,,0861.09m2Organizational.67 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json +Network,Azure VPN gateways should not use 'basic' SKU,None,,,,,,,,,, +Network,Container Registry should use a virtual network service endpoint,None,,,,,,,,,, +Network,Cosmos DB should use a virtual network service endpoint,None,,,,,,,0864.09m2Organizational.12 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json +Network,Event Hub should use a virtual network service endpoint,None,,,,,,,0863.09m2Organizational.910 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json +Network,Flow logs should be configured for every network security group,None,,,,,,,,,, +Network,Flow logs should be enabled for every network security group,None,,,,,,,,,, +Network,Gateway subnets should not be configured with a network security group,None,,,,,,,0894.01m2Organizational.7 - 01.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json +Network,Key Vault should use a virtual network service endpoint,None,,,,,,,0865.09m2Organizational.13 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json +Network,Network interfaces should disable IP forwarding,None,,,,,,,,,, +Network,Network interfaces should not have public IPs,None,,,,,,,,,, +Network,RDP access from the Internet should be blocked,None,NS-4,6.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json +Network,SQL Server should use a virtual network service endpoint,None,,,,,,,0862.09m2Organizational.8 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json +Network,SSH access from the Internet should be blocked,None,NS-4,6.2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json +Network,Service Bus should use a virtual network service endpoint,None,,,,,,,0860.09m1Organizational.9 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json +Network,Storage Accounts should use a virtual network service endpoint,None,,,,,,,0867.09m3Organizational.17 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json +Network,Web Application Firewall (WAF) should be enabled for Application Gateway,None,NS-4,,,,,,,NS-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json +Network,Web Application Firewall (WAF) should be enabled for Azure Front Door Service service,None,NS-4,,,,,,,NS-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json +Portal,Shared dashboards should not have markdown tiles with inline content,None,,,,,,,,,, +SQL,Advanced data security should be enabled on SQL Managed Instance,None,IR-5,4.2.1,,,SI-4,3.14.6,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json +SQL,Advanced data security should be enabled on your SQL servers,None,,4.2.1,,,SI-4,3.14.6,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json +SQL,An Azure Active Directory administrator should be provisioned for SQL servers,None,IM-1,4.4,,A.9.2.3,AC-2 (7),,,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json +SQL,Azure SQL Database should have the minimal TLS version of 1.2,None,,,,,,,,,, +SQL,Bring your own key data protection should be enabled for MySQL servers,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json +SQL,Bring your own key data protection should be enabled for PostgreSQL servers,None,DP-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json +SQL,Configure Azure SQL Server to disable public network access,None,,,,,,,,,, +SQL,Connection throttling should be enabled for PostgreSQL database servers,None,,4.3.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json +SQL,Disconnections should be logged for PostgreSQL database servers.,None,,4.3.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json +SQL,Enforce SSL connection should be enabled for MySQL database servers,None,DP-4,4.3.1,,,,,0948.09y2Organizational.3 - 09.y,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json +SQL,Enforce SSL connection should be enabled for PostgreSQL database servers,None,DP-4,4.3.2,,,,,0947.09y2Organizational.2 - 09.y,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for MariaDB,None,BR-2,,,,,,1627.09l3Organizational.6 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for MySQL,None,BR-2,,,,,,1622.09l2Organizational.23 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json +SQL,Geo-redundant backup should be enabled for Azure Database for PostgreSQL,None,BR-2,,,,,,1626.09l3Organizational.5 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json +SQL,Infrastructure encryption should be enabled for Azure Database for MySQL servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json +SQL,Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json +SQL,Log checkpoints should be enabled for PostgreSQL database servers,None,,4.3.3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json +SQL,Log connections should be enabled for PostgreSQL database servers,None,,4.3.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json +SQL,Log duration should be enabled for PostgreSQL database servers,None,,,,,,,,,, +SQL,Long-term geo-redundant backup should be enabled for Azure SQL Databases,None,BR-2,,,,,,1621.09l2Organizational.1 - 09.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json +SQL,MariaDB server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,MySQL server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,PostgreSQL server should use a virtual network service endpoint,None,,,,,,,,,, +SQL,Private endpoint connections on Azure SQL Database should be enabled,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json +SQL,Private endpoint should be enabled for MariaDB servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json +SQL,Private endpoint should be enabled for MySQL servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json +SQL,Private endpoint should be enabled for PostgreSQL servers,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json +SQL,Public network access on Azure SQL Database should be disabled,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MariaDB servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MySQL flexible servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for MySQL servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for PostgreSQL flexible servers,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json +SQL,Public network access should be disabled for PostgreSQL servers,None,NS-1,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json +SQL,SQL Auditing settings should have Action-Groups configured to capture critical activities,None,,,,,,,,,, +SQL,SQL Database should avoid using GRS backup redundancy,None,,,,,,,,,, +SQL,SQL Managed Instance should have the minimal TLS version of 1.2,None,,,,,,,,,, +SQL,SQL Managed Instances should avoid using GRS backup redundancy,None,,,,,,,,,, +SQL,SQL managed instances should use customer-managed keys to encrypt data at rest,None,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json +SQL,SQL servers should retain audit data for at least 90 days,None,,,,,,,,,, +SQL,SQL servers should use customer-managed keys to encrypt data at rest,None,DP-5,4.5,,,,,0304.09o3Organizational.1 - 09.o,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json +SQL,Transparent Data Encryption on SQL databases should be enabled,None,DP-5,4.1.2,,A.10.1.1,SC-28 (1),3.13.16,0301.09o1Organizational.123 - 09.o,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json +SQL,Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports,None,,4.2.4,,,,,,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json +SQL,Vulnerability assessment should be enabled on SQL Managed Instance,None,PV-6,4.2.2,,,,,0719.10m3Organizational.5 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json +SQL,Vulnerability assessment should be enabled on your SQL servers,None,PV-6,4.2.2,,,,,0709.10m1Organizational.1 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json +Search,Azure Cognitive Search service should use a SKU that supports private link,None,,,,,,,,,, +Search,Azure Cognitive Search services should disable public network access,None,,,,,,,,,, +Search,Configure Azure Cognitive Search services to disable public network access,None,,,,,,,,,, +Security Center,A maximum of 3 owners should be designated for your subscription,None,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11112.01q2Organizational.67 - 01.q,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json +Security Center,A vulnerability assessment solution should be enabled on your virtual machines,None,PV-6,,,A.12.6.1,SI-2,3.14.1,0711.10m2Organizational.23 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json +Security Center,Adaptive application controls for defining safe applications should be enabled on your machines,None,AM-6,,,A.12.6.2,CM-11,3.4.9,0607.10h2System.23 - 10.h,SS-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json +Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines,None,NS-4,,,,SC-7,3.13.5,0859.09m1Organizational.78 - 09.m,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json +Security Center,All network ports should be restricted on network security groups associated to your virtual machine,None,,,,A.13.1.1,SC-7,3.13.5,0858.09m1Organizational.4 - 09.m,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json +Security Center,Allowlist rules in your adaptive application control policy should be updated,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json +Security Center,Authorized IP ranges should be defined on Kubernetes Services,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json +Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription,None,LT-5,2.11,,,,,1220.09ab3System.56 - 09.ab,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json +Security Center,Azure DDoS Protection Standard should be enabled,None,NS-4,,,,SC-5,,,NS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json +Security Center,Azure Defender for App Service should be enabled,None,IR-5,2.2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json +Security Center,Azure Defender for Azure SQL Database servers should be enabled,None,IR-5,2.3,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json +Security Center,Azure Defender for DNS should be enabled,None,,,,,,,,,, +Security Center,Azure Defender for Key Vault should be enabled,None,IR-5,2.8,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json +Security Center,Azure Defender for Kubernetes should be enabled,None,IR-5,2.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json +Security Center,Azure Defender for Resource Manager should be enabled,None,,,,,,,,,, +Security Center,Azure Defender for SQL servers on machines should be enabled,None,IR-5,2.4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json +Security Center,Azure Defender for Storage should be enabled,None,IR-5,2.5,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json +Security Center,Azure Defender for container registries should be enabled,None,IR-5,2.7,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json +Security Center,Azure Defender for servers should be enabled,None,ES-1,2.1,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json +Security Center,Configure machines to receive the Qualys vulnerability assessment agent,None,,,,,,,,,, +Security Center,Deploy - Configure Linux machines to automatically install the Azure Security agent,None,,,,,,,,,, +Security Center,Deploy - Configure Windows machines to automatically install the Azure Security agent,None,,,,,,,,,, +Security Center,Deprecated accounts should be removed from your subscription,None,PA-3,,,A.9.2.6,AC-2,3.1.1,,AC-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json +Security Center,Deprecated accounts with owner permissions should be removed from your subscription,None,PA-3,,,A.9.2.6,AC-2,3.1.1,1147.01c2System.456 - 01.c,AC-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json +Security Center,Disk encryption should be applied on virtual machines,None,DP-5,7.2,,A.10.1.1,SC-28 (1),3.13.16,0302.09o2Organizational.1 - 09.o,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json +Security Center,Email notification for high severity alerts should be enabled,None,IR-2,2.14,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json +Security Center,Email notification to subscription owner for high severity alerts should be enabled,None,IR-2,,,,,3.14.6,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json +Security Center,Enable Azure Security Center on your subscription,None,,,,,,,,,, +Security Center,Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.,None,,,,,,,,,, +Security Center,Endpoint protection solution should be installed on virtual machine scale sets,None,ES-3,,,,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json +Security Center,External accounts with owner permissions should be removed from your subscription,None,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,1146.01c2System.23 - 01.c,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json +Security Center,External accounts with read permissions should be removed from your subscription,None,PA-3,1.3,,,AC-2,3.1.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json +Security Center,External accounts with write permissions should be removed from your subscription,None,PA-3,1.3,,A.9.2.5,AC-2,3.1.1,,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json +Security Center,Guest Configuration extension should be installed on your machines,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json +Security Center,IP Forwarding on your virtual machine should be disabled,None,NS-4,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json +Security Center,Internet-facing virtual machines should be protected with network security groups,None,NS-4,,,,,3.13.5,0814.01n1Organizational.12 - 01.n,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json +Security Center,Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version,None,PV-7,,,,,3.14.1,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json +Security Center,Log Analytics agent health issues should be resolved on your machines,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json +Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json +Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring,None,LT-5,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json +Security Center,MFA should be enabled accounts with write permissions on your subscription,None,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11110.01q1Organizational.6 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json +Security Center,MFA should be enabled on accounts with owner permissions on your subscription,None,IM-4,1.1,,A.9.4.2,IA-2 (1),3.5.3,11109.01q1Organizational.57 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json +Security Center,MFA should be enabled on accounts with read permissions on your subscription,None,IM-4,1.2,,A.9.4.2,IA-2 (2),3.5.3,11111.01q2System.4 - 01.q,AC-17,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json +Security Center,Management ports of virtual machines should be protected with just-in-time network access control,None,NS-4,,,,SC-7 (4) Ownership : Microsoft,,0858.09m1Organizational.4 - 09.m,AC-7,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json +Security Center,Management ports should be closed on your virtual machines,None,NS-1,,,,,,1193.01l2Organizational.13 - 01.l,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json +Security Center,Monitor missing Endpoint Protection in Azure Security Center,None,ES-3,7.6,,A.12.6.1,SI-3 (1),3.14.2,0201.09j1Organizational.124 - 09.j,DM-4,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json +Security Center,Non-internet-facing virtual machines should be protected with network security groups,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json +Security Center,Operating system version should be the most current version for your cloud service roles,None,,,,,,,,,, +Security Center,Role-Based Access Control (RBAC) should be used on Kubernetes Services,None,PA-7,8.5,,,,,1229.09c1Organizational.1 - 09.c,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json +Security Center,Security Center standard pricing tier should be selected,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json +Security Center,Sensitive data in your SQL databases should be classified,None,,,,,,,,,, +Security Center,Service principals should be used to protect your subscriptions instead of management certificates,None,IM-2,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json +Security Center,Subnets should be associated with a Network Security Group,None,NS-4,,,,,,0814.01n1Organizational.12 - 01.n,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json +Security Center,Subscriptions should have a contact email address for security issues,None,IR-2,2.13,,,,3.14.6,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json +Security Center,System updates on virtual machine scale sets should be installed,None,PV-7,,,,SI-2,3.14.1,1202.09aa1System.1 - 09.aa,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json +Security Center,System updates should be installed on your machines,None,PV-7,7.5,,A.12.6.1,SI-2,3.14.1,0201.09j1Organizational.124 - 09.j,PRS-5,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json +Security Center,There should be more than one owner assigned to your subscription,None,PA-1,,,A.6.1.2,AC-6 (7),3.1.4,11208.01q1Organizational.8 - 01.q,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json +Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json +Security Center,Vulnerabilities in Azure Container Registry images should be remediated,None,PV-6,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json +Security Center,Vulnerabilities in container security configurations should be remediated,None,PV-4,,,,,3.11.2,0715.10m2Organizational.8 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json +Security Center,Vulnerabilities in security configuration on your machines should be remediated,None,PV-4,,,A.12.6.1,SI-2,3.14.1,0718.10m3Organizational.34 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json +Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated,None,PV-4,,,,SI-2,3.14.1,0717.10m3Organizational.2 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json +Security Center,Vulnerabilities on your SQL databases should be remediated,None,PV-6,,,A.12.6.1,SI-2,3.14.1,0716.10m3Organizational.1 - 10.m,ISM-3,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json +Security Center,Vulnerabilities on your SQL servers on machine should be remediated,None,,,,,,,,,, +Service Bus,All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace,None,,,,,,,,,, +Service Bus,Azure Service Bus namespaces should use private link,None,,,,,,,,,, +Service Bus,Service Bus Premium namespaces should use a customer-managed key for encryption,None,,,,,,,,,, +Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,None,DP-5,,,A.10.1.1,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json +Service Fabric,Service Fabric clusters should only use Azure Active Directory for client authentication,None,IM-1,,,A.9.2.3,AC-2 (7),,,AC-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json +SignalR,Azure SignalR Service should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json +Storage,Azure File Sync should use private link,None,,,,,,,,,, +Storage,Geo-redundant storage should be enabled for Storage Accounts,None,,,,,,,,,, +Storage,HPC Cache accounts should use customer-managed key for encryption,None,,,,,,,,,, +Storage,Modify - Configure Azure File Sync to disable public network access,None,,,,,,,,,, +Storage,Public network access should be disabled for Azure File Sync,None,,,,,,,,,, +Storage,Secure transfer to storage accounts should be enabled,None,DP-4,3.1,,A.13.2.1,SC-8 (1),3.13.8,0943.09y1Organizational.1 - 09.y,DM-6,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json +Storage,Storage account public access should be disallowed,None,,,,,,,,,, +Storage,Storage accounts should allow access from trusted Microsoft services,None,,3.7,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json +Storage,Storage accounts should be migrated to new Azure Resource Manager resources,None,AM-3,,,A.9.1.2,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json +Storage,Storage accounts should have infrastructure encryption,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json +Storage,Storage accounts should restrict network access,None,NS-4,3.6,,A.13.1.1,SC-7,3.13.5,0866.09m3Organizational.1516 - 09.m,NS-2,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json +Storage,Storage accounts should restrict network access using virtual network rules,None,NS-1,3.6,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json +Storage,Storage accounts should use customer-managed key for encryption,None,DP-5,3.9,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json +Storage,Storage accounts should use private link,None,,,,,,,,,, +Stream Analytics,Azure Stream Analytics jobs should use customer-managed keys to encrypt data,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json +Synapse,Azure Synapse workspaces should allow outbound data traffic only to approved targets,None,,,,,,,,,, +Synapse,Azure Synapse workspaces should use customer-managed keys to encrypt data at rest,None,,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json +Synapse,Azure Synapse workspaces should use private link,None,,,,,,,,,, +Synapse,IP firewall rules on Azure Synapse workspaces should be removed,None,,,,,,,,,, +Synapse,Managed workspace virtual network on Azure Synapse workspaces should be enabled,None,,,,,,,,,, +Synapse,Synapse workspace auditing settings should have action groups configured to capture critical activities,None,,,,,,,,,, +Synapse,Synapse workspaces should be configured with 90 days auditing retention or higher.,None,,,,,,,,,, +Synapse,Vulnerability assessment should be enabled on your Synapse workspaces,None,,,,,,,,,, +VM Image Builder,VM Image Builder templates should use private link,None,NS-3,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json diff --git a/docs/no-params.md b/docs/no-params.md index 6a285d8..b161e24 100644 --- a/docs/no-params.md +++ b/docs/no-params.md @@ -1,200 +1,329 @@ -| Service | Policy Definition | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Link | -|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|-------|-----------|-------------|----------------------|--------------------------------|-------------------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| API for FHIR | [Azure API for FHIR should use a customer-managed key to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json | -| API for FHIR | [CORS should not allow every domain to access your API for FHIR](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json | -| App Configuration | [App Configuration should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json | -| App Service | [API App should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) | DP-4 | | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json | -| App Service | [Authentication should be enabled on your API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json) | | 9.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json | -| App Service | [Authentication should be enabled on your Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json) | | 9.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json | -| App Service | [Authentication should be enabled on your web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json) | | 9.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json | -| App Service | [CORS should not allow every resource to access your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) | PV-2 | | | | | | 0911.09s1Organizational.2 - 09.s | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json | -| App Service | [CORS should not allow every resource to access your Function Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | PV-2 | | | | | | 0960.09sCSPOrganizational.1 - 09.s | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json | -| App Service | [CORS should not allow every resource to access your Web Applications](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | PV-2 | | | | 3.1.3 | AC-4 | 0916.09s2Organizational.4 - 09.s | SS-8 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json | -| App Service | [Diagnostic logs in App Services should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) | LT-4 | 5.3 | | | | | 1209.09aa3System.2 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json | -| App Service | [Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json) | PV-2 | 9.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json | -| App Service | [Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) | PV-2 | 9.4 | | | | | 0915.09s2Organizational.2 - 09.s | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json | -| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json) | | 9.9 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json | -| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) | | 9.9 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json | -| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) | | 9.9 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json | -| App Service | [FTPS only should be required in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json) | DP-4 | 9.10 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json | -| App Service | [FTPS only should be required in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) | DP-4 | 9.10 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json | -| App Service | [FTPS should be required in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) | DP-4 | 9.10 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json | -| App Service | [Function App should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | DP-4 | | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json | -| App Service | [Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) | PV-2 | 9.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json | -| App Service | [Latest TLS version should be used in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json | -| App Service | [Latest TLS version should be used in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json | -| App Service | [Latest TLS version should be used in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json | -| App Service | [Managed identity should be used in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json) | IM-2 | 9.5 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json | -| App Service | [Managed identity should be used in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | IM-2 | 9.5 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json | -| App Service | [Managed identity should be used in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | IM-2 | 9.5 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json | -| App Service | [Remote debugging should be turned off for API Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) | PV-2 | | | | 3.1.12 | AC-17 (1) | 0914.09s1Organizational.6 - 09.s | AC-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json | -| App Service | [Remote debugging should be turned off for Function Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | PV-2 | | | | 3.1.12 | AC-17 (1) | 1325.09s1Organizational.3 - 09.s | AC-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json | -| App Service | [Remote debugging should be turned off for Web Applications](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | PV-2 | | | | 3.1.12 | AC-17 (1) | 0912.09s1Organizational.4 - 09.s | AC-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json | -| App Service | [Web Application should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | DP-4 | 9.2 | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json | -| Automation | [Automation account variables should be encrypted](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) | DP-5 | | | A.10.1.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json | -| Azure Data Explorer | [Azure Data Explorer encryption at rest should use a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json | -| Azure Data Explorer | [Disk encryption should be enabled on Azure Data Explorer](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json | -| Azure Data Explorer | [Double encryption should be enabled on Azure Data Explorer](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json | -| Backup | [Azure Backup should be enabled for Virtual Machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json) | BR-2 | | | | | | 1699.09l1Organizational.10 - 09.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json | -| Cache | [Azure Cache for Redis should reside within a virtual network](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json) | NS-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json | -| Cache | [Only secure connections to your Azure Cache for Redis should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | DP-4 | | | A.13.2.1 | 3.13.8 | SC-8 (1) | 0946.09y2Organizational.14 - 09.y | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json | -| Cognitive Services | [Cognitive Services accounts should enable data encryption with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json | -| Cognitive Services | [Cognitive Services accounts should enable data encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json) | DP-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json | -| Cognitive Services | [Cognitive Services accounts should restrict network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json | -| Cognitive Services | [Cognitive Services accounts should use customer owned storage or enable data encryption.](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json | -| Compute | [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | | 7.1 | | A.9.1.2 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json | -| Compute | [Audit virtual machines without disaster recovery configured](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) | | | | | | CP-7 | 1638.12b2Organizational.345 - 12.b | ESS-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json | -| Compute | [Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json) | | | | | | | 0201.09j1Organizational.124 - 09.j | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json | -| Compute | [Microsoft IaaSAntimalware extension should be deployed on Windows servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json) | | | | | 3.14.2 | | | SS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json | -| Compute | [Unattached disks should be encrypted](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json) | | 7.3 | | | | | 0303.09o2Organizational.2 - 09.o | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json | -| Compute | [Virtual machines should be migrated to new Azure Resource Manager resources](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) | AM-3 | | | A.9.1.2 | | | 0835.09n1Organizational.1 - 09.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json | -| Container Registry | [Container registries should be encrypted with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json | -| Container Registry | [Container registries should not allow unrestricted network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json | -| Container Registry | [Container registries should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json | -| Cosmos DB | [Azure Cosmos DB accounts should have firewall rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | NS-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json | -| Cosmos DB | [Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json | -| Data Lake | [Require encryption on Data Lake Store accounts](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json) | | | | | | | 0304.09o3Organizational.1 - 09.o | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json | -| Event Grid | [Azure Event Grid domains should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json | -| Event Grid | [Azure Event Grid topics should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json | -| General | [Audit usage of custom RBAC rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | PA-7 | | | A.9.2.3 | | AC-2 (7) | 1230.09c2Organizational.1 - 09.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json | -| General | [Custom subscription owner roles should not exist](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json) | PA-7 | 1.21 | | | | | 1278.09c2Organizational.56 - 09.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json | -| Guest Configuration | [Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) | | | | A.10.1.1 | 3.5.10 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json | -| Guest Configuration | [Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | | | | A.10.1.1 | 3.5.10 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json | -| Key Vault | [Azure Key Vault Managed HSM should have purge protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) | | | | | | | 1635.12b1Organizational.2 - 12.b | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json | -| Key Vault | [Key vaults should have purge protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) | BR-4 | 8.4 | | | | | 1635.12b1Organizational.2 - 12.b | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json | -| Key Vault | [Key vaults should have soft delete enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) | BR-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json | -| Key Vault | [[Preview]: Firewall should be enabled on Key Vault](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | NS-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json | -| Key Vault | [[Preview]: Key Vault keys should have an expiration date](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json) | | 8.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json | -| Key Vault | [[Preview]: Key Vault secrets should have an expiration date](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json) | | 8.2 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json | -| Key Vault | [[Preview]: Private endpoint should be configured for Key Vault](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json | -| Kubernetes | [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json | -| Kubernetes | [Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json | -| Machine Learning | [Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json | -| Machine Learning | [Azure Machine Learning workspaces should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json | -| Monitoring | [Activity log should be retained for at least one year](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json) | | | | | | | | AC-15 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json | -| Monitoring | [Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json) | | | | | | | 1219.09ab3System.10 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json | -| Monitoring | [Azure Monitor should collect activity logs from all regions](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json) | | | | | | | 1214.09ab2System.3456 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json | -| Monitoring | [Azure subscriptions should have a log profile for Activity Log](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json) | | | | | | | | AC-13 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json | -| Monitoring | [Storage account containing the container with activity logs must be encrypted with BYOK](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | | 5.1.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json | -| Monitoring | [The Log Analytics agent should be installed on Virtual Machine Scale Sets](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) | | | | | 3.3.2 | | 1216.09ab3System.12 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json | -| Monitoring | [The Log Analytics agent should be installed on virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) | | | | | 3.3.2 | | 1215.09ab2System.7 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json | -| Monitoring | [[Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) | LT-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json | -| Monitoring | [[Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) | LT-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json | -| Monitoring | [[Preview]: Network traffic data collection agent should be installed on Linux virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) | LT-3 | | | | | | 0885.09n2Organizational.3 - 09.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json | -| Monitoring | [[Preview]: Network traffic data collection agent should be installed on Windows virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) | LT-3 | | | | | | 0887.09n2Organizational.5 - 09.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json | -| Network | [App Service should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) | | | | | | | 0861.09m2Organizational.67 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json | -| Network | [Cosmos DB should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json) | | | | | | | 0864.09m2Organizational.12 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json | -| Network | [Event Hub should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json) | | | | | | | 0863.09m2Organizational.910 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json | -| Network | [Gateway subnets should not be configured with a network security group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json) | | | | | | | 0894.01m2Organizational.7 - 01.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json | -| Network | [Key Vault should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json) | | | | | | | 0865.09m2Organizational.13 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json | -| Network | [RDP access from the Internet should be blocked](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json) | NS-4 | 6.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json | -| Network | [SQL Server should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json) | | | | | | | 0862.09m2Organizational.8 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json | -| Network | [SSH access from the Internet should be blocked](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json) | NS-4 | 6.2 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json | -| Network | [Service Bus should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json) | | | | | | | 0860.09m1Organizational.9 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json | -| Network | [Storage Accounts should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json) | | | | | | | 0867.09m3Organizational.17 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json | -| Network | [Web Application Firewall (WAF) should be enabled for Application Gateway](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) | NS-4 | | | | | | | NS-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json | -| Network | [Web Application Firewall (WAF) should be enabled for Azure Front Door Service service](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | NS-4 | | | | | | | NS-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json | -| Network | [[Preview]: All Internet traffic should be routed via your deployed Azure Firewall](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) | NS-5 | | | | | | | NS-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json | -| Network | [[Preview]: Container Registry should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) | | | | | | | 0871.09m3Organizational.22 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json | -| SQL | [Advanced data security should be enabled on SQL Managed Instance](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | IR-5 | 4.2.1 | | | 3.14.6 | SI-4 | | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json | -| SQL | [Advanced data security should be enabled on your SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | | 4.2.1 | | | 3.14.6 | SI-4 | | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json | -| SQL | [An Azure Active Directory administrator should be provisioned for SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | IM-1 | 4.4 | | A.9.2.3 | | AC-2 (7) | | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json | -| SQL | [Bring your own key data protection should be enabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json | -| SQL | [Bring your own key data protection should be enabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) | DP-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json | -| SQL | [Connection throttling should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json) | | 4.3.6 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json | -| SQL | [Disconnections should be logged for PostgreSQL database servers.](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json) | | 4.3.5 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json | -| SQL | [Enforce SSL connection should be enabled for MySQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | DP-4 | 4.3.1 | | | | | 0948.09y2Organizational.3 - 09.y | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json | -| SQL | [Enforce SSL connection should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | DP-4 | 4.3.2 | | | | | 0947.09y2Organizational.2 - 09.y | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json | -| SQL | [Geo-redundant backup should be enabled for Azure Database for MariaDB](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json) | BR-2 | | | | | | 1627.09l3Organizational.6 - 09.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json | -| SQL | [Geo-redundant backup should be enabled for Azure Database for MySQL](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json) | BR-2 | | | | | | 1622.09l2Organizational.23 - 09.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json | -| SQL | [Geo-redundant backup should be enabled for Azure Database for PostgreSQL](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json) | BR-2 | | | | | | 1626.09l3Organizational.5 - 09.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json | -| SQL | [Infrastructure encryption should be enabled for Azure Database for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json | -| SQL | [Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json | -| SQL | [Log checkpoints should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json) | | 4.3.3 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json | -| SQL | [Log connections should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json) | | 4.3.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json | -| SQL | [Long-term geo-redundant backup should be enabled for Azure SQL Databases](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json) | BR-2 | | | | | | 1621.09l2Organizational.1 - 09.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json | -| SQL | [Private endpoint connections on Azure SQL Database should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json | -| SQL | [Private endpoint should be enabled for MariaDB servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json | -| SQL | [Private endpoint should be enabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json | -| SQL | [Private endpoint should be enabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json | -| SQL | [Public network access on Azure SQL Database should be disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json | -| SQL | [Public network access should be disabled for MariaDB servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json | -| SQL | [Public network access should be disabled for MySQL flexible servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json | -| SQL | [Public network access should be disabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json | -| SQL | [Public network access should be disabled for PostgreSQL flexible servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json | -| SQL | [Public network access should be disabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) | NS-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json | -| SQL | [SQL managed instances should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) | DP-5 | 4.5 | | | | | 0304.09o3Organizational.1 - 09.o | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json | -| SQL | [SQL servers should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) | DP-5 | 4.5 | | | | | 0304.09o3Organizational.1 - 09.o | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json | -| SQL | [Transparent Data Encryption on SQL databases should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) | DP-5 | 4.1.2 | | A.10.1.1 | 3.13.16 | SC-28 (1) | 0301.09o1Organizational.123 - 09.o | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json | -| SQL | [Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) | | 4.2.4 | | | | | | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json | -| SQL | [Vulnerability assessment should be enabled on SQL Managed Instance](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | PV-6 | 4.2.2 | | | | | 0719.10m3Organizational.5 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json | -| SQL | [Vulnerability assessment should be enabled on your SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | PV-6 | 4.2.2 | | | | | 0709.10m1Organizational.1 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json | -| Security Center | [A maximum of 3 owners should be designated for your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) | PA-1 | | | A.6.1.2 | 3.1.4 | AC-6 (7) | 11112.01q2Organizational.67 - 01.q | AC-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json | -| Security Center | [A vulnerability assessment solution should be enabled on your virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | PV-6 | | | A.12.6.1 | 3.14.1 | SI-2 | 0711.10m2Organizational.23 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json | -| Security Center | [Adaptive application controls for defining safe applications should be enabled on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | AM-6 | | | A.12.6.2 | 3.4.9 | CM-11 | 0607.10h2System.23 - 10.h | SS-4 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json | -| Security Center | [Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | NS-4 | | | | 3.13.5 | SC-7 | 0859.09m1Organizational.78 - 09.m | NS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json | -| Security Center | [All network ports should be restricted on network security groups associated to your virtual machine](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | | | | A.13.1.1 | 3.13.5 | SC-7 | 0858.09m1Organizational.4 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json | -| Security Center | [Allowlist rules in your adaptive application control policy should be updated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json | -| Security Center | [Authorized IP ranges should be defined on Kubernetes Services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | NS-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json | -| Security Center | [Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | LT-5 | 2.11 | | | | | 1220.09ab3System.56 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json | -| Security Center | [Azure DDoS Protection Standard should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) | NS-4 | | | | | SC-5 | | NS-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json | -| Security Center | [Azure Defender for App Service should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) | IR-5 | 2.2 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json | -| Security Center | [Azure Defender for Azure SQL Database servers should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | IR-5 | 2.3 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json | -| Security Center | [Azure Defender for Key Vault should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) | IR-5 | 2.8 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json | -| Security Center | [Azure Defender for Kubernetes should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) | IR-5 | 2.6 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json | -| Security Center | [Azure Defender for SQL servers on machines should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | IR-5 | 2.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json | -| Security Center | [Azure Defender for Storage should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | IR-5 | 2.5 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json | -| Security Center | [Azure Defender for container registries should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) | IR-5 | 2.7 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json | -| Security Center | [Azure Defender for servers should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | ES-1 | 2.1 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json | -| Security Center | [Deprecated accounts should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) | PA-3 | | | A.9.2.6 | 3.1.1 | AC-2 | | AC-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json | -| Security Center | [Deprecated accounts with owner permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) | PA-3 | | | A.9.2.6 | 3.1.1 | AC-2 | 1147.01c2System.456 - 01.c | AC-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json | -| Security Center | [Disk encryption should be applied on virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) | DP-5 | 7.2 | | A.10.1.1 | 3.13.16 | SC-28 (1) | 0302.09o2Organizational.1 - 09.o | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json | -| Security Center | [Email notification for high severity alerts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | IR-2 | 2.14 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json | -| Security Center | [Email notification to subscription owner for high severity alerts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | IR-2 | | | | 3.14.6 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json | -| Security Center | [Endpoint protection solution should be installed on virtual machine scale sets](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | ES-3 | | | | 3.14.2 | SI-3 (1) | 0201.09j1Organizational.124 - 09.j | DM-4 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json | -| Security Center | [External accounts with owner permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) | PA-3 | 1.3 | | A.9.2.5 | 3.1.1 | AC-2 | 1146.01c2System.23 - 01.c | PRS-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json | -| Security Center | [External accounts with read permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) | PA-3 | 1.3 | | | 3.1.1 | AC-2 | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json | -| Security Center | [External accounts with write permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) | PA-3 | 1.3 | | A.9.2.5 | 3.1.1 | AC-2 | | PRS-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json | -| Security Center | [Guest Configuration extension should be installed on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json | -| Security Center | [IP Forwarding on your virtual machine should be disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) | NS-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json | -| Security Center | [Internet-facing virtual machines should be protected with network security groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | NS-4 | | | | 3.13.5 | | 0814.01n1Organizational.12 - 01.n | NS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json | -| Security Center | [Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | PV-7 | | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json | -| Security Center | [Log Analytics agent health issues should be resolved on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json) | LT-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json | -| Security Center | [Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | LT-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json | -| Security Center | [Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) | LT-5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json | -| Security Center | [MFA should be enabled accounts with write permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) | IM-4 | 1.1 | | A.9.4.2 | 3.5.3 | IA-2 (1) | 11110.01q1Organizational.6 - 01.q | AC-17 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json | -| Security Center | [MFA should be enabled on accounts with owner permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | IM-4 | 1.1 | | A.9.4.2 | 3.5.3 | IA-2 (1) | 11109.01q1Organizational.57 - 01.q | AC-17 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json | -| Security Center | [MFA should be enabled on accounts with read permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) | IM-4 | 1.2 | | A.9.4.2 | 3.5.3 | IA-2 (2) | 11111.01q2System.4 - 01.q | AC-17 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json | -| Security Center | [Management ports of virtual machines should be protected with just-in-time network access control](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | NS-4 | | | | | SC-7 (4) Ownership : Microsoft | 0858.09m1Organizational.4 - 09.m | AC-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json | -| Security Center | [Management ports should be closed on your virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) | NS-1 | | | | | | 1193.01l2Organizational.13 - 01.l | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json | -| Security Center | [Monitor missing Endpoint Protection in Azure Security Center](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) | ES-3 | 7.6 | | A.12.6.1 | 3.14.2 | SI-3 (1) | 0201.09j1Organizational.124 - 09.j | DM-4 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json | -| Security Center | [Non-internet-facing virtual machines should be protected with network security groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json | -| Security Center | [Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | PA-7 | 8.5 | | | | | 1229.09c1Organizational.1 - 09.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json | -| Security Center | [Security Center standard pricing tier should be selected](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json | -| Security Center | [Service principals should be used to protect your subscriptions instead of management certificates](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json) | IM-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json | -| Security Center | [Subnets should be associated with a Network Security Group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) | NS-4 | | | | | | 0814.01n1Organizational.12 - 01.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json | -| Security Center | [Subscriptions should have a contact email address for security issues](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) | IR-2 | 2.13 | | | 3.14.6 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json | -| Security Center | [System updates on virtual machine scale sets should be installed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | PV-7 | | | | 3.14.1 | SI-2 | 1202.09aa1System.1 - 09.aa | PRS-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json | -| Security Center | [System updates should be installed on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) | PV-7 | 7.5 | | A.12.6.1 | 3.14.1 | SI-2 | 0201.09j1Organizational.124 - 09.j | PRS-5 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json | -| Security Center | [There should be more than one owner assigned to your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) | PA-1 | | | A.6.1.2 | 3.1.4 | AC-6 (7) | 11208.01q1Organizational.8 - 01.q | AC-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json | -| Security Center | [Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json | -| Security Center | [Vulnerabilities in Azure Container Registry images should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | PV-6 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json | -| Security Center | [Vulnerabilities in container security configurations should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | PV-4 | | | | 3.11.2 | | 0715.10m2Organizational.8 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json | -| Security Center | [Vulnerabilities in security configuration on your machines should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | PV-4 | | | A.12.6.1 | 3.14.1 | SI-2 | 0718.10m3Organizational.34 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json | -| Security Center | [Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | PV-4 | | | | 3.14.1 | SI-2 | 0717.10m3Organizational.2 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json | -| Security Center | [Vulnerabilities on your SQL databases should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | PV-6 | | | A.12.6.1 | 3.14.1 | SI-2 | 0716.10m3Organizational.1 - 10.m | ISM-3 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json | -| Security Center | [[Preview]: Sensitive data in your SQL databases should be classified](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json) | DP-1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json | -| Service Fabric | [Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) | DP-5 | | | A.10.1.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json | -| Service Fabric | [Service Fabric clusters should only use Azure Active Directory for client authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | IM-1 | | | A.9.2.3 | | AC-2 (7) | | AC-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json | -| SignalR | [Azure SignalR Service should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json | -| Storage | [Secure transfer to storage accounts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | DP-4 | 3.1 | | A.13.2.1 | 3.13.8 | SC-8 (1) | 0943.09y1Organizational.1 - 09.y | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json | -| Storage | [Storage accounts should allow access from trusted Microsoft services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json) | | 3.7 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json | -| Storage | [Storage accounts should be migrated to new Azure Resource Manager resources](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) | AM-3 | | | A.9.1.2 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json | -| Storage | [Storage accounts should have infrastructure encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json | -| Storage | [Storage accounts should restrict network access using virtual network rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) | NS-1 | 3.6 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json | -| Storage | [Storage accounts should restrict network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | NS-4 | 3.6 | | A.13.1.1 | 3.13.5 | SC-7 | 0866.09m3Organizational.1516 - 09.m | NS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json | -| Storage | [Storage accounts should use customer-managed key for encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) | DP-5 | 3.9 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json | -| Storage | [[Preview]: Storage account public access should be disallowed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) | DP-2 | 5.1.3 | | | | | | NS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json | -| Stream Analytics | [Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json | -| Synapse | [Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json | -| VM Image Builder | [VM Image Builder templates should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) | NS-3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json | \ No newline at end of file +| Service | Policy Definition | Parameter Requirements | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | +|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|-------|-----------|-------------|----------------------|--------------------------------|-------------------------------------|-------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| API for FHIR | [Azure API for FHIR should use a customer-managed key to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_EnableByok_Audit.json | +| API for FHIR | [Azure API for FHIR should use private link](None) | None | | | | | | | | | | | +| API for FHIR | [CORS should not allow every domain to access your API for FHIR](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json | +| App Configuration | [App Configuration should disable public network access](None) | None | | | | | | | | | | | +| App Configuration | [App Configuration should use a SKU that supports private link](None) | None | | | | | | | | | | | +| App Configuration | [App Configuration should use a customer-managed key](None) | None | | | | | | | | | | | +| App Configuration | [App Configuration should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json | +| App Configuration | [Configure App Configuration to disable public network access](None) | None | | | | | | | | | | | +| App Platform | [Audit Azure Spring Cloud instances where distributed tracing is not enabled](None) | None | | | | | | | | | | | +| App Service | [API App should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) | None | DP-4 | | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json | +| App Service | [API apps should use an Azure file share for its content directory](None) | None | | | | | | | | | | | +| App Service | [Authentication should be enabled on your API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json) | None | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_ApiApp_Audit.json | +| App Service | [Authentication should be enabled on your Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json) | None | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json | +| App Service | [Authentication should be enabled on your web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json) | None | | 9.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json | +| App Service | [CORS should not allow every resource to access your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) | None | PV-2 | | | | | | 0911.09s1Organizational.2 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json | +| App Service | [CORS should not allow every resource to access your Function Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | None | PV-2 | | | | | | 0960.09sCSPOrganizational.1 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json | +| App Service | [CORS should not allow every resource to access your Web Applications](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | None | PV-2 | | | | 3.1.3 | AC-4 | 0916.09s2Organizational.4 - 09.s | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json | +| App Service | [Diagnostic logs in App Services should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) | None | LT-4 | 5.3 | | | | | 1209.09aa3System.2 - 09.aa | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json | +| App Service | [Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json) | None | PV-2 | 9.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json | +| App Service | [Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) | None | PV-2 | 9.4 | | | | | 0915.09s2Organizational.2 - 09.s | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json | +| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json) | None | | 9.9 | | | 3.14.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json | +| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) | None | | 9.9 | | | 3.14.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json | +| App Service | [Ensure that 'HTTP Version' is the latest, if used to run the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) | None | | 9.9 | | | 3.14.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json | +| App Service | [FTPS only should be required in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json) | None | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json | +| App Service | [FTPS only should be required in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) | None | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json | +| App Service | [FTPS should be required in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) | None | DP-4 | 9.10 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json | +| App Service | [Function App should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | None | DP-4 | | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json | +| App Service | [Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) | None | PV-2 | 9.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json | +| App Service | [Function apps should use an Azure file share for its content directory](None) | None | | | | | | | | | | | +| App Service | [Latest TLS version should be used in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) | None | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json | +| App Service | [Latest TLS version should be used in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) | None | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json | +| App Service | [Latest TLS version should be used in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) | None | DP-4 | 9.3 | | | 3.14.1 | | 0949.09y2Organizational.5 - 09.y | CR-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json | +| App Service | [Managed identity should be used in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json) | None | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json | +| App Service | [Managed identity should be used in your Function App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | None | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json | +| App Service | [Managed identity should be used in your Web App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | None | IM-2 | 9.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json | +| App Service | [Remote debugging should be turned off for API Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) | None | PV-2 | | | | 3.1.12 | AC-17 (1) | 0914.09s1Organizational.6 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json | +| App Service | [Remote debugging should be turned off for Function Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | None | PV-2 | | | | 3.1.12 | AC-17 (1) | 1325.09s1Organizational.3 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json | +| App Service | [Remote debugging should be turned off for Web Applications](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | None | PV-2 | | | | 3.1.12 | AC-17 (1) | 0912.09s1Organizational.4 - 09.s | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json | +| App Service | [Web Application should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | None | DP-4 | 9.2 | | A.10.1.1 | 3.13.8 | SC-8 (1) | 0949.09y2Organizational.5 - 09.y | SS-8 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json | +| App Service | [Web apps should use an Azure file share for its content directory](None) | None | | | | | | | | | | | +| Attestation | [Azure Attestation providers should use private endpoints](None) | None | | | | | | | | | | | +| Automation | [Automation account variables should be encrypted](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) | None | DP-5 | | | A.10.1.1 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json | +| Automation | [Automation accounts should disable public network access](None) | None | | | | | | | | | | | +| Automation | [Azure Automation accounts should use customer-managed keys to encrypt data at rest](None) | None | | | | | | | | | | | +| Automation | [Configure Azure Automation accounts to disable public network access](None) | None | | | | | | | | | | | +| Automation | [Private endpoint connections on Automation Accounts should be enabled](None) | None | | | | | | | | | | | +| Azure Data Explorer | [Azure Data Explorer encryption at rest should use a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json | +| Azure Data Explorer | [Disk encryption should be enabled on Azure Data Explorer](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json | +| Azure Data Explorer | [Double encryption should be enabled on Azure Data Explorer](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json | +| Azure Data Explorer | [Virtual network injection should be enabled for Azure Data Explorer](None) | None | | | | | | | | | | | +| Azure Stack Edge | [Azure Stack Edge devices should use double-encryption](None) | None | | | | | | | | | | | +| Backup | [Azure Backup should be enabled for Virtual Machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json) | None | BR-2 | | | | | | 1699.09l1Organizational.10 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json | +| Backup | [Azure Recovery Services vaults should use private link](None) | None | | | | | | | | | | | +| Batch | [Azure Batch account should use customer-managed keys to encrypt data](None) | None | | | | | | | | | | | +| Batch | [Private endpoint connections on Batch accounts should be enabled](None) | None | | | | | | | | | | | +| Batch | [Public network access should be disabled for Batch accounts](None) | None | | | | | | | | | | | +| Bot Service | [Bot Service endpoint should be a valid HTTPS URI](None) | None | | | | | | | | | | | +| Bot Service | [Bot Service should be encrypted with a customer-managed key](None) | None | | | | | | | | | | | +| Cache | [Azure Cache for Redis should disable public network access](None) | None | | | | | | | | | | | +| Cache | [Azure Cache for Redis should reside within a virtual network](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json) | None | NS-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json | +| Cache | [Azure Cache for Redis should use private link](None) | None | | | | | | | | | | | +| Cache | [Configure Azure Cache for Redis to disable public network access](None) | None | | | | | | | | | | | +| Cache | [Only secure connections to your Azure Cache for Redis should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | None | DP-4 | | | A.13.2.1 | 3.13.8 | SC-8 (1) | 0946.09y2Organizational.14 - 09.y | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json | +| Cognitive Services | [Cognitive Services accounts should disable public network access](None) | None | | | | | | | | | | | +| Cognitive Services | [Cognitive Services accounts should enable data encryption with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json | +| Cognitive Services | [Cognitive Services accounts should enable data encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json) | None | DP-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json | +| Cognitive Services | [Cognitive Services accounts should restrict network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json | +| Cognitive Services | [Cognitive Services accounts should use a managed identity](None) | None | | | | | | | | | | | +| Cognitive Services | [Cognitive Services accounts should use customer owned storage or enable data encryption.](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json | +| Cognitive Services | [Cognitive Services accounts should use customer owned storage](None) | None | | | | | | | | | | | +| Cognitive Services | [Configure Cognitive Services accounts to disable public network access](None) | None | | | | | | | | | | | +| Compute | [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) | None | | 7.1 | | A.9.1.2 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json | +| Compute | [Audit virtual machines without disaster recovery configured](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) | None | | | | | | CP-7 | 1638.12b2Organizational.345 - 12.b | ESS-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json | +| Compute | [Managed disks should be double encrypted with both platform-managed and customer-managed keys](None) | None | | | | | | | | | | | +| Compute | [Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json) | None | | | | | | | 0201.09j1Organizational.124 - 09.j | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json | +| Compute | [Microsoft IaaSAntimalware extension should be deployed on Windows servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json) | None | | | | | 3.14.2 | | | SS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/WindowsServers_AntiMalware_AuditIfNotExists.json | +| Compute | [OS and data disks should be encrypted with a customer-managed key](None) | None | | | | | | | | | | | +| Compute | [Require automatic OS image patching on Virtual Machine Scale Sets](None) | None | | | | | | | | | | | +| Compute | [Unattached disks should be encrypted](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json) | None | | 7.3 | | | | | 0303.09o2Organizational.2 - 09.o | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json | +| Compute | [Virtual machines and virtual machine scale sets should have encryption at host enabled](None) | None | | | | | | | | | | | +| Compute | [Virtual machines should be migrated to new Azure Resource Manager resources](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) | None | AM-3 | | | A.9.1.2 | | | 0835.09n1Organizational.1 - 09.n | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json | +| Container Instance | [Azure Container Instance container group should deploy into a virtual network](None) | None | | | | | | | | | | | +| Container Instance | [Azure Container Instance container group should use customer-managed key for encryption](None) | None | | | | | | | | | | | +| Container Registry | [Container registries should be encrypted with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json | +| Container Registry | [Container registries should not allow unrestricted network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json | +| Container Registry | [Container registries should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json | +| Cosmos DB | [Azure Cosmos DB accounts should have firewall rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | None | NS-4 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json | +| Cosmos DB | [Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json | +| Cosmos DB | [Azure Cosmos DB key based metadata write access should be disabled](None) | None | | | | | | | | | | | +| Cosmos DB | [Azure Cosmos DB should disable public network access](None) | None | | | | | | | | | | | +| Cosmos DB | [Configure CosmosDB accounts to disable public network access ](None) | None | | | | | | | | | | | +| Cosmos DB | [CosmosDB accounts should use private link](None) | None | | | | | | | | | | | +| Data Factory | [Azure Data Factory linked services should use Key Vault for storing secrets](None) | None | | | | | | | | | | | +| Data Factory | [Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported](None) | None | | | | | | | | | | | +| Data Factory | [Azure Data Factory should use a Git repository for source control](None) | None | | | | | | | | | | | +| Data Factory | [Azure data factories should be encrypted with a customer-managed key](None) | None | | | | | | | | | | | +| Data Factory | [Public network access on Azure Data Factory should be disabled](None) | None | | | | | | | | | | | +| Data Factory | [SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network](None) | None | | | | | | | | | | | +| Data Lake | [Require encryption on Data Lake Store accounts](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json) | None | | | | | | | 0304.09o3Organizational.1 - 09.o | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStoreEncryption_Deny.json | +| Event Grid | [Azure Event Grid domains should disable public network access](None) | None | | | | | | | | | | | +| Event Grid | [Azure Event Grid domains should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json | +| Event Grid | [Azure Event Grid topics should disable public network access](None) | None | | | | | | | | | | | +| Event Grid | [Azure Event Grid topics should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json | +| Event Grid | [Modify - Configure Azure Event Grid domains to disable public network access](None) | None | | | | | | | | | | | +| Event Grid | [Modify - Configure Azure Event Grid topics to disable public network access](None) | None | | | | | | | | | | | +| Event Hub | [All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace](None) | None | | | | | | | | | | | +| Event Hub | [Authorization rules on the Event Hub instance should be defined](None) | None | | | | | | | | | | | +| Event Hub | [Event Hub namespaces should use a customer-managed key for encryption](None) | None | | | | | | | | | | | +| Event Hub | [Event Hub namespaces should use private link](None) | None | | | | | | | | | | | +| General | [Audit resource location matches resource group location](None) | None | | | | | | | | | | | +| General | [Audit usage of custom RBAC rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | None | PA-7 | | | A.9.2.3 | | AC-2 (7) | 1230.09c2Organizational.1 - 09.c | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json | +| General | [Custom subscription owner roles should not exist](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json) | None | PA-7 | 1.21 | | | | | 1278.09c2Organizational.56 - 09.c | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json | +| Guest Configuration | [Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) | None | | | | A.10.1.1 | 3.5.10 | IA-5 (1) | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json | +| Guest Configuration | [Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | None | | | | A.10.1.1 | 3.5.10 | IA-5 (1) | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json | +| HDInsight | [Azure HDInsight clusters should be injected into a virtual network](None) | None | | | | | | | | | | | +| HDInsight | [Azure HDInsight clusters should use customer-managed keys to encrypt data at rest](None) | None | | | | | | | | | | | +| HDInsight | [Azure HDInsight clusters should use encryption at host to encrypt data at rest](None) | None | | | | | | | | | | | +| HDInsight | [Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes](None) | None | | | | | | | | | | | +| Internet of Things | [Azure IoT Hub should use customer-managed key to encrypt data at rest](None) | None | | | | | | | | | | | +| Internet of Things | [Configure IoT Hub device provisioning service instances to disable public network access](None) | None | | | | | | | | | | | +| Internet of Things | [IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)](None) | None | | | | | | | | | | | +| Internet of Things | [IoT Hub device provisioning service instances should disable public network access](None) | None | | | | | | | | | | | +| Internet of Things | [IoT Hub device provisioning service instances should use private link](None) | None | | | | | | | | | | | +| Internet of Things | [Modify - Configure Azure IoT Hubs to disable public network access](None) | None | | | | | | | | | | | +| Internet of Things | [Private endpoint should be enabled for IoT Hub](None) | None | | | | | | | | | | | +| Internet of Things | [Public network access on Azure IoT Hub should be disabled](None) | None | | | | | | | | | | | +| Key Vault | [Azure Key Vault Managed HSM should have purge protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) | None | | | | | | | 1635.12b1Organizational.2 - 12.b | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json | +| Key Vault | [Firewall should be enabled on Key Vault](None) | None | | | | | | | | | | | +| Key Vault | [Key Vault keys should have an expiration date](None) | None | | | | | | | | | | | +| Key Vault | [Key Vault secrets should have an expiration date](None) | None | | | | | | | | | | | +| Key Vault | [Key vaults should have purge protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) | None | BR-4 | 8.4 | | | | | 1635.12b1Organizational.2 - 12.b | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json | +| Key Vault | [Key vaults should have soft delete enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) | None | BR-4 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json | +| Key Vault | [Keys should be backed by a hardware security module (HSM)](None) | None | | | | | | | | | | | +| Key Vault | [Private endpoint should be configured for Key Vault](None) | None | | | | | | | | | | | +| Key Vault | [Secrets should have content type set](None) | None | | | | | | | | | | | +| Kubernetes | [Azure Kubernetes Service Private Clusters should be enabled](None) | None | | | | | | | | | | | +| Kubernetes | [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | None | PV-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json | +| Kubernetes | [Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json | +| Kubernetes | [Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host](None) | None | | | | | | | | | | | +| Lighthouse | [Audit delegation of scopes to a managing tenant](None) | None | | | | | | | | | | | +| Machine Learning | [Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json | +| Machine Learning | [Azure Machine Learning workspaces should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json | +| Machine Learning | [Azure Machine Learning workspaces should use user-assigned managed identity](None) | None | | | | | | | | | | | +| Managed Application | [Application definition for Managed Application should use customer provided storage account](None) | None | | | | | | | | | | | +| Monitoring | [Activity log should be retained for at least one year](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json) | None | | | | | | | | AC-15 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json | +| Monitoring | [Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](None) | None | | | | | | | | | | | +| Monitoring | [Azure Monitor Logs clusters should be encrypted with customer-managed key](None) | None | | | | | | | | | | | +| Monitoring | [Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace](None) | None | | | | | | | | | | | +| Monitoring | [Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json) | None | | | | | | | 1219.09ab3System.10 - 09.ab | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json | +| Monitoring | [Azure Monitor should collect activity logs from all regions](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json) | None | | | | | | | 1214.09ab2System.3456 - 09.ab | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json | +| Monitoring | [Azure Monitor solution 'Security and Audit' must be deployed](None) | None | | | | | | | | | | | +| Monitoring | [Azure subscriptions should have a log profile for Activity Log](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json) | None | | | | | | | | AC-13 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Logprofile_activityLogs_Audit.json | +| Monitoring | [Deploy - Configure Linux Azure Monitor agent to enable Azure Monitor assignments on Linux virtual machines](None) | None | | | | | | | | | | | +| Monitoring | [Deploy - Configure Windows Azure Monitor agent to enable Azure Monitor assignments on Windows virtual machines](None) | None | | | | | | | | | | | +| Monitoring | [Deploy Dependency agent to Windows Azure Arc machines](None) | None | | | | | | | | | | | +| Monitoring | [Deploy Dependency agent to hybrid Linux Azure Arc machines](None) | None | | | | | | | | | | | +| Monitoring | [Log Analytics agent should be installed on your Linux Azure Arc machines](None) | None | | | | | | | | | | | +| Monitoring | [Log Analytics agent should be installed on your Windows Azure Arc machines](None) | None | | | | | | | | | | | +| Monitoring | [Network traffic data collection agent should be installed on Linux virtual machines](None) | None | | | | | | | | | | | +| Monitoring | [Network traffic data collection agent should be installed on Windows virtual machines](None) | None | | | | | | | | | | | +| Monitoring | [Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption](None) | None | | | | | | | | | | | +| Monitoring | [Storage account containing the container with activity logs must be encrypted with BYOK](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | None | | 5.1.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json | +| Monitoring | [The Log Analytics agent should be installed on Virtual Machine Scale Sets](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) | None | | | | | 3.3.2 | | 1216.09ab3System.12 - 09.ab | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json | +| Monitoring | [The Log Analytics agent should be installed on virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) | None | | | | | 3.3.2 | | 1215.09ab2System.7 - 09.ab | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json | +| Monitoring | [Workbooks should be saved to storage accounts that you control](None) | None | | | | | | | | | | | +| Monitoring | [[ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs](None) | None | | | | | | | | | | | +| Network | [All Internet traffic should be routed via your deployed Azure Firewall](None) | None | | | | | | | | | | | +| Network | [App Service should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) | None | | | | | | | 0861.09m2Organizational.67 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json | +| Network | [Azure VPN gateways should not use 'basic' SKU](None) | None | | | | | | | | | | | +| Network | [Container Registry should use a virtual network service endpoint](None) | None | | | | | | | | | | | +| Network | [Cosmos DB should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json) | None | | | | | | | 0864.09m2Organizational.12 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json | +| Network | [Event Hub should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json) | None | | | | | | | 0863.09m2Organizational.910 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json | +| Network | [Flow logs should be configured for every network security group](None) | None | | | | | | | | | | | +| Network | [Flow logs should be enabled for every network security group](None) | None | | | | | | | | | | | +| Network | [Gateway subnets should not be configured with a network security group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json) | None | | | | | | | 0894.01m2Organizational.7 - 01.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroupOnGatewaySubnet_Deny.json | +| Network | [Key Vault should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json) | None | | | | | | | 0865.09m2Organizational.13 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json | +| Network | [Network interfaces should disable IP forwarding](None) | None | | | | | | | | | | | +| Network | [Network interfaces should not have public IPs](None) | None | | | | | | | | | | | +| Network | [RDP access from the Internet should be blocked](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json) | None | NS-4 | 6.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json | +| Network | [SQL Server should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json) | None | | | | | | | 0862.09m2Organizational.8 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json | +| Network | [SSH access from the Internet should be blocked](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json) | None | NS-4 | 6.2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json | +| Network | [Service Bus should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json) | None | | | | | | | 0860.09m1Organizational.9 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json | +| Network | [Storage Accounts should use a virtual network service endpoint](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json) | None | | | | | | | 0867.09m3Organizational.17 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json | +| Network | [Web Application Firewall (WAF) should be enabled for Application Gateway](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) | None | NS-4 | | | | | | | NS-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json | +| Network | [Web Application Firewall (WAF) should be enabled for Azure Front Door Service service](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | None | NS-4 | | | | | | | NS-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json | +| Portal | [Shared dashboards should not have markdown tiles with inline content](None) | None | | | | | | | | | | | +| SQL | [Advanced data security should be enabled on SQL Managed Instance](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | None | IR-5 | 4.2.1 | | | 3.14.6 | SI-4 | | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json | +| SQL | [Advanced data security should be enabled on your SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | None | | 4.2.1 | | | 3.14.6 | SI-4 | | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json | +| SQL | [An Azure Active Directory administrator should be provisioned for SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | None | IM-1 | 4.4 | | A.9.2.3 | | AC-2 (7) | | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json | +| SQL | [Azure SQL Database should have the minimal TLS version of 1.2](None) | None | | | | | | | | | | | +| SQL | [Bring your own key data protection should be enabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json | +| SQL | [Bring your own key data protection should be enabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) | None | DP-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json | +| SQL | [Configure Azure SQL Server to disable public network access](None) | None | | | | | | | | | | | +| SQL | [Connection throttling should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json) | None | | 4.3.6 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json | +| SQL | [Disconnections should be logged for PostgreSQL database servers.](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json) | None | | 4.3.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json | +| SQL | [Enforce SSL connection should be enabled for MySQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | None | DP-4 | 4.3.1 | | | | | 0948.09y2Organizational.3 - 09.y | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json | +| SQL | [Enforce SSL connection should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | None | DP-4 | 4.3.2 | | | | | 0947.09y2Organizational.2 - 09.y | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json | +| SQL | [Geo-redundant backup should be enabled for Azure Database for MariaDB](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json) | None | BR-2 | | | | | | 1627.09l3Organizational.6 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMariaDB_Audit.json | +| SQL | [Geo-redundant backup should be enabled for Azure Database for MySQL](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json) | None | BR-2 | | | | | | 1622.09l2Organizational.23 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForMySQL_Audit.json | +| SQL | [Geo-redundant backup should be enabled for Azure Database for PostgreSQL](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json) | None | BR-2 | | | | | | 1626.09l3Organizational.5 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json | +| SQL | [Infrastructure encryption should be enabled for Azure Database for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_InfrastructureEncryption_Audit.json | +| SQL | [Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_InfrastructureEncryption_Audit.json | +| SQL | [Log checkpoints should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json) | None | | 4.3.3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogCheckpoint_Audit.json | +| SQL | [Log connections should be enabled for PostgreSQL database servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json) | None | | 4.3.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json | +| SQL | [Log duration should be enabled for PostgreSQL database servers](None) | None | | | | | | | | | | | +| SQL | [Long-term geo-redundant backup should be enabled for Azure SQL Databases](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json) | None | BR-2 | | | | | | 1621.09l2Organizational.1 - 09.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json | +| SQL | [MariaDB server should use a virtual network service endpoint](None) | None | | | | | | | | | | | +| SQL | [MySQL server should use a virtual network service endpoint](None) | None | | | | | | | | | | | +| SQL | [PostgreSQL server should use a virtual network service endpoint](None) | None | | | | | | | | | | | +| SQL | [Private endpoint connections on Azure SQL Database should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json | +| SQL | [Private endpoint should be enabled for MariaDB servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json | +| SQL | [Private endpoint should be enabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json | +| SQL | [Private endpoint should be enabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json | +| SQL | [Public network access on Azure SQL Database should be disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json | +| SQL | [Public network access should be disabled for MariaDB servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json | +| SQL | [Public network access should be disabled for MySQL flexible servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json | +| SQL | [Public network access should be disabled for MySQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json | +| SQL | [Public network access should be disabled for PostgreSQL flexible servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json | +| SQL | [Public network access should be disabled for PostgreSQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) | None | NS-1 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json | +| SQL | [SQL Auditing settings should have Action-Groups configured to capture critical activities](None) | None | | | | | | | | | | | +| SQL | [SQL Database should avoid using GRS backup redundancy](None) | None | | | | | | | | | | | +| SQL | [SQL Managed Instance should have the minimal TLS version of 1.2](None) | None | | | | | | | | | | | +| SQL | [SQL Managed Instances should avoid using GRS backup redundancy](None) | None | | | | | | | | | | | +| SQL | [SQL managed instances should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) | None | DP-5 | 4.5 | | | | | 0304.09o3Organizational.1 - 09.o | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json | +| SQL | [SQL servers should retain audit data for at least 90 days](None) | None | | | | | | | | | | | +| SQL | [SQL servers should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) | None | DP-5 | 4.5 | | | | | 0304.09o3Organizational.1 - 09.o | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json | +| SQL | [Transparent Data Encryption on SQL databases should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) | None | DP-5 | 4.1.2 | | A.10.1.1 | 3.13.16 | SC-28 (1) | 0301.09o1Organizational.123 - 09.o | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json | +| SQL | [Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) | None | | 4.2.4 | | | | | | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json | +| SQL | [Vulnerability assessment should be enabled on SQL Managed Instance](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | None | PV-6 | 4.2.2 | | | | | 0719.10m3Organizational.5 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json | +| SQL | [Vulnerability assessment should be enabled on your SQL servers](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) | None | PV-6 | 4.2.2 | | | | | 0709.10m1Organizational.1 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json | +| Search | [Azure Cognitive Search service should use a SKU that supports private link](None) | None | | | | | | | | | | | +| Search | [Azure Cognitive Search services should disable public network access](None) | None | | | | | | | | | | | +| Search | [Configure Azure Cognitive Search services to disable public network access](None) | None | | | | | | | | | | | +| Security Center | [A maximum of 3 owners should be designated for your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) | None | PA-1 | | | A.6.1.2 | 3.1.4 | AC-6 (7) | 11112.01q2Organizational.67 - 01.q | AC-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json | +| Security Center | [A vulnerability assessment solution should be enabled on your virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) | None | PV-6 | | | A.12.6.1 | 3.14.1 | SI-2 | 0711.10m2Organizational.23 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json | +| Security Center | [Adaptive application controls for defining safe applications should be enabled on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | None | AM-6 | | | A.12.6.2 | 3.4.9 | CM-11 | 0607.10h2System.23 - 10.h | SS-4 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json | +| Security Center | [Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | None | NS-4 | | | | 3.13.5 | SC-7 | 0859.09m1Organizational.78 - 09.m | NS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json | +| Security Center | [All network ports should be restricted on network security groups associated to your virtual machine](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | None | | | | A.13.1.1 | 3.13.5 | SC-7 | 0858.09m1Organizational.4 - 09.m | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json | +| Security Center | [Allowlist rules in your adaptive application control policy should be updated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json | +| Security Center | [Authorized IP ranges should be defined on Kubernetes Services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | None | NS-4 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json | +| Security Center | [Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | None | LT-5 | 2.11 | | | | | 1220.09ab3System.56 - 09.ab | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json | +| Security Center | [Azure DDoS Protection Standard should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) | None | NS-4 | | | | | SC-5 | | NS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json | +| Security Center | [Azure Defender for App Service should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) | None | IR-5 | 2.2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json | +| Security Center | [Azure Defender for Azure SQL Database servers should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | None | IR-5 | 2.3 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json | +| Security Center | [Azure Defender for DNS should be enabled](None) | None | | | | | | | | | | | +| Security Center | [Azure Defender for Key Vault should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) | None | IR-5 | 2.8 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json | +| Security Center | [Azure Defender for Kubernetes should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) | None | IR-5 | 2.6 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json | +| Security Center | [Azure Defender for Resource Manager should be enabled](None) | None | | | | | | | | | | | +| Security Center | [Azure Defender for SQL servers on machines should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | None | IR-5 | 2.4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json | +| Security Center | [Azure Defender for Storage should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | None | IR-5 | 2.5 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json | +| Security Center | [Azure Defender for container registries should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) | None | IR-5 | 2.7 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json | +| Security Center | [Azure Defender for servers should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | None | ES-1 | 2.1 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json | +| Security Center | [Configure machines to receive the Qualys vulnerability assessment agent](None) | None | | | | | | | | | | | +| Security Center | [Deploy - Configure Linux machines to automatically install the Azure Security agent](None) | None | | | | | | | | | | | +| Security Center | [Deploy - Configure Windows machines to automatically install the Azure Security agent](None) | None | | | | | | | | | | | +| Security Center | [Deprecated accounts should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) | None | PA-3 | | | A.9.2.6 | 3.1.1 | AC-2 | | AC-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json | +| Security Center | [Deprecated accounts with owner permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) | None | PA-3 | | | A.9.2.6 | 3.1.1 | AC-2 | 1147.01c2System.456 - 01.c | AC-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json | +| Security Center | [Disk encryption should be applied on virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) | None | DP-5 | 7.2 | | A.10.1.1 | 3.13.16 | SC-28 (1) | 0302.09o2Organizational.1 - 09.o | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json | +| Security Center | [Email notification for high severity alerts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) | None | IR-2 | 2.14 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json | +| Security Center | [Email notification to subscription owner for high severity alerts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | None | IR-2 | | | | 3.14.6 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json | +| Security Center | [Enable Azure Security Center on your subscription](None) | None | | | | | | | | | | | +| Security Center | [Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.](None) | None | | | | | | | | | | | +| Security Center | [Endpoint protection solution should be installed on virtual machine scale sets](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | None | ES-3 | | | | 3.14.2 | SI-3 (1) | 0201.09j1Organizational.124 - 09.j | DM-4 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json | +| Security Center | [External accounts with owner permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) | None | PA-3 | 1.3 | | A.9.2.5 | 3.1.1 | AC-2 | 1146.01c2System.23 - 01.c | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json | +| Security Center | [External accounts with read permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) | None | PA-3 | 1.3 | | | 3.1.1 | AC-2 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json | +| Security Center | [External accounts with write permissions should be removed from your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) | None | PA-3 | 1.3 | | A.9.2.5 | 3.1.1 | AC-2 | | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json | +| Security Center | [Guest Configuration extension should be installed on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json | +| Security Center | [IP Forwarding on your virtual machine should be disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) | None | NS-4 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json | +| Security Center | [Internet-facing virtual machines should be protected with network security groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | None | NS-4 | | | | 3.13.5 | | 0814.01n1Organizational.12 - 01.n | NS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json | +| Security Center | [Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) | None | PV-7 | | | | 3.14.1 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json | +| Security Center | [Log Analytics agent health issues should be resolved on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json) | None | LT-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json | +| Security Center | [Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | None | LT-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json | +| Security Center | [Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) | None | LT-5 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json | +| Security Center | [MFA should be enabled accounts with write permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) | None | IM-4 | 1.1 | | A.9.4.2 | 3.5.3 | IA-2 (1) | 11110.01q1Organizational.6 - 01.q | AC-17 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json | +| Security Center | [MFA should be enabled on accounts with owner permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | None | IM-4 | 1.1 | | A.9.4.2 | 3.5.3 | IA-2 (1) | 11109.01q1Organizational.57 - 01.q | AC-17 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json | +| Security Center | [MFA should be enabled on accounts with read permissions on your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) | None | IM-4 | 1.2 | | A.9.4.2 | 3.5.3 | IA-2 (2) | 11111.01q2System.4 - 01.q | AC-17 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json | +| Security Center | [Management ports of virtual machines should be protected with just-in-time network access control](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | None | NS-4 | | | | | SC-7 (4) Ownership : Microsoft | 0858.09m1Organizational.4 - 09.m | AC-7 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json | +| Security Center | [Management ports should be closed on your virtual machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) | None | NS-1 | | | | | | 1193.01l2Organizational.13 - 01.l | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json | +| Security Center | [Monitor missing Endpoint Protection in Azure Security Center](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) | None | ES-3 | 7.6 | | A.12.6.1 | 3.14.2 | SI-3 (1) | 0201.09j1Organizational.124 - 09.j | DM-4 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json | +| Security Center | [Non-internet-facing virtual machines should be protected with network security groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json | +| Security Center | [Operating system version should be the most current version for your cloud service roles](None) | None | | | | | | | | | | | +| Security Center | [Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | None | PA-7 | 8.5 | | | | | 1229.09c1Organizational.1 - 09.c | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json | +| Security Center | [Security Center standard pricing tier should be selected](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Standard_pricing_tier.json | +| Security Center | [Sensitive data in your SQL databases should be classified](None) | None | | | | | | | | | | | +| Security Center | [Service principals should be used to protect your subscriptions instead of management certificates](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json) | None | IM-2 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json | +| Security Center | [Subnets should be associated with a Network Security Group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) | None | NS-4 | | | | | | 0814.01n1Organizational.12 - 01.n | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json | +| Security Center | [Subscriptions should have a contact email address for security issues](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) | None | IR-2 | 2.13 | | | 3.14.6 | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json | +| Security Center | [System updates on virtual machine scale sets should be installed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | None | PV-7 | | | | 3.14.1 | SI-2 | 1202.09aa1System.1 - 09.aa | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json | +| Security Center | [System updates should be installed on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) | None | PV-7 | 7.5 | | A.12.6.1 | 3.14.1 | SI-2 | 0201.09j1Organizational.124 - 09.j | PRS-5 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json | +| Security Center | [There should be more than one owner assigned to your subscription](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) | None | PA-1 | | | A.6.1.2 | 3.1.4 | AC-6 (7) | 11208.01q1Organizational.8 - 01.q | AC-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json | +| Security Center | [Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json | +| Security Center | [Vulnerabilities in Azure Container Registry images should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | None | PV-6 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json | +| Security Center | [Vulnerabilities in container security configurations should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | None | PV-4 | | | | 3.11.2 | | 0715.10m2Organizational.8 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json | +| Security Center | [Vulnerabilities in security configuration on your machines should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | None | PV-4 | | | A.12.6.1 | 3.14.1 | SI-2 | 0718.10m3Organizational.34 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json | +| Security Center | [Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | None | PV-4 | | | | 3.14.1 | SI-2 | 0717.10m3Organizational.2 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json | +| Security Center | [Vulnerabilities on your SQL databases should be remediated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | None | PV-6 | | | A.12.6.1 | 3.14.1 | SI-2 | 0716.10m3Organizational.1 - 10.m | ISM-3 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json | +| Security Center | [Vulnerabilities on your SQL servers on machine should be remediated](None) | None | | | | | | | | | | | +| Service Bus | [All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace](None) | None | | | | | | | | | | | +| Service Bus | [Azure Service Bus namespaces should use private link](None) | None | | | | | | | | | | | +| Service Bus | [Service Bus Premium namespaces should use a customer-managed key for encryption](None) | None | | | | | | | | | | | +| Service Fabric | [Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) | None | DP-5 | | | A.10.1.1 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json | +| Service Fabric | [Service Fabric clusters should only use Azure Active Directory for client authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | None | IM-1 | | | A.9.2.3 | | AC-2 (7) | | AC-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json | +| SignalR | [Azure SignalR Service should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json | +| Storage | [Azure File Sync should use private link](None) | None | | | | | | | | | | | +| Storage | [Geo-redundant storage should be enabled for Storage Accounts](None) | None | | | | | | | | | | | +| Storage | [HPC Cache accounts should use customer-managed key for encryption](None) | None | | | | | | | | | | | +| Storage | [Modify - Configure Azure File Sync to disable public network access](None) | None | | | | | | | | | | | +| Storage | [Public network access should be disabled for Azure File Sync](None) | None | | | | | | | | | | | +| Storage | [Secure transfer to storage accounts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | None | DP-4 | 3.1 | | A.13.2.1 | 3.13.8 | SC-8 (1) | 0943.09y1Organizational.1 - 09.y | DM-6 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json | +| Storage | [Storage account public access should be disallowed](None) | None | | | | | | | | | | | +| Storage | [Storage accounts should allow access from trusted Microsoft services](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json) | None | | 3.7 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccess_TrustedMicrosoftServices_Audit.json | +| Storage | [Storage accounts should be migrated to new Azure Resource Manager resources](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) | None | AM-3 | | | A.9.1.2 | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json | +| Storage | [Storage accounts should have infrastructure encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountInfrastructureEncryptionEnabled_Audit.json | +| Storage | [Storage accounts should restrict network access using virtual network rules](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) | None | NS-1 | 3.6 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json | +| Storage | [Storage accounts should restrict network access](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | None | NS-4 | 3.6 | | A.13.1.1 | 3.13.5 | SC-7 | 0866.09m3Organizational.1516 - 09.m | NS-2 | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json | +| Storage | [Storage accounts should use customer-managed key for encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) | None | DP-5 | 3.9 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json | +| Storage | [Storage accounts should use private link](None) | None | | | | | | | | | | | +| Stream Analytics | [Azure Stream Analytics jobs should use customer-managed keys to encrypt data](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_CMK_Audit.json | +| Synapse | [Azure Synapse workspaces should allow outbound data traffic only to approved targets](None) | None | | | | | | | | | | | +| Synapse | [Azure Synapse workspaces should use customer-managed keys to encrypt data at rest](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json) | None | | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceCMK_Audit.json | +| Synapse | [Azure Synapse workspaces should use private link](None) | None | | | | | | | | | | | +| Synapse | [IP firewall rules on Azure Synapse workspaces should be removed](None) | None | | | | | | | | | | | +| Synapse | [Managed workspace virtual network on Azure Synapse workspaces should be enabled](None) | None | | | | | | | | | | | +| Synapse | [Synapse workspace auditing settings should have action groups configured to capture critical activities](None) | None | | | | | | | | | | | +| Synapse | [Synapse workspaces should be configured with 90 days auditing retention or higher.](None) | None | | | | | | | | | | | +| Synapse | [Vulnerability assessment should be enabled on your Synapse workspaces](None) | None | | | | | | | | | | | +| VM Image Builder | [VM Image Builder templates should use private link](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) | None | NS-3 | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json | \ No newline at end of file diff --git a/docs/params-optional.csv b/docs/params-optional.csv index 6546847..c610344 100644 --- a/docs/params-optional.csv +++ b/docs/params-optional.csv @@ -1,53 +1,35 @@ -Service,Policy Definition,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Link -App Service,"Ensure that 'Java version' is the latest, if used as a part of the API app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json -App Service,"Ensure that 'Java version' is the latest, if used as a part of the Function app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json -App Service,"Ensure that 'Java version' is the latest, if used as a part of the Web app",PV-7,9.8,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json -App Service,"Ensure that 'PHP version' is the latest, if used as a part of the API app",PV-7,9.6,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json -App Service,"Ensure that 'PHP version' is the latest, if used as a part of the WEB app",PV-7,9.6,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the API app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the Function app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json -App Service,"Ensure that 'Python version' is the latest, if used as a part of the Web app",PV-7,9.7,,,,3.14.1,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json -Batch,Resource logs in Batch accounts should be enabled,LT-4,5.3,,,,,1205.09aa2System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json -Data Box,Azure Data Box jobs should enable double encryption for data at rest on the device,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json -Data Lake,Resource logs in Azure Data Lake Store should be enabled,LT-4,5.3,,,,,1202.09aa1System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json -Data Lake,Resource logs in Data Lake Analytics should be enabled,LT-4,5.3,,,,,1210.09aa3System.3 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json -Event Hub,Resource logs in Event Hub should be enabled,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json -Guest Configuration,Audit Linux machines that allow remote connections from accounts without passwords,,,,A.9.1.2,AC-17 (1),3.1.12,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json -Guest Configuration,Audit Linux machines that do not have the passwd file permissions set to 0644,,,,A.9.2.4,IA-5,3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json -Guest Configuration,Audit Linux machines that have accounts without passwords,,,,A.9.1.2,IA-5,3.5.7,,AC-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json -Guest Configuration,Audit Windows machines that allow re-use of the previous 24 passwords,,,,A.9.4.3,IA-5 (1),3.5.8,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json -Guest Configuration,Audit Windows machines that do not have a maximum password age of 70 days,,,,A.9.4.3,IA-5 (1),,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json -Guest Configuration,Audit Windows machines that do not have a minimum password age of 1 day,,,,A.9.4.3,IA-5 (1),,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json -Guest Configuration,Audit Windows machines that do not have the password complexity setting enabled,,,,A.9.4.3,IA-5 (1),3.5.7,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json -Guest Configuration,Audit Windows machines that do not restrict the minimum password length to 14 characters,,,,A.9.4.3,IA-5 (1),3.5.7,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json -Guest Configuration,Audit Windows machines that do not store passwords using reversible encryption,,,,A.10.1.1,IA-5 (1),3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json -Guest Configuration,Audit Windows machines that have extra accounts in the Administrators group,,,,,,,1123.01q1System.2 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json -Guest Configuration,Windows Defender Exploit Guard should be enabled on your machines,ES-2,,,,,,,DM-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Accounts',,,,,,,1148.01c2System.78 - 01.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAccounts_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Audit',,,,,,,0605.10h1System.12 - 10.h,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAudit_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Microsoft Network Server',,,,,,,0709.10m1Organizational.1 - 10.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Network Access',,,,,,,0861.09m2Organizational.67 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Network Security',,,,,,3.5.10,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - Recovery console',,,,,,,1637.12b2Organizational.2 - 12.b,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsRecoveryconsole_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Options - User Account Control',,,,,,,1277.09c2Organizational.4 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsUserAccountControl_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Security Settings - Account Policies',,,,,,,,AC-4,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Account Management',,,,,,,0605.10h1System.12 - 10.h,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesAccountManagement_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking',,,,,,,0644.10k3Organizational.4 - 10.k,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesDetailedTracking_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Policy Change',,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPolicyChange_AINE.json -Guest Configuration,Windows machines should meet requirements for 'System Audit Policies - Privilege Use',,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPrivilegeUse_AINE.json -Guest Configuration,Windows machines should meet requirements for 'User Rights Assignment',,,,,,,1232.09c3Organizational.12 - 09.c,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_UserRightsAssignment_AINE.json -Guest Configuration,Windows machines should meet requirements for 'Windows Firewall Properties',,,,,,,0858.09m1Organizational.4 - 09.m,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsFirewallProperties_AINE.json -Guest Configuration,Windows web servers should be configured to use secure communication protocols,DP-4,,,,SC-8 (1),3.13.8,,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json -Guest Configuration,[Preview]: Linux machines should meet requirements for the Azure security baseline,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json -Internet of Things,Resource logs in IoT Hub should be enabled,LT-4,5.3,,,,,1204.09aa1System.3 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json -Key Vault,Resource logs in Azure Key Vault Managed HSM should be enabled,,,,,,,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json -Key Vault,Resource logs in Key Vault should be enabled,LT-4,5.3,,,,,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json -Key Vault,[Preview]: Keys should be the specified cryptographic type RSA or EC,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json -Key Vault,[Preview]: Keys using elliptic curve cryptography should have the specified curve names,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json -Logic Apps,Resource logs in Logic Apps should be enabled,LT-4,5.3,,,,,1203.09aa1System.2 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json -Network,Web Application Firewall (WAF) should use the specified mode for Application Gateway,,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json -Network,Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,,,,,,,,NS-7,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json -SQL,Auditing on SQL server should be enabled,LT-4,4.1.1,,A.12.4.4,AU-12,3.3.4,1211.09aa3System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json -Search,Resource logs in Search services should be enabled,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json -Service Bus,Resource logs in Service Bus should be enabled,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json -Stream Analytics,Resource logs in Azure Stream Analytics should be enabled,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json +Service,Policy Definition,Parameter Requirements,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Parameters,Link +API Management,API Management service should use a SKU that supports virtual networks,Optional,,,,,,,,,listOfAllowedSKUs, +App Service,"Ensure that 'Java version' is the latest, if used as a part of the API app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json +App Service,"Ensure that 'Java version' is the latest, if used as a part of the Function app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json +App Service,"Ensure that 'Java version' is the latest, if used as a part of the Web app",Optional,PV-7,9.8,,,,3.14.1,,,JavaLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json +App Service,"Ensure that 'PHP version' is the latest, if used as a part of the API app",Optional,PV-7,9.6,,,,3.14.1,,,PHPLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json +App Service,"Ensure that 'PHP version' is the latest, if used as a part of the WEB app",Optional,PV-7,9.6,,,,3.14.1,,,PHPLatestVersion,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the API app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the Function app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json +App Service,"Ensure that 'Python version' is the latest, if used as a part of the Web app",Optional,PV-7,9.7,,,,3.14.1,,,"WindowsPythonLatestVersion, LinuxPythonLatestVersion",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json +App Service,Resource logs in App Services should be enabled,Optional,,,,,,,,,requiredRetentionDays, +Batch,Resource logs in Batch accounts should be enabled,Optional,LT-4,5.3,,,,,1205.09aa2System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json +Data Box,Azure Data Box jobs should enable double encryption for data at rest on the device,Optional,,,,,,,,,supportedSKUs,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json +Data Box,Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password,Optional,,,,,,,,,supportedSKUs, +Data Factory,Azure Data Factory integration runtime should have a limit for number of cores,Optional,,,,,,,,,maxCores, +Data Lake,Resource logs in Azure Data Lake Store should be enabled,Optional,LT-4,5.3,,,,,1202.09aa1System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json +Data Lake,Resource logs in Data Lake Analytics should be enabled,Optional,LT-4,5.3,,,,,1210.09aa3System.3 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json +Event Hub,Resource logs in Event Hub should be enabled,Optional,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json +Internet of Things,Resource logs in IoT Hub should be enabled,Optional,LT-4,5.3,,,,,1204.09aa1System.3 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json +Key Vault,Certificates should be issued by the specified integrated certificate authority,Optional,,,,,,,,,allowedCAs, +Key Vault,Certificates should have the specified maximum validity period,Optional,,,,,,,,,maximumValidityInMonths, +Key Vault,Certificates should use allowed key types,Optional,,,,,,,,,allowedKeyTypes, +Key Vault,Certificates using elliptic curve cryptography should have allowed curve names,Optional,,,,,,,,,allowedECNames, +Key Vault,Keys should be the specified cryptographic type RSA or EC,Optional,,,,,,,,,allowedKeyTypes, +Key Vault,Keys using elliptic curve cryptography should have the specified curve names,Optional,,,,,,,,,allowedECNames, +Key Vault,Resource logs in Azure Key Vault Managed HSM should be enabled,Optional,,,,,,,1211.09aa3System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json +Key Vault,Resource logs in Key Vault should be enabled,Optional,LT-4,5.3,,,,,1211.09aa3System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json +Logic Apps,Resource logs in Logic Apps should be enabled,Optional,LT-4,5.3,,,,,1203.09aa1System.2 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json +Network,Web Application Firewall (WAF) should use the specified mode for Application Gateway,Optional,,,,,,,,NS-7,modeRequirement,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json +Network,Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service,Optional,,,,,,,,NS-7,modeRequirement,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json +SQL,Auditing on SQL server should be enabled,Optional,LT-4,4.1.1,,A.12.4.4,AU-12,3.3.4,1211.09aa3System.4 - 09.aa,,setting,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json +Search,Resource logs in Search services should be enabled,Optional,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json +Service Bus,Resource logs in Service Bus should be enabled,Optional,LT-4,5.3,,,,,1208.09aa3System.1 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json +Stream Analytics,Resource logs in Azure Stream Analytics should be enabled,Optional,LT-4,5.3,,,,,1207.09aa2System.4 - 09.aa,,requiredRetentionDays,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json +Synapse,Auditing on Synapse workspace should be enabled,Optional,,,,,,,,,setting, diff --git a/docs/params-optional.md b/docs/params-optional.md index dcadeab..571e95d 100644 --- a/docs/params-optional.md +++ b/docs/params-optional.md @@ -1,54 +1,36 @@ -| Service | Policy Definition | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Link | -|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|-------|-----------|-------------|----------------------|---------------------|-----------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| App Service | [Ensure that 'Java version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json) | PV-7 | 9.8 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json | -| App Service | [Ensure that 'Java version' is the latest, if used as a part of the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | PV-7 | 9.8 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json | -| App Service | [Ensure that 'Java version' is the latest, if used as a part of the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) | PV-7 | 9.8 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json | -| App Service | [Ensure that 'PHP version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) | PV-7 | 9.6 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json | -| App Service | [Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) | PV-7 | 9.6 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json | -| App Service | [Ensure that 'Python version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) | PV-7 | 9.7 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json | -| App Service | [Ensure that 'Python version' is the latest, if used as a part of the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) | PV-7 | 9.7 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json | -| App Service | [Ensure that 'Python version' is the latest, if used as a part of the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) | PV-7 | 9.7 | | | 3.14.1 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json | -| Batch | [Resource logs in Batch accounts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1205.09aa2System.1 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json | -| Data Box | [Azure Data Box jobs should enable double encryption for data at rest on the device](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json | -| Data Lake | [Resource logs in Azure Data Lake Store should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1202.09aa1System.1 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json | -| Data Lake | [Resource logs in Data Lake Analytics should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1210.09aa3System.3 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json | -| Event Hub | [Resource logs in Event Hub should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json | -| Guest Configuration | [Audit Linux machines that allow remote connections from accounts without passwords](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) | | | | A.9.1.2 | 3.1.12 | AC-17 (1) | | AC-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json | -| Guest Configuration | [Audit Linux machines that do not have the passwd file permissions set to 0644](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) | | | | A.9.2.4 | 3.5.10 | IA-5 | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json | -| Guest Configuration | [Audit Linux machines that have accounts without passwords](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | | | | A.9.1.2 | 3.5.7 | IA-5 | | AC-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json | -| Guest Configuration | [Audit Windows machines that allow re-use of the previous 24 passwords](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) | | | | A.9.4.3 | 3.5.8 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json | -| Guest Configuration | [Audit Windows machines that do not have a maximum password age of 70 days](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) | | | | A.9.4.3 | | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json | -| Guest Configuration | [Audit Windows machines that do not have a minimum password age of 1 day](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json) | | | | A.9.4.3 | | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json | -| Guest Configuration | [Audit Windows machines that do not have the password complexity setting enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json) | | | | A.9.4.3 | 3.5.7 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json | -| Guest Configuration | [Audit Windows machines that do not restrict the minimum password length to 14 characters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) | | | | A.9.4.3 | 3.5.7 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json | -| Guest Configuration | [Audit Windows machines that do not store passwords using reversible encryption](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) | | | | A.10.1.1 | 3.5.10 | IA-5 (1) | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json | -| Guest Configuration | [Audit Windows machines that have extra accounts in the Administrators group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) | | | | | | | 1123.01q1System.2 - 01.q | AC-9 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json | -| Guest Configuration | [Windows Defender Exploit Guard should be enabled on your machines](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) | ES-2 | | | | | | | DM-4 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Accounts'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAccounts_AINE.json) | | | | | | | 1148.01c2System.78 - 01.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAccounts_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Audit'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAudit_AINE.json) | | | | | | | 0605.10h1System.12 - 10.h | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsAudit_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Microsoft Network Server'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json) | | | | | | | 0709.10m1Organizational.1 - 10.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Network Access'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) | | | | | | | 0861.09m2Organizational.67 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Network Security'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json) | | | | | 3.5.10 | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - Recovery console'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsRecoveryconsole_AINE.json) | | | | | | | 1637.12b2Organizational.2 - 12.b | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsRecoveryconsole_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Options - User Account Control'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsUserAccountControl_AINE.json) | | | | | | | 1277.09c2Organizational.4 - 09.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsUserAccountControl_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Security Settings - Account Policies'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) | | | | | | | | AC-4 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'System Audit Policies - Account Management'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesAccountManagement_AINE.json) | | | | | | | 0605.10h1System.12 - 10.h | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesAccountManagement_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesDetailedTracking_AINE.json) | | | | | | | 0644.10k3Organizational.4 - 10.k | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesDetailedTracking_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'System Audit Policies - Policy Change'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPolicyChange_AINE.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPolicyChange_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'System Audit Policies - Privilege Use'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPrivilegeUse_AINE.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SystemAuditPoliciesPrivilegeUse_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'User Rights Assignment'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_UserRightsAssignment_AINE.json) | | | | | | | 1232.09c3Organizational.12 - 09.c | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_UserRightsAssignment_AINE.json | -| Guest Configuration | [Windows machines should meet requirements for 'Windows Firewall Properties'](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsFirewallProperties_AINE.json) | | | | | | | 0858.09m1Organizational.4 - 09.m | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsFirewallProperties_AINE.json | -| Guest Configuration | [Windows web servers should be configured to use secure communication protocols](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) | DP-4 | | | | 3.13.8 | SC-8 (1) | | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json | -| Guest Configuration | [[Preview]: Linux machines should meet requirements for the Azure security baseline](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json | -| Internet of Things | [Resource logs in IoT Hub should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1204.09aa1System.3 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json | -| Key Vault | [Resource logs in Azure Key Vault Managed HSM should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json) | | | | | | | 1211.09aa3System.4 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json | -| Key Vault | [Resource logs in Key Vault should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1211.09aa3System.4 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json | -| Key Vault | [[Preview]: Keys should be the specified cryptographic type RSA or EC](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_AllowedKeyTypes.json | -| Key Vault | [[Preview]: Keys using elliptic curve cryptography should have the specified curve names](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_EC_AllowedCurveNames.json | -| Logic Apps | [Resource logs in Logic Apps should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1203.09aa1System.2 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json | -| Network | [Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) | | | | | | | | NS-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json | -| Network | [Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) | | | | | | | | NS-7 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json | -| SQL | [Auditing on SQL server should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) | LT-4 | 4.1.1 | | A.12.4.4 | 3.3.4 | AU-12 | 1211.09aa3System.4 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json | -| Search | [Resource logs in Search services should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json | -| Service Bus | [Resource logs in Service Bus should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json | -| Stream Analytics | [Resource logs in Azure Stream Analytics should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json | \ No newline at end of file +| Service | Policy Definition | Parameter Requirements | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | +|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|-------|-----------|-------------|----------------------|---------------------|----------------------------|-------------------|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| API Management | [API Management service should use a SKU that supports virtual networks](None) | Optional | | | | | | | | | listOfAllowedSKUs | | +| App Service | [Ensure that 'Java version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json) | Optional | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json | +| App Service | [Ensure that 'Java version' is the latest, if used as a part of the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | Optional | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json | +| App Service | [Ensure that 'Java version' is the latest, if used as a part of the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) | Optional | PV-7 | 9.8 | | | 3.14.1 | | | | JavaLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json | +| App Service | [Ensure that 'PHP version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) | Optional | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json | +| App Service | [Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) | Optional | PV-7 | 9.6 | | | 3.14.1 | | | | PHPLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json | +| App Service | [Ensure that 'Python version' is the latest, if used as a part of the API app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) | Optional | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json | +| App Service | [Ensure that 'Python version' is the latest, if used as a part of the Function app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) | Optional | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json | +| App Service | [Ensure that 'Python version' is the latest, if used as a part of the Web app](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) | Optional | PV-7 | 9.7 | | | 3.14.1 | | | | WindowsPythonLatestVersion, LinuxPythonLatestVersion | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json | +| App Service | [Resource logs in App Services should be enabled](None) | Optional | | | | | | | | | requiredRetentionDays | | +| Batch | [Resource logs in Batch accounts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1205.09aa2System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json | +| Data Box | [Azure Data Box jobs should enable double encryption for data at rest on the device](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json) | Optional | | | | | | | | | supportedSKUs | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Box/DataBox_DoubleEncryption_Audit.json | +| Data Box | [Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password](None) | Optional | | | | | | | | | supportedSKUs | | +| Data Factory | [Azure Data Factory integration runtime should have a limit for number of cores](None) | Optional | | | | | | | | | maxCores | | +| Data Lake | [Resource logs in Azure Data Lake Store should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1202.09aa1System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json | +| Data Lake | [Resource logs in Data Lake Analytics should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1210.09aa3System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json | +| Event Hub | [Resource logs in Event Hub should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json | +| Internet of Things | [Resource logs in IoT Hub should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1204.09aa1System.3 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json | +| Key Vault | [Certificates should be issued by the specified integrated certificate authority](None) | Optional | | | | | | | | | allowedCAs | | +| Key Vault | [Certificates should have the specified maximum validity period](None) | Optional | | | | | | | | | maximumValidityInMonths | | +| Key Vault | [Certificates should use allowed key types](None) | Optional | | | | | | | | | allowedKeyTypes | | +| Key Vault | [Certificates using elliptic curve cryptography should have allowed curve names](None) | Optional | | | | | | | | | allowedECNames | | +| Key Vault | [Keys should be the specified cryptographic type RSA or EC](None) | Optional | | | | | | | | | allowedKeyTypes | | +| Key Vault | [Keys using elliptic curve cryptography should have the specified curve names](None) | Optional | | | | | | | | | allowedECNames | | +| Key Vault | [Resource logs in Azure Key Vault Managed HSM should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json) | Optional | | | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json | +| Key Vault | [Resource logs in Key Vault should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1211.09aa3System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json | +| Logic Apps | [Resource logs in Logic Apps should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1203.09aa1System.2 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json | +| Network | [Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) | Optional | | | | | | | | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json | +| Network | [Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) | Optional | | | | | | | | NS-7 | modeRequirement | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json | +| SQL | [Auditing on SQL server should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) | Optional | LT-4 | 4.1.1 | | A.12.4.4 | 3.3.4 | AU-12 | 1211.09aa3System.4 - 09.aa | | setting | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json | +| Search | [Resource logs in Search services should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json | +| Service Bus | [Resource logs in Service Bus should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1208.09aa3System.1 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json | +| Stream Analytics | [Resource logs in Azure Stream Analytics should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) | Optional | LT-4 | 5.3 | | | | | 1207.09aa2System.4 - 09.aa | | requiredRetentionDays | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json | +| Synapse | [Auditing on Synapse workspace should be enabled](None) | Optional | | | | | | | | | setting | | \ No newline at end of file diff --git a/docs/params-required.csv b/docs/params-required.csv index 103c8a2..aadfe49 100644 --- a/docs/params-required.csv +++ b/docs/params-required.csv @@ -1,27 +1,126 @@ -Service,Policy Definition,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Link -Compute,Only approved VM extensions should be installed,,7.4,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json -Compute,Resource logs in Virtual Machine Scale Sets should be enabled,LT-4,5.3,,,,,1206.09aa2System.23 - 09.aa,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json -General,Allowed locations,,,,,,,,ESS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json -General,Allowed locations for resource groups,,,,,,,,ESS-2,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json -Guest Configuration,Audit Windows machines missing any of specified members in the Administrators group,,,,,AC-6 (7),3.1.4,1127.01q2System.3 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json -Guest Configuration,Audit Windows machines on which the Log Analytics agent is not connected as expected,,,,,,,1217.09ab3System.3 - 09.ab,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json -Guest Configuration,Audit Windows machines that do not contain the specified certificates in Trusted Root,,,,,,,0945.09y1Organizational.3 - 09.y,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json -Guest Configuration,Audit Windows machines that have the specified members in the Administrators group,,,,,AC-6 (7),3.1.4,1125.01q2System.1 - 01.q,AC-9,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json -Key Vault,[Preview]: Certificates using RSA cryptography should have the specified minimum key size,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json -Key Vault,[Preview]: Keys using RSA cryptography should have a specified minimum key size,,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json -Kubernetes,Kubernetes cluster containers should not share host process ID or host IPC namespace,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json -Kubernetes,Kubernetes cluster containers should only use allowed AppArmor profiles,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json -Kubernetes,Kubernetes cluster containers should only use allowed capabilities,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json -Kubernetes,Kubernetes cluster containers should run with a read only root file system,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json -Kubernetes,Kubernetes cluster pod hostPath volumes should only use allowed host paths,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json -Kubernetes,Kubernetes cluster pods and containers should only run with approved user and group IDs,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json -Kubernetes,Kubernetes cluster pods should only use approved host network and port range,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json -Kubernetes,Kubernetes clusters should be accessible only over HTTPS,DP-4,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json -Kubernetes,Kubernetes clusters should not allow container privilege escalation,PV-2,,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json -Monitoring,An activity log alert should exist for specific Administrative operations,,5.2.9,,,,,1271.09ad1System.1 - 09.ad,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json -Monitoring,An activity log alert should exist for specific Policy operations,,5.2.2,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json -Monitoring,An activity log alert should exist for specific Security operations,,5.2.8,,,,,,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json -Monitoring,Audit Log Analytics workspace for VM - Report Mismatch,,,,,SI-4,3.3.2,,AC-14,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json -Monitoring,Audit diagnostic setting,,,,A.12.4.4,AU-12,3.3.4,1210.09aa3System.3 - 09.aa,DM-6,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json -Network,Network Watcher should be enabled,LT-3,6.5,,,,3.14.6,0888.09n2Organizational.6 - 09.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json -Network,Virtual machines should be connected to an approved virtual network,,,,,,,0814.01n1Organizational.12 - 01.n,,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json +Service,Policy Definition,Parameter Requirements,Azure Security Benchmark,CIS,CCMC L3,ISO 27001,NIST SP 800-53 R4,NIST SP 800-171 R2,HIPAA HITRUST 9.2,New Zealand ISM,Parameters,Link +App Configuration,Configure private DNS zones for private endpoints connected to App Configuration,Required,,,,,,,,,privateDnsZoneId, +App Configuration,Configure private endpoints for App Configuration,Required,,,,,,,,,privateEndpointSubnetId, +Automanage,Configure virtual machines to be onboarded to Azure Automanage,Required,,,,,,,,,"automanageAccount, configurationProfileAssignment", +Automation,Configure Azure Automation accounts with private DNS zones,Required,,,,,,,,,"privateDnsZoneId, privateEndpointGroupId", +Automation,Configure private endpoint connections on Azure Automation accounts,Required,,,,,,,,,privateEndpointSubnetId, +Backup,Configure backup on VMs with a given tag to a new recovery services vault with a default policy,Required,,,,,,,,,"inclusionTagName, inclusionTagValue", +Backup,Configure backup on VMs with a given tag to an existing recovery services vault in the same location,Required,,,,,,,,,"vaultLocation, inclusionTagName, inclusionTagValue, backupPolicyId", +Backup,Configure backup on VMs without a given tag to a new recovery services vault with a default policy,Required,,,,,,,,,"exclusionTagName, exclusionTagValue", +Backup,Configure backup on VMs without a given tag to an existing recovery services vault in the same location,Required,,,,,,,,,"vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue", +Batch,Configure Batch accounts with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Batch,Metric alert rules should be configured on Batch accounts,Required,,,,,,,,,metricName, +Cache,Configure Azure Cache for Redis to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Compute,Allowed virtual machine size SKUs,Required,,,,,,,,,listOfAllowedSKUs, +Compute,Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption,Required,,,,,,,,,allowedEncryptionSets, +Compute,Only approved VM extensions should be installed,Required,,7.4,,,,,,,approvedExtensions,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json +Compute,Resource logs in Virtual Machine Scale Sets should be enabled,Required,LT-4,5.3,,,,,1206.09aa2System.23 - 09.aa,,includeAKSClusters,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json +Cosmos DB,Azure Cosmos DB allowed locations,Required,,,,,,,,,"listOfAllowedLocations, policyEffect", +Cosmos DB,Azure Cosmos DB throughput should be limited,Required,,,,,,,,,throughputMax, +Cosmos DB,Configure CosmosDB accounts to use private DNS zones,Required,,,,,,,,,"privateDnsZoneId, privateEndpointGroupId", +Cosmos DB,Configure CosmosDB accounts with private endpoints ,Required,,,,,,,,,"privateEndpointSubnetId, privateEndpointGroupId", +Data Factory,Azure Data Factory linked service resource type should be in allow list,Required,,,,,,,,,allowedLinkedServiceResourceTypes, +Event Hub,Configure Event Hub namespaces to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Event Hub,Configure Event Hub namespaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +General,Allowed locations,Required,,,,,,,,ESS-2,listOfAllowedLocations,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json +General,Allowed locations for resource groups,Required,,,,,,,,ESS-2,listOfAllowedLocations,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json +General,Allowed resource types,Required,,,,,,,,,listOfResourceTypesAllowed, +General,Not allowed resource types,Required,,,,,,,,,listOfResourceTypesNotAllowed, +Internet of Things,Configure IoT Hub device provisioning instances to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Internet of Things,Configure IoT Hub device provisioning service instances with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Key Vault,Certificates should be issued by the specified non-integrated certificate authority,Required,,,,,,,,,caCommonName, +Key Vault,Certificates should have the specified lifetime action triggers,Required,,,,,,,,,"maximumPercentageLife, minimumDaysBeforeExpiry", +Key Vault,Certificates should not expire within the specified number of days,Required,,,,,,,,,daysToExpire, +Key Vault,Certificates using RSA cryptography should have the specified minimum key size,Required,,,,,,,,,minimumRSAKeySize, +Key Vault,Keys should have more than the specified number of days before expiration,Required,,,,,,,,,minimumDaysBeforeExpiration, +Key Vault,Keys should have the specified maximum validity period,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Keys should not be active for longer than the specified number of days,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Keys using RSA cryptography should have a specified minimum key size,Required,,,,,,,,,minimumRSAKeySize, +Key Vault,Secrets should have more than the specified number of days before expiration,Required,,,,,,,,,minimumDaysBeforeExpiration, +Key Vault,Secrets should have the specified maximum validity period,Required,,,,,,,,,maximumValidityInDays, +Key Vault,Secrets should not be active for longer than the specified number of days,Required,,,,,,,,,maximumValidityInDays, +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, keyVaultResourceId, httpsUserKeyVaultSecretName, httpsKeyKeyVaultSecretName", +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using SSH secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, sshKnownHostsContents, keyVaultResourceId, sshPrivateKeyKeyVaultSecretName", +Kubernetes,Configure Kubernetes clusters with specified GitOps configuration using no secrets,Required,,,,,,,,,"configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues", +Kubernetes,Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit", +Kubernetes,Kubernetes cluster containers should not share host process ID or host IPC namespace,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json +Kubernetes,Kubernetes cluster containers should not use forbidden sysctl interfaces,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, forbiddenSysctls", +Kubernetes,Kubernetes cluster containers should only listen on allowed ports,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList", +Kubernetes,Kubernetes cluster containers should only use allowed AppArmor profiles,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedProfiles",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json +Kubernetes,Kubernetes cluster containers should only use allowed ProcMountType,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, procMountType", +Kubernetes,Kubernetes cluster containers should only use allowed capabilities,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json +Kubernetes,Kubernetes cluster containers should only use allowed images,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex", +Kubernetes,Kubernetes cluster containers should only use allowed seccomp profiles,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedProfiles", +Kubernetes,Kubernetes cluster containers should run with a read only root file system,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json +Kubernetes,Kubernetes cluster pod FlexVolume volumes should only use allowed drivers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers", +Kubernetes,Kubernetes cluster pod hostPath volumes should only use allowed host paths,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedHostPaths",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json +Kubernetes,Kubernetes cluster pods and containers should only run with approved user and group IDs,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json +Kubernetes,Kubernetes cluster pods and containers should only use allowed SELinux options,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions", +Kubernetes,Kubernetes cluster pods should only use allowed volume types,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes", +Kubernetes,Kubernetes cluster pods should only use approved host network and port range,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json +Kubernetes,Kubernetes cluster pods should use specified labels,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, labelsList", +Kubernetes,Kubernetes cluster services should listen only on allowed ports,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedServicePortsList", +Kubernetes,Kubernetes cluster services should only use allowed external IPs,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, allowedExternalIPs", +Kubernetes,Kubernetes cluster should not allow privileged containers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should be accessible only over HTTPS,Required,DP-4,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json +Kubernetes,Kubernetes clusters should disable automounting API credentials,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should not allow container privilege escalation,Required,PV-2,,,,,,,,"excludedNamespaces, namespaces, labelSelector",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json +Kubernetes,Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should not use specific security capabilities,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector, disallowedCapabilities", +Kubernetes,Kubernetes clusters should not use the default namespace,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Kubernetes,Kubernetes clusters should use internal load balancers,Required,,,,,,,,,"excludedNamespaces, namespaces, labelSelector", +Lighthouse,Allow managing tenant ids to onboard through Azure Lighthouse,Required,,,,,,,,,listOfAllowedTenants, +Machine Learning,Configure allowed Python packages for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedPythonPackageChannels", +Machine Learning,Configure allowed module authors for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedModuleAuthors", +Machine Learning,Configure allowed registries for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, allowedACRs", +Machine Learning,Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, approvalEndpoint", +Machine Learning,Configure code signing for training code for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, signingKey", +Machine Learning,Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes,Required,,,,,,,,,"computeNames, logFilters, datastore", +Monitoring,An activity log alert should exist for specific Administrative operations,Required,,5.2.9,,,,,1271.09ad1System.1 - 09.ad,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json +Monitoring,An activity log alert should exist for specific Policy operations,Required,,5.2.2,,,,,,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json +Monitoring,An activity log alert should exist for specific Security operations,Required,,5.2.8,,,,,,,operationName,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json +Monitoring,Audit Log Analytics workspace for VM - Report Mismatch,Required,,,,,SI-4,3.3.2,,AC-14,logAnalyticsWorkspaceId,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json +Monitoring,Audit diagnostic setting,Required,,,,A.12.4.4,AU-12,3.3.4,1210.09aa3System.3 - 09.aa,DM-6,listOfResourceTypes,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json +Monitoring,Dependency agent should be enabled for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Deploy Log Analytics agent to Linux Azure Arc machines,Required,,,,,,,,,logAnalytics, +Monitoring,Deploy Log Analytics agent to Windows Azure Arc machines,Required,,,,,,,,,logAnalytics, +Monitoring,Log Analytics Agent should be enabled for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Monitoring,Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images,Required,,,,,,,,,"listOfImageIdToInclude_windows, listOfImageIdToInclude_linux", +Network,A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections,Required,,,,,,,,,"IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup", +Network,Network Watcher should be enabled,Required,LT-3,6.5,,,,3.14.6,0888.09n2Organizational.6 - 09.n,,"listOfLocations, resourceGroupName",https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json +Network,Virtual machines should be connected to an approved virtual network,Required,,,,,,,0814.01n1Organizational.12 - 01.n,,virtualNetworkId,https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json +Network,Virtual networks should use specified virtual network gateway,Required,,,,,,,,,virtualNetworkGatewayId, +SQL,Configure Azure SQL Server to enable private endpoint connections,Required,,,,,,,,,privateEndpointSubnetId, +SQL,Configure SQL servers to have auditing enabled,Required,,,,,,,,,"retentionDays, storageAccountsResourceGroup", +SQL,Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet,Required,,,,,,,,,subnetId, +Search,Configure Azure Cognitive Search services to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Security Center,Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.,Required,,,,,,,,,logAnalytics, +Service Bus,Configure Service Bus namespaces to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Service Bus,Configure Service Bus namespaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Storage,Configure Azure File Sync to use private DNS zones,Required,,,,,,,,,privateDnsZoneId, +Storage,Configure Azure File Sync with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Storage,Configure Storage account to use a private link connection,Required,,,,,,,,,"privateEndpointSubnetId, targetSubResource", +Storage,Configure diagnostic settings for storage accounts to Log Analytics workspace,Required,,,,,,,,,"diagnosticsSettingNameToUse, logAnalytics, StorageDelete, StorageWrite, StorageRead, Transaction", +Storage,Storage accounts should be limited by allowed SKUs,Required,,,,,,,,,listOfAllowedSKUs, +Synapse,Configure Azure Synapse workspaces to use private DNS zones,Required,,,,,,,,,"privateDnsZoneId, targetSubResource", +Synapse,Configure Azure Synapse workspaces with private endpoints,Required,,,,,,,,,privateEndpointSubnetId, +Synapse,Configure Synapse workspaces to have auditing enabled,Required,,,,,,,,,"retentionDays, storageAccountsResourceGroup", +Synapse,Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants,Required,,,,,,,,,allowedTenantIds, +Tags,Add a tag to resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Add a tag to resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Add a tag to subscriptions,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Add or replace a tag on subscriptions,Required,,,,,,,,,"tagName, tagValue", +Tags,Append a tag and its value from the resource group,Required,,,,,,,,,tagName, +Tags,Append a tag and its value to resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Append a tag and its value to resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Inherit a tag from the resource group,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the resource group if missing,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the subscription,Required,,,,,,,,,tagName, +Tags,Inherit a tag from the subscription if missing,Required,,,,,,,,,tagName, +Tags,Require a tag and its value on resource groups,Required,,,,,,,,,"tagName, tagValue", +Tags,Require a tag and its value on resources,Required,,,,,,,,,"tagName, tagValue", +Tags,Require a tag on resource groups,Required,,,,,,,,,tagName, +Tags,Require a tag on resources,Required,,,,,,,,,tagName, diff --git a/docs/params-required.md b/docs/params-required.md index 73570be..a6b1694 100644 --- a/docs/params-required.md +++ b/docs/params-required.md @@ -1,28 +1,127 @@ -| Service | Policy Definition | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Link | -|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|-------|-----------|-------------|----------------------|---------------------|-----------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Compute | [Only approved VM extensions should be installed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json) | | 7.4 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json | -| Compute | [Resource logs in Virtual Machine Scale Sets should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json) | LT-4 | 5.3 | | | | | 1206.09aa2System.23 - 09.aa | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json | -| General | [Allowed locations for resource groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json) | | | | | | | | ESS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json | -| General | [Allowed locations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json) | | | | | | | | ESS-2 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json | -| Guest Configuration | [Audit Windows machines missing any of specified members in the Administrators group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) | | | | | 3.1.4 | AC-6 (7) | 1127.01q2System.3 - 01.q | AC-9 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json | -| Guest Configuration | [Audit Windows machines on which the Log Analytics agent is not connected as expected](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) | | | | | | | 1217.09ab3System.3 - 09.ab | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json | -| Guest Configuration | [Audit Windows machines that do not contain the specified certificates in Trusted Root](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json) | | | | | | | 0945.09y1Organizational.3 - 09.y | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json | -| Guest Configuration | [Audit Windows machines that have the specified members in the Administrators group](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) | | | | | 3.1.4 | AC-6 (7) | 1125.01q2System.1 - 01.q | AC-9 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json | -| Key Vault | [[Preview]: Certificates using RSA cryptography should have the specified minimum key size](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json | -| Key Vault | [[Preview]: Keys using RSA cryptography should have a specified minimum key size](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json) | | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json | -| Kubernetes | [Kubernetes cluster containers should not share host process ID or host IPC namespace](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json | -| Kubernetes | [Kubernetes cluster containers should only use allowed AppArmor profiles](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json | -| Kubernetes | [Kubernetes cluster containers should only use allowed capabilities](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json | -| Kubernetes | [Kubernetes cluster containers should run with a read only root file system](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json | -| Kubernetes | [Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json | -| Kubernetes | [Kubernetes cluster pods and containers should only run with approved user and group IDs](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json | -| Kubernetes | [Kubernetes cluster pods should only use approved host network and port range](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json | -| Kubernetes | [Kubernetes clusters should be accessible only over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) | DP-4 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json | -| Kubernetes | [Kubernetes clusters should not allow container privilege escalation](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) | PV-2 | | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json | -| Monitoring | [An activity log alert should exist for specific Administrative operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json) | | 5.2.9 | | | | | 1271.09ad1System.1 - 09.ad | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json | -| Monitoring | [An activity log alert should exist for specific Policy operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json) | | 5.2.2 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json | -| Monitoring | [An activity log alert should exist for specific Security operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) | | 5.2.8 | | | | | | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json | -| Monitoring | [Audit Log Analytics workspace for VM - Report Mismatch](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) | | | | | 3.3.2 | SI-4 | | AC-14 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json | -| Monitoring | [Audit diagnostic setting](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) | | | | A.12.4.4 | 3.3.4 | AU-12 | 1210.09aa3System.3 - 09.aa | DM-6 | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json | -| Network | [Network Watcher should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) | LT-3 | 6.5 | | | 3.14.6 | | 0888.09n2Organizational.6 - 09.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json | -| Network | [Virtual machines should be connected to an approved virtual network](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json) | | | | | | | 0814.01n1Organizational.12 - 01.n | | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json | \ No newline at end of file +| Service | Policy Definition | Parameter Requirements | Azure Security Benchmark | CIS | CCMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | +|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|-------|-----------|-------------|----------------------|---------------------|-----------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------| +| App Configuration | [Configure private DNS zones for private endpoints connected to App Configuration](None) | Required | | | | | | | | | privateDnsZoneId | | +| App Configuration | [Configure private endpoints for App Configuration](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Automanage | [Configure virtual machines to be onboarded to Azure Automanage](None) | Required | | | | | | | | | automanageAccount, configurationProfileAssignment | | +| Automation | [Configure Azure Automation accounts with private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId, privateEndpointGroupId | | +| Automation | [Configure private endpoint connections on Azure Automation accounts](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Backup | [Configure backup on VMs with a given tag to a new recovery services vault with a default policy](None) | Required | | | | | | | | | inclusionTagName, inclusionTagValue | | +| Backup | [Configure backup on VMs with a given tag to an existing recovery services vault in the same location](None) | Required | | | | | | | | | vaultLocation, inclusionTagName, inclusionTagValue, backupPolicyId | | +| Backup | [Configure backup on VMs without a given tag to a new recovery services vault with a default policy](None) | Required | | | | | | | | | exclusionTagName, exclusionTagValue | | +| Backup | [Configure backup on VMs without a given tag to an existing recovery services vault in the same location](None) | Required | | | | | | | | | vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue | | +| Batch | [Configure Batch accounts with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Batch | [Metric alert rules should be configured on Batch accounts](None) | Required | | | | | | | | | metricName | | +| Cache | [Configure Azure Cache for Redis to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Compute | [Allowed virtual machine size SKUs](None) | Required | | | | | | | | | listOfAllowedSKUs | | +| Compute | [Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption](None) | Required | | | | | | | | | allowedEncryptionSets | | +| Compute | [Only approved VM extensions should be installed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json) | Required | | 7.4 | | | | | | | approvedExtensions | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json | +| Compute | [Resource logs in Virtual Machine Scale Sets should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json) | Required | LT-4 | 5.3 | | | | | 1206.09aa2System.23 - 09.aa | | includeAKSClusters | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json | +| Cosmos DB | [Azure Cosmos DB allowed locations](None) | Required | | | | | | | | | listOfAllowedLocations, policyEffect | | +| Cosmos DB | [Azure Cosmos DB throughput should be limited](None) | Required | | | | | | | | | throughputMax | | +| Cosmos DB | [Configure CosmosDB accounts to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId, privateEndpointGroupId | | +| Cosmos DB | [Configure CosmosDB accounts with private endpoints ](None) | Required | | | | | | | | | privateEndpointSubnetId, privateEndpointGroupId | | +| Data Factory | [Azure Data Factory linked service resource type should be in allow list](None) | Required | | | | | | | | | allowedLinkedServiceResourceTypes | | +| Event Hub | [Configure Event Hub namespaces to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Event Hub | [Configure Event Hub namespaces with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| General | [Allowed locations for resource groups](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json) | Required | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json | +| General | [Allowed locations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json) | Required | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json | +| General | [Allowed resource types](None) | Required | | | | | | | | | listOfResourceTypesAllowed | | +| General | [Not allowed resource types](None) | Required | | | | | | | | | listOfResourceTypesNotAllowed | | +| Internet of Things | [Configure IoT Hub device provisioning instances to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Internet of Things | [Configure IoT Hub device provisioning service instances with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Key Vault | [Certificates should be issued by the specified non-integrated certificate authority](None) | Required | | | | | | | | | caCommonName | | +| Key Vault | [Certificates should have the specified lifetime action triggers](None) | Required | | | | | | | | | maximumPercentageLife, minimumDaysBeforeExpiry | | +| Key Vault | [Certificates should not expire within the specified number of days](None) | Required | | | | | | | | | daysToExpire | | +| Key Vault | [Certificates using RSA cryptography should have the specified minimum key size](None) | Required | | | | | | | | | minimumRSAKeySize | | +| Key Vault | [Keys should have more than the specified number of days before expiration](None) | Required | | | | | | | | | minimumDaysBeforeExpiration | | +| Key Vault | [Keys should have the specified maximum validity period](None) | Required | | | | | | | | | maximumValidityInDays | | +| Key Vault | [Keys should not be active for longer than the specified number of days](None) | Required | | | | | | | | | maximumValidityInDays | | +| Key Vault | [Keys using RSA cryptography should have a specified minimum key size](None) | Required | | | | | | | | | minimumRSAKeySize | | +| Key Vault | [Secrets should have more than the specified number of days before expiration](None) | Required | | | | | | | | | minimumDaysBeforeExpiration | | +| Key Vault | [Secrets should have the specified maximum validity period](None) | Required | | | | | | | | | maximumValidityInDays | | +| Key Vault | [Secrets should not be active for longer than the specified number of days](None) | Required | | | | | | | | | maximumValidityInDays | | +| Kubernetes | [Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets](None) | Required | | | | | | | | | configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, keyVaultResourceId, httpsUserKeyVaultSecretName, httpsKeyKeyVaultSecretName | | +| Kubernetes | [Configure Kubernetes clusters with specified GitOps configuration using SSH secrets](None) | Required | | | | | | | | | configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues, sshKnownHostsContents, keyVaultResourceId, sshPrivateKeyKeyVaultSecretName | | +| Kubernetes | [Configure Kubernetes clusters with specified GitOps configuration using no secrets](None) | Required | | | | | | | | | configurationResourceName, operatorInstanceName, operatorNamespace, operatorScope, operatorType, operatorParams, repositoryUrl, enableHelmOperator, chartVersion, chartValues | | +| Kubernetes | [Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit | | +| Kubernetes | [Kubernetes cluster containers should not share host process ID or host IPC namespace](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json | +| Kubernetes | [Kubernetes cluster containers should not use forbidden sysctl interfaces](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, forbiddenSysctls | | +| Kubernetes | [Kubernetes cluster containers should only listen on allowed ports](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList | | +| Kubernetes | [Kubernetes cluster containers should only use allowed AppArmor profiles](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json | +| Kubernetes | [Kubernetes cluster containers should only use allowed ProcMountType](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, procMountType | | +| Kubernetes | [Kubernetes cluster containers should only use allowed capabilities](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json | +| Kubernetes | [Kubernetes cluster containers should only use allowed images](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex | | +| Kubernetes | [Kubernetes cluster containers should only use allowed seccomp profiles](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | | +| Kubernetes | [Kubernetes cluster containers should run with a read only root file system](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json | +| Kubernetes | [Kubernetes cluster pod FlexVolume volumes should only use allowed drivers](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers | | +| Kubernetes | [Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedHostPaths | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json | +| Kubernetes | [Kubernetes cluster pods and containers should only run with approved user and group IDs](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json | +| Kubernetes | [Kubernetes cluster pods and containers should only use allowed SELinux options](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions | | +| Kubernetes | [Kubernetes cluster pods should only use allowed volume types](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes | | +| Kubernetes | [Kubernetes cluster pods should only use approved host network and port range](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json | +| Kubernetes | [Kubernetes cluster pods should use specified labels](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, labelsList | | +| Kubernetes | [Kubernetes cluster services should listen only on allowed ports](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedServicePortsList | | +| Kubernetes | [Kubernetes cluster services should only use allowed external IPs](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedExternalIPs | | +| Kubernetes | [Kubernetes cluster should not allow privileged containers](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector | | +| Kubernetes | [Kubernetes clusters should be accessible only over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) | Required | DP-4 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json | +| Kubernetes | [Kubernetes clusters should disable automounting API credentials](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector | | +| Kubernetes | [Kubernetes clusters should not allow container privilege escalation](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) | Required | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json | +| Kubernetes | [Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector | | +| Kubernetes | [Kubernetes clusters should not use specific security capabilities](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector, disallowedCapabilities | | +| Kubernetes | [Kubernetes clusters should not use the default namespace](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector | | +| Kubernetes | [Kubernetes clusters should use internal load balancers](None) | Required | | | | | | | | | excludedNamespaces, namespaces, labelSelector | | +| Lighthouse | [Allow managing tenant ids to onboard through Azure Lighthouse](None) | Required | | | | | | | | | listOfAllowedTenants | | +| Machine Learning | [Configure allowed Python packages for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, allowedPythonPackageChannels | | +| Machine Learning | [Configure allowed module authors for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, allowedModuleAuthors | | +| Machine Learning | [Configure allowed registries for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, allowedACRs | | +| Machine Learning | [Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, approvalEndpoint | | +| Machine Learning | [Configure code signing for training code for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, signingKey | | +| Machine Learning | [Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes](None) | Required | | | | | | | | | computeNames, logFilters, datastore | | +| Monitoring | [An activity log alert should exist for specific Administrative operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json) | Required | | 5.2.9 | | | | | 1271.09ad1System.1 - 09.ad | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json | +| Monitoring | [An activity log alert should exist for specific Policy operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json) | Required | | 5.2.2 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json | +| Monitoring | [An activity log alert should exist for specific Security operations](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) | Required | | 5.2.8 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json | +| Monitoring | [Audit Log Analytics workspace for VM - Report Mismatch](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) | Required | | | | | 3.3.2 | SI-4 | | AC-14 | logAnalyticsWorkspaceId | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json | +| Monitoring | [Audit diagnostic setting](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) | Required | | | | A.12.4.4 | 3.3.4 | AU-12 | 1210.09aa3System.3 - 09.aa | DM-6 | listOfResourceTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json | +| Monitoring | [Dependency agent should be enabled for listed virtual machine images](None) | Required | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | | +| Monitoring | [Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](None) | Required | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | | +| Monitoring | [Deploy Log Analytics agent to Linux Azure Arc machines](None) | Required | | | | | | | | | logAnalytics | | +| Monitoring | [Deploy Log Analytics agent to Windows Azure Arc machines](None) | Required | | | | | | | | | logAnalytics | | +| Monitoring | [Log Analytics Agent should be enabled for listed virtual machine images](None) | Required | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | | +| Monitoring | [Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images](None) | Required | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | | +| Network | [A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections](None) | Required | | | | | | | | | IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup | | +| Network | [Network Watcher should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) | Required | LT-3 | 6.5 | | | 3.14.6 | | 0888.09n2Organizational.6 - 09.n | | listOfLocations, resourceGroupName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json | +| Network | [Virtual machines should be connected to an approved virtual network](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json) | Required | | | | | | | 0814.01n1Organizational.12 - 01.n | | virtualNetworkId | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json | +| Network | [Virtual networks should use specified virtual network gateway](None) | Required | | | | | | | | | virtualNetworkGatewayId | | +| SQL | [Configure Azure SQL Server to enable private endpoint connections](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| SQL | [Configure SQL servers to have auditing enabled](None) | Required | | | | | | | | | retentionDays, storageAccountsResourceGroup | | +| SQL | [Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet](None) | Required | | | | | | | | | subnetId | | +| Search | [Configure Azure Cognitive Search services to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Security Center | [Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.](None) | Required | | | | | | | | | logAnalytics | | +| Service Bus | [Configure Service Bus namespaces to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Service Bus | [Configure Service Bus namespaces with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Storage | [Configure Azure File Sync to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId | | +| Storage | [Configure Azure File Sync with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Storage | [Configure Storage account to use a private link connection](None) | Required | | | | | | | | | privateEndpointSubnetId, targetSubResource | | +| Storage | [Configure diagnostic settings for storage accounts to Log Analytics workspace](None) | Required | | | | | | | | | diagnosticsSettingNameToUse, logAnalytics, StorageDelete, StorageWrite, StorageRead, Transaction | | +| Storage | [Storage accounts should be limited by allowed SKUs](None) | Required | | | | | | | | | listOfAllowedSKUs | | +| Synapse | [Configure Azure Synapse workspaces to use private DNS zones](None) | Required | | | | | | | | | privateDnsZoneId, targetSubResource | | +| Synapse | [Configure Azure Synapse workspaces with private endpoints](None) | Required | | | | | | | | | privateEndpointSubnetId | | +| Synapse | [Configure Synapse workspaces to have auditing enabled](None) | Required | | | | | | | | | retentionDays, storageAccountsResourceGroup | | +| Synapse | [Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants](None) | Required | | | | | | | | | allowedTenantIds | | +| Tags | [Add a tag to resource groups](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Add a tag to resources](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Add a tag to subscriptions](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Add or replace a tag on resource groups](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Add or replace a tag on resources](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Add or replace a tag on subscriptions](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Append a tag and its value from the resource group](None) | Required | | | | | | | | | tagName | | +| Tags | [Append a tag and its value to resource groups](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Append a tag and its value to resources](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Inherit a tag from the resource group if missing](None) | Required | | | | | | | | | tagName | | +| Tags | [Inherit a tag from the resource group](None) | Required | | | | | | | | | tagName | | +| Tags | [Inherit a tag from the subscription if missing](None) | Required | | | | | | | | | tagName | | +| Tags | [Inherit a tag from the subscription](None) | Required | | | | | | | | | tagName | | +| Tags | [Require a tag and its value on resource groups](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Require a tag and its value on resources](None) | Required | | | | | | | | | tagName, tagValue | | +| Tags | [Require a tag on resource groups](None) | Required | | | | | | | | | tagName | | +| Tags | [Require a tag on resources](None) | Required | | | | | | | | | tagName | | \ No newline at end of file diff --git a/test/guardrails/test_services_v2.py b/test/guardrails/test_services_v2.py index f243604..fd810c1 100644 --- a/test/guardrails/test_services_v2.py +++ b/test/guardrails/test_services_v2.py @@ -128,3 +128,26 @@ def test_get_all_display_names_sorted_by_service(self): import yaml results = yaml.dump(results) print(results) + + def test_services_compliance_coverage(self): + results = self.all_services.compliance_coverage_data() + # print(json.dumps(results, indent=4)) + + def test_services_table_summary(self): + results = self.all_services.table_summary(hyperlink_format=False) + # print(json.dumps(results, indent=4)) + + def test_services_csv_summary(self): + path = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir, "all_policies.csv")) + if os.path.exists(path): + print("Removing") + os.remove(path) + # print(json.dumps(results, indent=4)) + + def test_services_markdown_summary(self): + path = os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir, "all_policies.md")) + if os.path.exists(path): + print("Removing") + os.remove(path) + results = self.all_services.markdown_table() + # print(results) diff --git a/test/shared/test_compliance_data.py b/test/shared/test_compliance_data.py deleted file mode 100644 index d46536d..0000000 --- a/test/shared/test_compliance_data.py +++ /dev/null @@ -1,83 +0,0 @@ -import os -import unittest -import json -from azure_guardrails.shared import utils -from azure_guardrails.scrapers.compliance_data import PolicyComplianceData, ComplianceCoverage, PolicyDefinitionMetadata, \ - BenchmarkEntry -import unittest -from azure_guardrails.shared import utils -from azure_guardrails.guardrails.services import Services, Service -from azure_guardrails.scrapers.compliance_data import ComplianceCoverage -from azure_guardrails.shared.config import get_default_config, get_config_from_file - - -class PolicyComplianceDataTestCase(unittest.TestCase): - def setUp(self): - self.policy_compliance_data = PolicyComplianceData() - - def test_policy_definition_names(self): - names = self.policy_compliance_data.policy_definition_names() - self.assertTrue(len(names) >= 300) - print(json.dumps(names, indent=4)) - - def test_get_benchmark_data_matching_policy_definition(self): - display_name = "A maximum of 3 owners should be designated for your subscription" - results = self.policy_compliance_data.get_benchmark_data_matching_policy_definition(display_name) - # print(json.dumps(results, indent=4)) - - -class ComplianceCoverageTestCase(unittest.TestCase): - def test_compliance_coverage_response(self): - display_names = [ - "Storage accounts should restrict network access using virtual network rules", - "Storage accounts should use customer-managed key for encryption", - "[Preview]: Storage account public access should be disallowed", - ] - compliance_coverage = ComplianceCoverage(display_names=display_names) - results = compliance_coverage.matching_metadata - # print(json.dumps(results, indent=4)) - markdown_table = compliance_coverage.markdown_table() - # print(markdown_table) - # print(tabulate(results, headers=headers, tablefmt="github")) - - def test_compliance_coverage_response_full(self): - policy_compliance_data = PolicyComplianceData() - display_names = policy_compliance_data.policy_definition_names() - compliance_coverage = ComplianceCoverage(display_names=display_names) - # results = compliance_coverage.matching_metadata - # print(json.dumps(results, indent=4)) - markdown_table = compliance_coverage.markdown_table() - # print(markdown_table) - # print(tabulate(results, headers=headers, tablefmt="github")) - - -# class OtherComplianceCoverageTestCase(unittest.TestCase): -# def setUp(self): -# service = "all" -# config = get_default_config(exclude_services=None) -# with_parameters = False -# if service == "all": -# self.services = Services(config=config) -# self.policy_names = self.services.di -# else: -# self.services = Service(service_name=service, config=config) -# self.policy_names = self.services.get_display_names(with_parameters=with_parameters) -# self.compliance_coverage = ComplianceCoverage(display_names=self.policy_names) -# -# def test_markdown_table(self): -# markdown_table = self.compliance_coverage.markdown_table() -# summary = self.compliance_coverage.table_summary() -# print(markdown_table) - - # def test_csv_table(self): - # path = os.path.join( - # os.path.pardir, - # os.path.pardir, - # "test.csv" - # ) - # if os.path.exists(path): - # print("Removing the previous file") - # os.remove(path) - # self.compliance_coverage.csv_table(path, verbosity=0) - # print(f"CSV updated! Path: {path}") -