From 76c4df1f8b5fe52f6ff48c1dc82c841a5bb6799a Mon Sep 17 00:00:00 2001 
From: Azure Policy Bot
Date: Thu, 11 Apr 2024 03:29:42 +0000
Subject: [PATCH] Built-in Policy Release 42252151
---
 .../DisablePublicNetworkAccess_Audit.json | 12 +-
 .../ContainerEnforcePreStopHook.json | 153 ++++++++++++++++++
 .../Kubernetes/ImagesDoNotUseLatest.json | 153 ++++++++++++++++++
 .../Kubernetes/MutateMaxUnavailablePods.json | 49 ++++++
 .../MutateReadOnlyRootFilesystem.json | 49 ++++++
 ...eReadOnlyRootFilesystemInitContainers.json | 49 ++++++
 .../MutateReservedSystemPoolTaints.json | 49 ++++++
 .../Kubernetes/MutateResourceCPULimits.json | 49 ++++++
 .../MutateResourceMemoryLimits.json | 49 ++++++
 .../DS_EH_eventhub-namespaces_DINE.json | 6 +-
 ...paccounts-capacitypools-volumes_DINE.json} | 0
 .../DS_EH_network-publicipaddresses_DINE.json | 6 +-
 .../DS_EH_sql-servers-databases_DINE.json | 6 +-
 ...nfiguration-configurationstores_DINE.json} | 0
 .../DS_LA_eventhub-namespaces_DINE.json | 6 +-
 ...hinelearningservices-workspaces_DINE.json} | 0
 ...paccounts-capacitypools-volumes_DINE.json} | 0
 .../DS_LA_network-publicipaddresses_DINE.json | 6 +-
 .../DS_LA_sql-servers-databases_DINE.json | 6 +-
 ...nfiguration-configurationstores_DINE.json} | 0
 .../DS_ST_eventhub-namespaces_DINE.json | 6 +-
 ...hinelearningservices-workspaces_DINE.json} | 0
 ...paccounts-capacitypools-volumes_DINE.json} | 0
 .../DS_ST_network-publicipaddresses_DINE.json | 6 +-
 .../DS_ST_sql-servers-databases_DINE.json | 6 +-
 ...ttings_logAnalytics_app-service_DINE.json} | 0
 ..._logAnalytics_application-group_DINE.json} | 0
 ...gAnalytics_application-insights_DINE.json} | 0
 ...gSettings_logAnalytics_cosmosdb_DINE.json} | 0
 ...gSettings_logAnalytics_firewall_DINE.json} | 0
 ...tings_logAnalytics_function-app_DINE.json} | 0
 ...gSettings_logAnalytics_hostpool_DINE.json} | 0
 ...Analytics_postgresql-flexserver_DINE.json} | 0
 ...Settings_logAnalytics_workspace_DINE.json} | 0
 .../ASC_Email_notification.json | 33 +++-
 ...il_notification_to_subscription_owner.json | 31 +++-
 .../Regulatory Compliance/CMMC_2_0_L2.json | 27 +---
 .../Regulatory Compliance/CMMC_L3.json | 28 +---
 .../Regulatory Compliance/DOD_IL4_audit.json | 25 +--
 .../Regulatory Compliance/DOD_IL5_audit.json | 25 +--
 .../FedRAMP_H_audit.json | 25 +--
 .../FedRAMP_M_audit.json | 25 +--
 .../NIST_SP_800-171_R2.json | 27 +---
 .../NIST_SP_800-53_R4.json | 25 +--
 .../NIST_SP_800-53_R5.json | 25 +--
 .../Regulatory Compliance/asb_v2.json | 23 +--
 .../Security Center/AzureSecurityCenter.json | 23 +--
 .../Kubernetes/AKS_Safeguards.json | 110 ++++++++++++-
 .../Regulatory Compliance/CMMC_2_0_L2.json | 27 +---
 .../Regulatory Compliance/CMMC_L3.json | 28 +---
 .../FedRAMP_H_audit.json | 25 +--
 .../FedRAMP_M_audit.json | 25 +--
 .../NIST_SP_800-171_R2.json | 27 +---
 .../NIST_SP_800-53_R4.json | 25 +--
 .../NIST_SP_800-53_R5.json | 25 +--
 .../NL_BIO_Cloud_Theme.json | 23 +--
 .../NZ_ISM_Restricted_v3_5.json | 23 +--
 .../RBI_ITF_Banks_v2016.json | 14 +-
 .../Regulatory Compliance/asb_v2.json | 23 +--
 .../Regulatory Compliance/nz_ism.json | 23 +--
 .../AuditPublicNetworkAccessInitiative.json | 20 +--
 .../Security Center/AzureSecurityCenter.json | 23 +--
 62 files changed, 954 insertions(+), 495 deletions(-)
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
 create mode 100644 built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
 rename built-in-policies/policyDefinitions/Monitoring/{DS_EH_netapp-netappaccounts_DINE.json => DS_EH_netapp-netappaccounts-capacitypools-volumes_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_appconfig-configstores_DINE.json => DS_LA_appconfiguration-configurationstores_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_machinelearningservices_DINE.json => DS_LA_machinelearningservices-workspaces_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_netapp-netappaccounts_DINE.json => DS_LA_netapp-netappaccounts-capacitypools-volumes_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_ST_appconfig-configstores_DINE.json => DS_ST_appconfiguration-configurationstores_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_ST_machinelearningservices_DINE.json => DS_ST_machinelearningservices-workspaces_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_ST_netapp-netappaccounts_DINE.json => DS_ST_netapp-netappaccounts-capacitypools-volumes_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_app-service_DINE.json => DiagSettings_logAnalytics_app-service_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_application-group_DINE.json => DiagSettings_logAnalytics_application-group_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_application-insights_DINE.json => DiagSettings_logAnalytics_application-insights_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_cosmosdb_DINE.json => DiagSettings_logAnalytics_cosmosdb_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_firewall_DINE.json => DiagSettings_logAnalytics_firewall_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_function-app_DINE.json => DiagSettings_logAnalytics_function-app_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_hostpool_DINE.json => DiagSettings_logAnalytics_hostpool_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_postgresql-flexserver_DINE.json => DiagSettings_logAnalytics_postgresql-flexserver_DINE.json} (100%)
 rename built-in-policies/policyDefinitions/Monitoring/{DS_LA_workspace_DINE.json => DiagSettings_logAnalytics_workspace_DINE.json} (100%)
diff --git a/built-in-policies/policyDefinitions/Cognitive Services/DisablePublicNetworkAccess_Audit.json b/built-in-policies/policyDefinitions/Cognitive Services/DisablePublicNetworkAccess_Audit.json
index 19e2234dc..051909fc1 100644
--- a/built-in-policies/policyDefinitions/Cognitive Services/DisablePublicNetworkAccess_Audit.json
+++ b/built-in-policies/policyDefinitions/Cognitive Services/DisablePublicNetworkAccess_Audit.json
@@ -1,18 +1,19 @@
 {
 "properties": {
- "displayName": "Cognitive Services accounts should disable public network access",
+ "displayName": "[Deprecated]: Cognitive Services accounts should disable public network access",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",
 "metadata": {
- "version": "3.0.1",
- "category": "Cognitive Services"
+ "version": "3.1.0-deprecated",
+ "category": "Cognitive Services",
+ "deprecated": true
 },
- "version": "3.0.1",
+ "version": "3.1.0",
 "parameters": {
 "effect": {
 "type": "string",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
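Review bot: The deprecation in this hunk flips the effect parameter's `defaultValue` from `Audit` to `Disabled` while the description is left unchanged, so nothing in the definition says why it is deprecated or which definition supersedes it, and an assignment that relied on the default silently stops evaluating public-network exposure of Cognitive Services accounts. Put the reason and the replacement into the description so a reader can migrate, e.g. `"description": "This policy is deprecated because [REASON — placeholder]; use [REPLACEMENT POLICY — placeholder] instead. To improve the security of Cognitive Services accounts, ..."`. The `allowedValues` array the hunk ends in continues outside the hunk.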
@@ -42,6 +43,7 @@
 }
 },
 "versions": [
+ "3.1.0",
 "3.0.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
new file mode 100644
index 000000000..68c3d512e
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
@@ -0,0 +1,153 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Kubernetes cluster container images must include the preStop hook",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ },
+ "namespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace inclusions",
+ "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+ },
+ "defaultValue": []
+ },
+ "labelSelector": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Kubernetes label selector",
+ "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+ },
+ "defaultValue": {},
+ "schema": {
+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+ "type": "object",
+ "properties": {
+ "matchLabels": {
+ "description": "matchLabels is a map of {key,value} pairs.",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ "matchExpressions": {
+ "description": "matchExpressions is a list of values, a key, and an operator.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "description": "key is the label key that the selector applies to.",
+ "type": "string"
+ },
+ "operator": {
+ "description": "operator represents a key's relationship to a set of values.",
+ "type": "string",
+ "enum": [
+ "In",
+ "NotIn",
+ "Exists",
+ "DoesNotExist"
+ ]
+ },
+ "values": {
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "key",
+ "operator"
+ ],
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "warn": "[parameters('warn')]",
+ "templateInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/container-enforce-pre-stop-hook/v1/template.yaml"
+ },
+ "apiGroups": [
+ "apps"
+ ],
+ "kinds": [
+ "Deployment",
+ "StatefulSet",
+ "ReplicationController",
+ "ReplicaSet"
+ ],
+ "namespaces": "[parameters('namespaces')]",
+ "excludedNamespaces": "[parameters('excludedNamespaces')]",
+ "labelSelector": "[parameters('labelSelector')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/1a3b9003-eac6-4d39-a184-4a567ace7645",
+ "name": "1a3b9003-eac6-4d39-a184-4a567ace7645"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json b/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
new file mode 100644
index 000000000..a09af669b
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
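Review bot: `ReplicationController` is listed under `"kinds"` while `"apiGroups"` holds only `"apps"`; ReplicationController is a core-group (`""`) kind, so if the match is evaluated per group/kind pair that entry never matches and those workloads are silently skipped by the preStop check. Either drop the kind or add the core group, `"apiGroups": ["", "apps"]`. The same apiGroups/kinds combination appears in the ImagesDoNotUseLatest hunk that follows. Bare Pods, DaemonSets, Jobs and CronJobs are not in the kinds list at all; if that is deliberate, the description should say the check covers only the listed controllers.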
@@ -0,0 +1,153 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Kubernetes cluster container images should not include latest image tag",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ },
+ "namespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace inclusions",
+ "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+ },
+ "defaultValue": []
+ },
+ "labelSelector": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Kubernetes label selector",
+ "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+ },
+ "defaultValue": {},
+ "schema": {
+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+ "type": "object",
+ "properties": {
+ "matchLabels": {
+ "description": "matchLabels is a map of {key,value} pairs.",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ "matchExpressions": {
+ "description": "matchExpressions is a list of values, a key, and an operator.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "description": "key is the label key that the selector applies to.",
+ "type": "string"
+ },
+ "operator": {
+ "description": "operator represents a key's relationship to a set of values.",
+ "type": "string",
+ "enum": [
+ "In",
+ "NotIn",
+ "Exists",
+ "DoesNotExist"
+ ]
+ },
+ "values": {
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "key",
+ "operator"
+ ],
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "warn": "[parameters('warn')]",
+ "templateInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/container-no-latest-image/v1/template.yaml"
+ },
+ "apiGroups": [
+ "apps"
+ ],
+ "kinds": [
+ "Deployment",
+ "StatefulSet",
+ "ReplicationController",
+ "ReplicaSet"
+ ],
+ "namespaces": "[parameters('namespaces')]",
+ "excludedNamespaces": "[parameters('excludedNamespaces')]",
+ "labelSelector": "[parameters('labelSelector')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/021f8078-41a0-40e6-81b6-c6597da9f3ee",
+ "name": "021f8078-41a0-40e6-81b6-c6597da9f3ee"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json b/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
new file mode 100644
index 000000000..9af5e6069
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
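Review bot: The effect parameter's description spells the values `'audit'`, `'deny'` and `'disabled'` in lower case while `allowedValues` and the sibling ContainerEnforcePreStopHook definition in this commit use `Audit`, `Deny`, `Disabled`; align it with the sibling text, `"description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."`. The policy description is also a comma splice (`...do not use the latest tag in Kubernetes, it is a best practice...`); splitting it into two sentences, the requirement and then the rationale, reads better in the portal.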
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-max-unavailable-pods/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/d77f191e-2338-45d0-b6d4-4ee1c586a192",
+ "name": "d77f191e-2338-45d0-b6d4-4ee1c586a192"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
new file mode 100644
index 000000000..dbe66739d
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
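Review bot: Unlike the audit definitions in this commit, this mutate definition exposes no `namespaces`, `excludedNamespaces` or `labelSelector` parameter, so any scoping, including keeping `kube-system` and the other system namespaces out of the mutation, lives only in the mutation.yaml at the referenced URL, which is not in the diff; the description should state what the mutation is scoped to, or the definition should expose the same scoping parameters the audit definitions have. The same gap is in all six Mutate* definitions added by this commit. Separately, the effect description here and in MutateReadOnlyRootFilesystem, MutateReadOnlyRootFilesystemInitContainers and MutateReservedSystemPoolTaints reads `modifies a non-compliant resource be compliant`; the CPU and memory definitions have the intended wording, `'Mutate' modifies a non-compliant resource to be compliant when creating or updating.`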
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-read-only-root-filesystem/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/8e875f96-2c56-40ca-86db-b9f6a0be7347",
+ "name": "8e875f96-2c56-40ca-86db-b9f6a0be7347"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
new file mode 100644
index 000000000..564c0107e
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
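Review bot: The displayName and description refer to `readOnlyRootFileSystem`, but the Kubernetes securityContext field is `readOnlyRootFilesystem` (lower-case `s`); someone searching the policy catalogue for the field by name will not find this definition, so use the actual field name in both strings, e.g. `"displayName": "[Preview]: Sets readOnlyRootFilesystem in the Pod spec to true if it is not set."`. The MutateReadOnlyRootFilesystemInitContainers hunk that follows has the same spelling and additionally says `This works only for linux containers.`; if both mutations depend on the same Linux-only field, that sentence belongs in this description as well.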
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-read-only-root-filesystem-init-containers/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/2ae2f266-ecc3-4d26-82c5-8c3cb7774f45",
+ "name": "2ae2f266-ecc3-4d26-82c5-8c3cb7774f45"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
new file mode 100644
index 000000000..001110278
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-systempool-taints/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/e16d171b-bfe5-4d79-a525-19736b396e92",
+ "name": "e16d171b-bfe5-4d79-a525-19736b396e92"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
new file mode 100644
index 000000000..762c1ed3e
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present or exceeding limits.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-resource-cpu-limits/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/42ba1d72-e90f-42f8-bf99-5a1351eed2b1",
+ "name": "42ba1d72-e90f-42f8-bf99-5a1351eed2b1"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
new file mode 100644
index 000000000..d18d43ad6
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
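Review bot: The displayName promises CPU limits set `to default values in case not present or exceeding limits`, but neither the default nor the upper bound is stated or exposed as a parameter; they presumably live in the mutation.yaml at the referenced URL, which is not in this diff, so an operator assigning the policy cannot tell from the definition what limit will be written into their containers. State the values in the description, or add parameters for them, e.g. `"description": "Sets container CPU limits to [DEFAULT LIMIT — placeholder] when absent or above [MAX LIMIT — placeholder], to prevent resource exhaustion in a Kubernetes cluster."`. The MutateResourceMemoryLimits hunk that follows has the same gap.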
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present or exceeding limits.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-resource-memory-limits/v1/mutation.yaml"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/5f86d473-38a8-46c9-bdfe-d7fa3b9836bf",
+ "name": "5f86d473-38a8-46c9-bdfe-d7fa3b9836bf"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_EH_eventhub-namespaces_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_EH_eventhub-namespaces_DINE.json
index 7de344585..537d00cd7 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DS_EH_eventhub-namespaces_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DS_EH_eventhub-namespaces_DINE.json
@@ -4,10 +4,10 @@
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces).",
 "mode": "Indexed",
 "policyType": "BuiltIn",
- "version": "1.1.0",
+ "version": "1.2.0",
 "metadata": {
 "category": "Monitoring",
- "version": "1.1.0"
+ "version": "1.2.0"
 },
 "parameters": {
 "effect": {
@@ -86,6 +86,7 @@
 "effect": "[parameters('effect')]",
 "details": {
 "type": "Microsoft.Insights/diagnosticSettings",
+ "evaluationDelay": "AfterProvisioning",
 "existenceCondition": {
 "allOf": [
 {
@@ -221,6 +222,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_EH_netapp-netappaccounts_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_EH_netapp-netappaccounts-capacitypools-volumes_DINE.json
similarity index 100%
rename from built-in-policies/policyDefinitions/Monitoring/DS_EH_netapp-netappaccounts_DINE.json
rename to built-in-policies/policyDefinitions/Monitoring/DS_EH_netapp-netappaccounts-capacitypools-volumes_DINE.json
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_EH_network-publicipaddresses_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_EH_network-publicipaddresses_DINE.json
index 6acf59e0a..eeebca65e 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DS_EH_network-publicipaddresses_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DS_EH_network-publicipaddresses_DINE.json
@@ -4,10 +4,10 @@
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses).",
 "mode": "Indexed",
 "policyType": "BuiltIn",
- "version": "1.1.0",
+ "version": "1.2.0",
 "metadata": {
 "category": "Monitoring",
- "version": "1.1.0"
+ "version": "1.2.0"
 },
 "parameters": {
 "effect": {
@@ -86,6 +86,7 @@
 "effect": "[parameters('effect')]",
 "details": {
 "type": "Microsoft.Insights/diagnosticSettings",
+ "evaluationDelay": "AfterProvisioning",
 "existenceCondition": {
 "allOf": [
 {
@@ -221,6 +222,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_EH_sql-servers-databases_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_EH_sql-servers-databases_DINE.json
index ab3e82d24..23652a7f2 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DS_EH_sql-servers-databases_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DS_EH_sql-servers-databases_DINE.json
@@ -4,10 +4,10 @@
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases).",
 "mode": "Indexed",
 "policyType": "BuiltIn",
- "version": "1.1.0",
+ "version": "1.2.0",
 "metadata": {
 "category": "Monitoring",
- "version": "1.1.0"
+ "version": "1.2.0"
 },
 "parameters": {
 "effect": {
@@ -86,6 +86,7 @@
 "effect": "[parameters('effect')]",
 "details": {
 "type": "Microsoft.Insights/diagnosticSettings",
+ "evaluationDelay": "AfterProvisioning",
 "existenceCondition": {
 "allOf": [
 {
@@ -221,6 +222,7 @@ } }, "versions": [ + "1.2.0", "1.1.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_appconfig-configstores_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_appconfiguration-configurationstores_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_appconfig-configstores_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_LA_appconfiguration-configurationstores_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_eventhub-namespaces_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_eventhub-namespaces_DINE.json index 4b55345fd..c576f9594 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_LA_eventhub-namespaces_DINE.json +++ b/built-in-policies/policyDefinitions/Monitoring/DS_LA_eventhub-namespaces_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { @@ -88,6 +88,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -204,6 +205,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_machinelearningservices_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_machinelearningservices-workspaces_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_machinelearningservices_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_LA_machinelearningservices-workspaces_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_netapp-netappaccounts_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_netapp-netappaccounts-capacitypools-volumes_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_netapp-netappaccounts_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_LA_netapp-netappaccounts-capacitypools-volumes_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_network-publicipaddresses_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_network-publicipaddresses_DINE.json index c29a80dac..db89771cd 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_LA_network-publicipaddresses_DINE.json +++ b/built-in-policies/policyDefinitions/Monitoring/DS_LA_network-publicipaddresses_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { 
@@ -88,6 +88,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -204,6 +205,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_sql-servers-databases_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_LA_sql-servers-databases_DINE.json index 8b39c64d6..31863552b 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_LA_sql-servers-databases_DINE.json +++ b/built-in-policies/policyDefinitions/Monitoring/DS_LA_sql-servers-databases_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { @@ -88,6 +88,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -204,6 +205,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_appconfig-configstores_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_appconfiguration-configurationstores_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_ST_appconfig-configstores_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_ST_appconfiguration-configurationstores_DINE.json 
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_eventhub-namespaces_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_eventhub-namespaces_DINE.json index 3dbe00ea4..b2cf301f5 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_ST_eventhub-namespaces_DINE.json +++ b/built-in-policies/policyDefinitions/Monitoring/DS_ST_eventhub-namespaces_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { @@ -77,6 +77,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -200,6 +201,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_machinelearningservices_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_machinelearningservices-workspaces_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_ST_machinelearningservices_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_ST_machinelearningservices-workspaces_DINE.json 
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_netapp-netappaccounts_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_netapp-netappaccounts-capacitypools-volumes_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_ST_netapp-netappaccounts_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DS_ST_netapp-netappaccounts-capacitypools-volumes_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_network-publicipaddresses_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_network-publicipaddresses_DINE.json index 38dd8c562..3d0fadfe0 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_ST_network-publicipaddresses_DINE.json +++ b/built-in-policies/policyDefinitions/Monitoring/DS_ST_network-publicipaddresses_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { @@ -77,6 +77,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -200,6 +201,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_ST_sql-servers-databases_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DS_ST_sql-servers-databases_DINE.json index 246a03f62..e8d66dc2f 100644 --- a/built-in-policies/policyDefinitions/Monitoring/DS_ST_sql-servers-databases_DINE.json 
+++ b/built-in-policies/policyDefinitions/Monitoring/DS_ST_sql-servers-databases_DINE.json @@ -4,10 +4,10 @@ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases).", "mode": "Indexed", "policyType": "BuiltIn", - "version": "1.0.0", + "version": "1.1.0", "metadata": { "category": "Monitoring", - "version": "1.0.0" + "version": "1.1.0" }, "parameters": { "effect": { @@ -77,6 +77,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { @@ -200,6 +201,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_app-service_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_app-service_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_app-service_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_app-service_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_application-group_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_application-group_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_application-group_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_application-group_DINE.json 
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_application-insights_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_application-insights_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_application-insights_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_application-insights_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_cosmosdb_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_cosmosdb_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_cosmosdb_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_cosmosdb_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_firewall_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_firewall_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_firewall_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_firewall_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_function-app_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_function-app_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_function-app_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_function-app_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_hostpool_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_hostpool_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_hostpool_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_hostpool_DINE.json 
diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_postgresql-flexserver_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_postgresql-flexserver_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_postgresql-flexserver_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_postgresql-flexserver_DINE.json diff --git a/built-in-policies/policyDefinitions/Monitoring/DS_LA_workspace_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_workspace_DINE.json similarity index 100% rename from built-in-policies/policyDefinitions/Monitoring/DS_LA_workspace_DINE.json rename to built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_workspace_DINE.json diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification.json b/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification.json index 67e597dbd..fb825c844 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification.json @@ -5,10 +5,10 @@ "mode": "All", "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.", "metadata": { - "version": "1.0.1", + "version": "1.1.0", "category": "Security Center" }, - "version": "1.0.1", + "version": "1.1.0", "parameters": { "effect": { "type": "string", 
@@ -33,13 +33,38 @@ "details": { "type": "Microsoft.Security/securityContacts", "existenceCondition": { - "field": "Microsoft.Security/securityContacts/alertNotifications", - "notEquals": "Off" + "not": { + "anyOf": [ + { + "field": "Microsoft.Security/securityContacts/alertNotifications", + "notEquals": "On" + }, + { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/isEnabled", + "notEquals": true + }, + { + "count": { + "field": "Microsoft.Security/securityContacts/notificationsSources[*]", + "where": { + "field": "Microsoft.Security/securityContacts/notificationsSources[*].sourceType", + "equals": "Alert" + } + }, + "equals": 1 + } + ] + } + ] + } } } } }, "versions": [ + "1.1.0", "1.0.1" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification_to_subscription_owner.json b/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification_to_subscription_owner.json index 556a14360..7d339f766 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification_to_subscription_owner.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification_to_subscription_owner.json @@ -5,10 +5,10 @@ "mode": "All", "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Security Center" }, - "version": "2.0.0", + "version": "2.1.0", "parameters": { "effect": { "type": "string", 
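Review bot: The rewritten `existenceCondition` in this hunk is a conjunction, not the either-schema check its shape suggests: `not` over `anyOf` makes a contact compliant only when `alertNotifications` equals `On` AND (`isEnabled` is true OR the count of `Alert` sources is not exactly 1). The previous `notEquals: "Off"` tolerated an absent field, whereas the new first branch fails any contact whose `alertNotifications` value is missing or not literally `On`, and the second branch never grants compliance on its own, so a contact defined only through `isEnabled`/`notificationsSources` (if that alias is absent on it — I cannot confirm from the diff) would be non-compliant. The sibling ASC_Email_notification_to_subscription_owner change in this commit uses a positive `anyOf` of the old field and a `count` branch, which reads as the intended semantics here too. If so, express it positively, and prefer `greaterOrEquals: 1` so a contact listing the Alert source more than once is not rejected.
```json
"existenceCondition": {
  "anyOf": [
    {
      "field": "Microsoft.Security/securityContacts/alertNotifications",
      "equals": "On"
    },
    {
      "allOf": [
        {
          "field": "Microsoft.Security/securityContacts/isEnabled",
          "equals": true
        },
        {
          "count": {
            "field": "Microsoft.Security/securityContacts/notificationsSources[*]",
            "where": {
              "field": "Microsoft.Security/securityContacts/notificationsSources[*].sourceType",
              "equals": "Alert"
            }
          },
          "greaterOrEquals": 1
        }
      ]
    }
  ]
}
```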
@@ -41,8 +41,30 @@ "equals": "Off" }, { - "field": "Microsoft.Security/securityContacts/alertNotifications.minimalSeverity", - "equals": "High" + "anyOf": [ + { + "field": "Microsoft.Security/securityContacts/alertNotifications.minimalSeverity", + "equals": "High" + }, + { + "count": { + "field": "Microsoft.Security/securityContacts/notificationsSources[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/notificationsSources[*].sourceType", + "equals": "Alert" + }, + { + "field": "Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity", + "equals": "High" + } + ] + } + }, + "equals": 1 + } + ] } ] } @@ -51,6 +73,7 @@ } }, "versions": [ + "2.1.0", "2.0.0" ] }, diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json index c61189568..3b8391fba 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative.", "metadata": { - "version": "1.6.0-preview", + "version": "1.7.0-preview", "category": "Regulatory Compliance", "preview": true }, - "version": "1.6.0-preview", + "version": "1.7.0-preview", "policyDefinitionGroups": [ { "name": "CMMC_2.0_L2_AC.L1-3.1.1", 
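Review bot: The new `count` branch accepts a contact whose `Alert` source has `minimalSeverity` `High` without checking that the contact itself is enabled, so a contact with `isEnabled: false` and that source satisfies this branch; whether the enclosing `allOf` already checks `isEnabled` cannot be seen here, because that `allOf` starts before the hunk. If it does not, wrap the `count` in an `allOf` together with `{ "field": "Microsoft.Security/securityContacts/isEnabled", "equals": true }`. Separately, `"equals": 1` requires exactly one matching source; `"greaterOrEquals": 1` expresses "at least one" and avoids a spurious non-compliance when the Alert source is listed twice.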
@@ -969,14 +969,15 @@ "type": "string", "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true }, "allowedValues": [ "Audit", "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" }, "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": { "type": "string", @@ -3686,23 +3687,6 @@ "CMMC_2.0_L2_SC.L2-3.13.6" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "CMMC_2.0_L2_SC.L1-3.13.1", - "CMMC_2.0_L2_SC.L1-3.13.5", - "CMMC_2.0_L2_SC.L2-3.13.6", - "CMMC_2.0_L2_AC.L2-3.1.3", - "CMMC_2.0_L2_SC.L2-3.13.2" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", "definitionVersion": "1.*.*", @@ -4914,6 +4898,7 @@ } ], "versions": [ + "1.7.0-PREVIEW", "1.6.0-PREVIEW", "1.5.0-PREVIEW", "1.4.1-PREVIEW", diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json index e394b4906..cf80ab6c8 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json 
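Review bot: Marking `effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca` as `deprecated` and defaulting it to `Disabled` leaves a parameter that no `policyDefinitions` entry references once the 0725b4dd reference is removed later in this file, so an assignment that still sets it to `Audit` or `Deny` is accepted and silently has no effect. The removed reference was the Cognitive Services public-network-access check mapped to the SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.6 and AC.L2-3.1.3 groups; unless a replacement definition is added elsewhere in this release (the diffstat lists a change to DisablePublicNetworkAccess_Audit.json that I cannot see), those groups lose that control's coverage. Consider saying so in the parameter's description so assignment authors are not misled, e.g. `"description": "Deprecated in 1.7.0-preview: the referenced policy was removed from this initiative and this parameter no longer has any effect; for more information about effects, visit https://aka.ms/policyeffects"`. The same pattern is repeated for the other regulatory-compliance initiatives in this commit.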
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.", "metadata": { - "version": "9.3.1", + "version": "9.4.0", "category": "Regulatory Compliance" }, - "version": "9.3.1", + "version": "9.4.0", "policyDefinitionGroups": [ { "name": "CMMC_L3_AC.1.001", @@ -1783,7 +1783,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -1791,7 +1791,8 @@ ], "metadata": { "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": { @@ -3568,24 +3569,6 @@ "CMMC_L3_SC.3.183" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "CMMC_L3_AC.1.001", - "CMMC_L3_AC.1.002", - "CMMC_L3_AC.2.016", - "CMMC_L3_CM.3.068", - "CMMC_L3_SC.1.175", - "CMMC_L3_SC.3.183" - ] - }, { "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", @@ -4330,6 +4313,7 @@ } ], "versions": [ + "9.4.0", "9.3.1", "9.3.0" ] 
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json index 14e0ed703..7bed99c03 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.", "metadata": { - "version": "22.6.1", + "version": "22.7.0", "category": "Regulatory Compliance" }, - "version": "22.6.1", + "version": "22.7.0", "policyDefinitionGroups": [ { "name": "DoD_IL4_R4_AC-1", @@ -3022,7 +3022,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -3030,7 +3030,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { 
@@ -5632,21 +5633,6 @@ "DoD_IL4_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "DoD_IL4_R4_AC-4", - "DoD_IL4_R4_SC-7", - "DoD_IL4_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -7181,6 +7167,7 @@ } ], "versions": [ + "22.7.0", "22.6.1", "22.5.0", "22.4.1", diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json index be7a0a7cc..c54b963e2 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of DoD Impact Level 5 (IL5) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil5-initiative.", "metadata": { - "version": "19.6.1", + "version": "19.7.0", "category": "Regulatory Compliance" }, - "version": "19.6.1", + "version": "19.7.0", "policyDefinitionGroups": [ { "name": "DoD_IL5_R4_AC-1", @@ -3046,7 +3046,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", 
@@ -3054,7 +3054,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { @@ -5656,21 +5657,6 @@ "DoD_IL5_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "DoD_IL5_R4_AC-4", - "DoD_IL5_R4_SC-7", - "DoD_IL5_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -7205,6 +7191,7 @@ } ], "versions": [ + "19.7.0", "19.6.1", "19.5.0", "19.4.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json index f426ad817..1353a9a86 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp", "metadata": { - "version": "17.7.0", + "version": "17.8.0", "category": "Regulatory Compliance" }, - "version": "17.7.0", + "version": "17.8.0", "policyDefinitionGroups": [ { "name": "FedRAMP_High_R4_AC-1", @@ -2942,7 +2942,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -2950,7 +2950,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { 
@@ -4769,21 +4770,6 @@ "FedRAMP_High_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "FedRAMP_High_R4_AC-4", - "FedRAMP_High_R4_SC-7", - "FedRAMP_High_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -6195,6 +6181,7 @@ } ], "versions": [ + "17.8.0", "17.7.0", "17.6.0", "17.5.0", diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json index 089ab889d..0c54a06bb 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/", "metadata": { - "version": "17.6.0", + "version": "17.7.0", "category": "Regulatory Compliance" }, - "version": "17.6.0", + "version": "17.7.0", "policyDefinitionGroups": [ { "name": "FedRAMP_Moderate_R4_AC-1", @@ -2558,7 +2558,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -2566,7 +2566,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { 
@@ -4122,21 +4123,6 @@ "FedRAMP_Moderate_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "FedRAMP_Moderate_R4_AC-4", - "FedRAMP_Moderate_R4_SC-7", - "FedRAMP_Moderate_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -5423,6 +5409,7 @@ } ], "versions": [ + "17.7.0", "17.6.0", "17.5.0", "17.4.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json index 8885ec88a..d2b654838 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171", "metadata": { - "version": "15.6.0", + "version": "15.7.0", "category": "Regulatory Compliance" }, - "version": "15.6.0", + "version": "15.7.0", "policyDefinitionGroups": [ { "name": "NIST_SP_800-171_R2_3.1.1", @@ -761,7 +761,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -769,7 +769,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": { 
@@ -2744,23 +2745,6 @@ "NIST_SP_800-171_R2_3.13.6" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "NIST_SP_800-171_R2_3.1.3", - "NIST_SP_800-171_R2_3.13.1", - "NIST_SP_800-171_R2_3.13.2", - "NIST_SP_800-171_R2_3.13.5", - "NIST_SP_800-171_R2_3.13.6" - ] - }, { "policyDefinitionReferenceId": "ee980b6d-0eca-4501-8d54-f6290fd512c3", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", @@ -4918,6 +4902,7 @@ } ], "versions": [ + "15.7.0", "15.6.0", "15.5.0", "15.4.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json index 8165926a3..79c4ce6eb 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative", "metadata": { - "version": "18.6.0", + "version": "18.7.0", "category": "Regulatory Compliance" }, - "version": "18.6.0", + "version": "18.7.0", "policyDefinitionGroups": [ { "name": "NIST_SP_800-53_R4_AC-1", 
@@ -4561,7 +4561,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -4569,7 +4569,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { @@ -6159,21 +6160,6 @@ "NIST_SP_800-53_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "NIST_SP_800-53_R4_AC-4", - "NIST_SP_800-53_R4_SC-7", - "NIST_SP_800-53_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -14086,6 +14072,7 @@ } ], "versions": [ + "18.7.0", "18.6.0", "18.5.0", "18.4.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json index 86f0554b9..b94ab7f0f 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative", "metadata": { - "version": "14.6.0", + "version": "14.7.0", "category": "Regulatory Compliance" }, - "version": "14.6.0", + "version": "14.7.0", "policyDefinitionGroups": [ { "name": "NIST_SP_800-53_R5_AC-1", @@ -5138,7 +5138,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -5146,7 +5146,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": { 
@@ -6655,21 +6656,6 @@ "NIST_SP_800-53_R5_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "NIST_SP_800-53_R5_AC-4", - "NIST_SP_800-53_R5_SC-7", - "NIST_SP_800-53_R5_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", @@ -14408,6 +14394,7 @@ } ], "versions": [ + "14.7.0", "14.6.0", "14.5.0", "14.4.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json index aca387ddd..abba189f3 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center", "metadata": { - "version": "10.4.0-deprecated", + "version": "10.5.0-deprecated", "deprecated": true, "category": "Regulatory Compliance" }, - "version": "10.4.0", + "version": "10.5.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v2.0_NS-1", 
@@ -405,7 +405,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -413,7 +413,8 @@ ], "metadata": { "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": { @@ -2410,19 +2411,6 @@ "Azure_Security_Benchmark_v2.0_NS-1" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "Azure_Security_Benchmark_v2.0_NS-1" - ] - }, { "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", @@ -3925,6 +3913,7 @@ } ], "versions": [ + "10.5.0", "10.4.0", "10.3.1", "10.3.0" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json index 36b12b7f1..28b754daf 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.", "metadata": { - "version": "47.16.0", + "version": "47.17.0", "category": "Security Center" }, - "version": "47.16.0", + "version": "47.17.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v3.0_NS-1", @@ -4523,7 +4523,7 @@ }, "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect": { "type": "string", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -4531,7 +4531,8 @@ ], "metadata": { "displayName": "Public network access should be disabled for Cognitive Services accounts", - "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed." + "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.", + "deprecated": true } }, "cognitiveServicesAccountsShouldEnableDataEncryptionMonitoringEffect": { 
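Review bot: The description of `publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect` still states "This policy audits any Cognitive Services account in your environment with public network access enabled", which is now false on both counts: the default becomes `Disabled` and the parameter is marked `"deprecated": true`, and the reference that used it is deleted in the next hunk. Because this initiative is the Defender for Cloud default initiative, a stale audit claim here is more likely to mislead than elsewhere; suggest `"description": "Deprecated: this parameter is no longer used. The Cognitive Services public network access policy has been removed from this initiative; the parameter is retained only so existing assignments continue to validate."`. The `displayName` could likewise gain a `[Deprecated]` prefix if that is the convention used for other retired parameters in this file.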
@@ -6703,19 +6704,6 @@ "Azure_Security_Benchmark_v3.0_NS-2" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect", - "parameters": { - "effect": { - "value": "[parameters('publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect')]" - } - }, - "groupNames": [ - "Azure_Security_Benchmark_v3.0_NS-2" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "definitionVersion": "1.*.*", @@ -7118,6 +7106,7 @@ } ], "versions": [ + "47.17.0", "47.16.0", "47.15.0", "47.14.0", diff --git a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json index bc8b33d53..8a90278fc 100644 --- a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json +++ b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc", "metadata": { - "version": "1.4.1-preview", + "version": "1.6.0-preview", "category": "Kubernetes", "preview": true }, - "version": "1.4.1-preview", + "version": "1.6.0-preview", "parameters": { "warn": { "type": "Boolean", 
@@ -123,6 +123,18 @@ "readinessProbe", "livenessProbe" ] + }, + "effectForMutationPolicies": { + "type": "String", + "metadata": { + "displayName": "Mutate Effect", + "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy." + }, + "allowedValues": [ + "Mutate", + "Disabled" + ], + "defaultValue": "Disabled" } }, "policyDefinitions": [ 
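Review bot: The `effectForMutationPolicies` description explains what 'Mutate' means generically but not that the definitions wired to it in this initiative (judging by their reference IDs: read-only root filesystem, CPU and memory limits, max-unavailable pods, reserved system-pool taints) rewrite admitted pod and deployment specs and therefore change runtime behaviour, which is the caveat an operator needs before moving off the `Disabled` default. Suggest: `"description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. The mutations in this initiative rewrite workload specs (for example forcing a read-only root filesystem or injecting resource limits), so validate them on a non-production cluster first. 'Disabled' turns off the policy."`. Defaulting to `Disabled` is the right conservative choice and should stay.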
@@ -349,9 +361,103 @@ "value": "[parameters('excludedNamespaces')]" } } + }, + { + "policyDefinitionReferenceId": "readOnlyRootFileSystemInitContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ae2f266-ecc3-4d26-82c5-8c3cb7774f45", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } + }, + { + "policyDefinitionReferenceId": "resourceCPULimits", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42ba1d72-e90f-42f8-bf99-5a1351eed2b1", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } + }, + { + "policyDefinitionReferenceId": "resourceMemoryLimits", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f86d473-38a8-46c9-bdfe-d7fa3b9836bf", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } + }, + { + "policyDefinitionReferenceId": "imagesDoNotUseLatest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/021f8078-41a0-40e6-81b6-c6597da9f3ee", + "definitionVersion": "1.*.*-preview", + "parameters": { + "warn": { + "value": "[parameters('warn')]" + }, + "effect": { + "value": "[parameters('effect')]" + }, + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces')]" + } + } + }, + { + "policyDefinitionReferenceId": "containerEnforcePreStopHook", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a3b9003-eac6-4d39-a184-4a567ace7645", + "definitionVersion": "1.*.*-preview", + "parameters": { + "warn": { + "value": "[parameters('warn')]" + }, + "effect": { + "value": "[parameters('effect')]" + }, + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces')]" + } + } + }, + { + "policyDefinitionReferenceId": "mutateMaxUnavailablePods", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/d77f191e-2338-45d0-b6d4-4ee1c586a192", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } + }, + { + "policyDefinitionReferenceId": "mutateReadOnlyRootFilesystem", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e875f96-2c56-40ca-86db-b9f6a0be7347", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } + }, + { + "policyDefinitionReferenceId": "mutateReservedSystemPoolTaints", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e16d171b-bfe5-4d79-a525-19736b396e92", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effectForMutationPolicies')]" + } + } } ], "versions": [ + "1.6.0-PREVIEW", + "1.5.0-PREVIEW", "1.4.1-PREVIEW", "1.4.0-PREVIEW", "1.3.3-PREVIEW", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json index 27f54ca50..36ba5fafe 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative.", "metadata": { - "version": "2.9.0-preview", + "version": "2.10.0-preview", "category": "Regulatory Compliance", "preview": true }, - "version": "2.9.0-preview", + "version": "2.10.0-preview", "policyDefinitionGroups": [ { "name": "CMMC_2.0_L2_AC.L1-3.1.1", 
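Review bot: The five mutation references (`readOnlyRootFileSystemInitContainers`, `resourceCPULimits`, `resourceMemoryLimits`, `mutateMaxUnavailablePods`, `mutateReadOnlyRootFilesystem`, `mutateReservedSystemPoolTaints`) pass only `effect`, whereas the audit references added in the same hunk (`imagesDoNotUseLatest`, `containerEnforcePreStopHook`) also pass `excludedNamespaces`, so an assignment that excludes system namespaces from auditing would still have them mutated. If the mutation definitions accept it, wire the initiative parameter through with `"excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" }`; if they do not, the `effectForMutationPolicies` description should state that mutation applies to every namespace, because forcing a read-only root filesystem or injecting limits into system workloads can break them. Separately, `versions` gains both `"1.6.0-PREVIEW"` and `"1.5.0-PREVIEW"` while the metadata jumps straight from 1.4.1 to 1.6.0 and nothing in this diff corresponds to a 1.5.0; confirm that 1.5.0 was actually published rather than a history entry invented here.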
@@ -1163,14 +1163,15 @@ "type": "string", "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true }, "allowedValues": [ "Audit", "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" }, "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": { "type": "string", @@ -4356,23 +4357,6 @@ "CMMC_2.0_L2_SC.L2-3.13.6" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "CMMC_2.0_L2_SC.L1-3.13.1", - "CMMC_2.0_L2_SC.L1-3.13.5", - "CMMC_2.0_L2_SC.L2-3.13.6", - "CMMC_2.0_L2_AC.L2-3.1.3", - "CMMC_2.0_L2_SC.L2-3.13.2" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", "definitionVersion": "2.*.*", @@ -5759,6 +5743,7 @@ } ], "versions": [ + "2.10.0-PREVIEW", "2.9.0-PREVIEW", "2.8.0-PREVIEW", "2.7.0-PREVIEW", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json index 641e8c59b..6b112f4a6 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.", "metadata": { - "version": "11.5.0", + "version": "11.6.0", "category": "Regulatory Compliance" }, - "version": "11.5.0", + "version": "11.6.0", "policyDefinitionGroups": [ { "name": "CMMC_L3_AC.1.001", @@ -2151,7 +2151,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -2159,7 +2159,8 @@ ], "metadata": { "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": { @@ -5021,24 +5022,6 @@ "CMMC_L3_SC.3.183" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "CMMC_L3_AC.1.001", - "CMMC_L3_AC.1.002", - "CMMC_L3_AC.2.016", - "CMMC_L3_CM.3.068", - "CMMC_L3_SC.1.175", - "CMMC_L3_SC.3.183" - ] - }, { "policyDefinitionReferenceId": "0820b7b9-23aa-4725-a1ce-ae4558f718e5", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", @@ -6298,6 +6281,7 @@ } ], "versions": [ + "11.6.0", "11.5.0", "11.4.0", "11.3.0" 
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json index 338c82e2a..6fbe561f1 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp", "metadata": { - "version": "17.10.0", + "version": "17.11.0", "category": "Regulatory Compliance" }, - "version": "17.10.0", + "version": "17.11.0", "policyDefinitionGroups": [ { "name": "FedRAMP_High_R4_AC-1", @@ -3041,7 +3041,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -3049,7 +3049,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-5f0bc445-3935-4915-9981-011aa2b46147": { 
@@ -5114,21 +5115,6 @@ "FedRAMP_High_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "FedRAMP_High_R4_AC-4", - "FedRAMP_High_R4_SC-7", - "FedRAMP_High_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", @@ -11598,6 +11584,7 @@ } ], "versions": [ + "17.11.0", "17.10.0", "17.9.0", "17.8.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json index 89967be84..9346c1a5f 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/", "metadata": { - "version": "17.9.0", + "version": "17.10.0", "category": "Regulatory Compliance" }, - "version": "17.9.0", + "version": "17.10.0", "policyDefinitionGroups": [ { "name": "FedRAMP_Moderate_R4_AC-1", 
@@ -2657,7 +2657,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -2665,7 +2665,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-5f0bc445-3935-4915-9981-011aa2b46147": { @@ -4428,21 +4429,6 @@ "FedRAMP_Moderate_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "FedRAMP_Moderate_R4_AC-4", - "FedRAMP_Moderate_R4_SC-7", - "FedRAMP_Moderate_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", @@ -10121,6 +10107,7 @@ } ], "versions": [ + "17.10.0", "17.9.0", "17.8.0", "17.7.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json index 5dc248487..221cf2e33 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171", "metadata": { - "version": "15.9.0", + "version": "15.10.0", "category": "Regulatory Compliance" }, - "version": "15.9.0", + "version": "15.10.0", "policyDefinitionGroups": [ { "name": "NIST_SP_800-171_R2_3.1.1", @@ -840,7 +840,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -848,7 +848,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": { 
@@ -3062,23 +3063,6 @@ "NIST_SP_800-171_R2_3.13.6" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "NIST_SP_800-171_R2_3.1.3", - "NIST_SP_800-171_R2_3.13.1", - "NIST_SP_800-171_R2_3.13.2", - "NIST_SP_800-171_R2_3.13.5", - "NIST_SP_800-171_R2_3.13.6" - ] - }, { "policyDefinitionReferenceId": "4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", @@ -7644,6 +7628,7 @@ } ], "versions": [ + "15.10.0", "15.9.0", "15.8.0", "15.7.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json index 08863061b..bf6373688 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative", "metadata": { - "version": "17.9.0", + "version": "17.10.0", "category": "Regulatory Compliance" }, - "version": "17.9.0", + "version": "17.10.0", "policyDefinitionGroups": [ { "name": "NIST_SP_800-53_R4_AC-1", 
@@ -3529,7 +3529,7 @@ }, "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": { "type": "String", - "defaultValue": "Audit", + "defaultValue": "Disabled", "allowedValues": [ "Audit", "Deny", @@ -3537,7 +3537,8 @@ ], "metadata": { "displayName": "Effect for policy: Cognitive Services accounts should disable public network access", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-5f0bc445-3935-4915-9981-011aa2b46147": { @@ -5899,21 +5900,6 @@ "NIST_SP_800-53_R4_SC-7(3)" ] }, - { - "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" - } - }, - "groupNames": [ - "NIST_SP_800-53_R4_AC-4", - "NIST_SP_800-53_R4_SC-7", - "NIST_SP_800-53_R4_SC-7(3)" - ] - }, { "policyDefinitionReferenceId": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", @@ -12890,6 +12876,7 @@ } ], "versions": [ + "17.10.0", "17.9.0", "17.8.0", "17.7.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json index 1e1e6437a..31761343b 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json 
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative",
 "metadata": {
- "version": "14.9.0",
+ "version": "14.10.0",
 "category": "Regulatory Compliance"
 },
- "version": "14.9.0",
+ "version": "14.10.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-53_R5_AC-1",
@@ -5237,7 +5237,7 @@
 },
 "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -5245,7 +5245,8 @@
 ],
 "metadata": {
 "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-5f0bc445-3935-4915-9981-011aa2b46147": {
@@ -6964,21 +6965,6 @@
 "NIST_SP_800-53_R5_SC-7(3)"
 ]
 },
- {
- "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
- }
- },
- "groupNames": [
- "NIST_SP_800-53_R5_AC-4",
- "NIST_SP_800-53_R5_SC-7",
- "NIST_SP_800-53_R5_SC-7(3)"
- ]
- },
 {
 "policyDefinitionReferenceId": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
@@ -13205,6 +13191,7 @@
 }
 ],
 "versions": [
+ "14.10.0",
 "14.9.0",
 "14.8.0",
 "14.7.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
index b794b4d53..4bd069dda 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls.",
 "metadata": {
- "version": "1.3.0",
+ "version": "1.4.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "policyDefinitionGroups": [
 {
 "name": "B.01 - Laws and regulations",
@@ -2204,7 +2204,7 @@
 },
 "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -2212,7 +2212,8 @@
 ],
 "metadata": {
 "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea": {
@@ -6202,19 +6203,6 @@
 "U.07.1 - Isolated"
 ]
 },
- {
- "policyDefinitionReferenceId": "CognitiveServicesAccountsShouldDisablePublicNetworkAccess",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
- }
- },
- "groupNames": [
- "U.07.1 - Isolated"
- ]
- },
 {
 "policyDefinitionReferenceId": "AuthorizedIPRangesShouldBeDefinedOnKubernetesServices",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
@@ -8560,6 +8548,7 @@
 }
 ],
 "versions": [
+ "1.4.0",
 "1.3.0",
 "1.2.0",
 "1.1.1",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
index e633b1dd7..2a2936df7 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of New Zealand Information Security Manual v3.5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. ",
 "metadata": {
- "version": "2.9.0-deprecated",
+ "version": "2.10.0-deprecated",
 "category": "Regulatory Compliance",
 "deprecated": true
 },
- "version": "2.9.0",
+ "version": "2.10.0",
 "policyDefinitionGroups": [
 {
 "name": "NZ_ISM_v3.5_AC-1",
@@ -894,14 +894,15 @@
 "type": "string",
 "metadata": {
 "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 },
 "allowedValues": [
 "Audit",
 "Deny",
 "Disabled"
 ],
- "defaultValue": "Audit"
+ "defaultValue": "Disabled"
 },
 "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
 "type": "string",
@@ -1491,19 +1492,6 @@
 "NZ_ISM_v3.5_GS-2"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
- }
- },
- "groupNames": [
- "NZ_ISM_v3.5_GS-2"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
 "definitionVersion": "3.*.*",
@@ -3199,6 +3187,7 @@
 }
 ],
 "versions": [
+ "2.10.0",
 "2.9.0",
 "2.8.1",
 "2.8.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
index 26c32920e..af5dd0613 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfbanks-initiative.",
 "metadata": {
- "version": "1.9.0-preview",
+ "version": "1.10.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "1.9.0-preview",
+ "version": "1.10.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "RBI_CSF_Banks_v2016_9.1",
@@ -2063,15 +2063,6 @@
 "RBI_CSF_Banks_v2016_7.7"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "parameters": {},
- "groupNames": [
- "RBI_CSF_Banks_v2016_14.1"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2",
 "definitionVersion": "1.*.*",
@@ -2739,6 +2730,7 @@
 }
 ],
 "versions": [
+ "1.10.0-PREVIEW",
 "1.9.0-PREVIEW",
 "1.8.0-PREVIEW",
 "1.7.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
index 95dcbc46c..5bfb33679 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center",
 "metadata": {
- "version": "11.5.0-deprecated",
+ "version": "11.6.0-deprecated",
 "deprecated": true,
 "category": "Regulatory Compliance"
 },
- "version": "11.5.0",
+ "version": "11.6.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v2.0_NS-1",
@@ -441,7 +441,7 @@
 },
 "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -449,7 +449,8 @@
 ],
 "metadata": {
 "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
@@ -3279,19 +3280,6 @@
 "Azure_Security_Benchmark_v2.0_NS-1"
 ]
 },
- {
- "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccounts",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
- }
- },
- "groupNames": [
- "Azure_Security_Benchmark_v2.0_NS-1"
- ]
- },
 {
 "policyDefinitionReferenceId": "1b8ca024-1d5c-4dec-8995-b1a932b41780",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
@@ -5394,6 +5382,7 @@
 }
 ],
 "versions": [
+ "11.6.0",
 "11.5.0",
 "11.4.0",
 "11.3.0"
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
index 14503c933..e72f2a1b4 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative.",
 "metadata": {
- "version": "11.7.0-deprecated",
+ "version": "11.8.0-deprecated",
 "category": "Regulatory Compliance",
 "deprecated": true
 },
- "version": "11.7.0",
+ "version": "11.8.0",
 "policyDefinitionGroups": [
 {
 "name": "NZISM_Security_Benchmark_v1.1_AC-1",
@@ -2797,7 +2797,7 @@
 },
 "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
 "type": "String",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -2805,7 +2805,8 @@
 ],
 "metadata": {
 "displayName": "Effect for policy: Public network access should be disabled for Cognitive Services accounts",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
@@ -4510,19 +4511,6 @@
 "NZISM_Security_Benchmark_v1.1_INF-9"
 ]
 },
- {
- "policyDefinitionReferenceId": "0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]"
- }
- },
- "groupNames": [
- "NZISM_Security_Benchmark_v1.1_GS-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "037eea7a-bd0a-46c5-9a66-03aea78705d3",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
@@ -4746,6 +4734,7 @@
 }
 ],
 "versions": [
+ "11.8.0",
 "11.7.0",
 "11.6.2",
 "11.6.1",
diff --git a/built-in-policies/policySetDefinitions/SDN/AuditPublicNetworkAccessInitiative.json b/built-in-policies/policySetDefinitions/SDN/AuditPublicNetworkAccessInitiative.json
index 8fb889833..946548cd6 100644
--- a/built-in-policies/policySetDefinitions/SDN/AuditPublicNetworkAccessInitiative.json
+++ b/built-in-policies/policySetDefinitions/SDN/AuditPublicNetworkAccessInitiative.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Audit Azure resources that allow access from the public internet",
 "metadata": {
- "version": "4.1.0",
+ "version": "4.2.0",
 "category": "SDN"
 },
- "version": "4.1.0",
+ "version": "4.2.0",
 "parameters": {
 "Effect-Microsoft.AppConfiguration-configurationStores": {
 "type": "String",
@@ -104,14 +104,15 @@
 "type": "String",
 "metadata": {
 "displayName": "Microsoft.CognitiveServices/accounts Effect",
- "description": "Set an effect for this resource type"
+ "description": "Set an effect for this resource type",
+ "deprecated": true
 },
 "allowedValues": [
 "Audit",
 "Deny",
 "Disabled"
 ],
- "defaultValue": "Audit"
+ "defaultValue": "Disabled"
 },
 "Effect-Microsoft.Compute-disks": {
 "type": "String",
@@ -548,16 +549,6 @@
 }
 }
 },
- {
- "policyDefinitionReferenceId": "AuditPublicNetworkAccessForMicrosoftCognitiveServicesAccounts",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('Effect-Microsoft.CognitiveServices-accounts')]"
- }
- }
- },
 {
 "policyDefinitionReferenceId": "AuditPublicNetworkAccessForMicrosoftContainerRegistry",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f",
@@ -840,6 +831,7 @@
 }
 ],
 "versions": [
+ "4.2.0",
 "4.1.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
index b8588a722..2274211a4 100644
--- a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "57.35.0",
+ "version": "57.36.0",
 "category": "Security Center"
 },
- "version": "57.35.0",
+ "version": "57.36.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -5027,7 +5027,7 @@
 },
 "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect": {
 "type": "string",
- "defaultValue": "Audit",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "Audit",
 "Deny",
@@ -5035,7 +5035,8 @@
 ],
 "metadata": {
 "displayName": "Public network access should be disabled for Cognitive Services accounts",
- "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed."
+ "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.",
+ "deprecated": true
 }
 },
 "cognitiveServicesAccountsShouldEnableDataEncryptionMonitoringEffect": {
@@ -8104,19 +8105,6 @@
 "Azure_Security_Benchmark_v3.0_NS-2"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect",
- "parameters": {
- "effect": {
- "value": "[parameters('publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect')]"
- }
- },
- "groupNames": [
- "Azure_Security_Benchmark_v3.0_NS-2"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
 "definitionVersion": "1.*.*",
@@ -8802,6 +8790,7 @@
 }
 ],
 "versions": [
+ "57.36.0",
 "57.35.0",
 "57.34.0",
 "57.33.0",