Built-in Policy Release 4809d93f

Azure · Aug 15, 2024 · a9808b8 · a9808b8
1 parent 1216b4b
commit a9808b8
Show file tree

Hide file tree

Showing 21 changed files with 584 additions and 48 deletions.
diff --git a/...yDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_DINE.json b/...yDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_DINE.json
@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.",
     "metadata": {
-      "version": "4.2.0",
+      "version": "4.3.0",
       "category": "Kubernetes"
     },
-    "version": "4.2.0",
+    "version": "4.3.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -50,8 +50,8 @@
             "equals": "true"
           },
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
-            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+            "/providers/microsoft.authorization/roleDefinitions/5e93ba01-8f92-4c7a-b12a-801e3df23824",
+            "/providers/microsoft.authorization/roleDefinitions/8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5"
           ],
           "deployment": {
             "location": "usgovvirginia",
@@ -250,6 +250,7 @@
       }
     },
     "versions": [
+      "4.3.0",
       "4.2.0",
       "4.1.0"
     ]

diff --git a/.../policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Arc_Extension_DINE.json b/.../policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Arc_Extension_DINE.json
@@ -5,11 +5,11 @@
     "mode": "Indexed",
     "description": "Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.",
     "metadata": {
-      "version": "6.0.0-preview",
+      "version": "6.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "6.0.0-preview",
+    "version": "6.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -78,8 +78,8 @@
             ]
           },
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
-            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+            "/providers/microsoft.authorization/roleDefinitions/5e93ba01-8f92-4c7a-b12a-801e3df23824",
+            "/providers/microsoft.authorization/roleDefinitions/8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5"
           ],
           "deployment": {
             "location": "usgovvirginia",
@@ -266,6 +266,7 @@
       }
     },
     "versions": [
+      "6.1.0-PREVIEW",
       "6.0.0-PREVIEW"
     ]
   },

diff --git a/.../policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdatesV2_Audit.json b/.../policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdatesV2_Audit.json
@@ -0,0 +1,55 @@
+{
+  "properties": {
+    "displayName": "System updates should be installed on your machines (powered by Update Center)",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "in": [
+          "Microsoft.Compute/virtualMachines",
+          "Microsoft.HybridCompute/machines"
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Security/assessments",
+          "name": "e1145ab1-eb4f-43d8-911b-36ddf771d13f",
+          "existenceCondition": {
+            "field": "Microsoft.Security/assessments/status.code",
+            "in": [
+              "NotApplicable",
+              "Healthy"
+            ]
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b",
+  "name": "f85bf3e0-d513-442e-89c3-1784ad63382b"
+}
diff --git a/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_CMKEnabled_Audit.json b/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_CMKEnabled_Audit.json
@@ -0,0 +1,50 @@
+{
+  "properties": {
+    "displayName": "Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data",
+    "description": "Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK.",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "metadata": {
+      "category": "Cache",
+      "version": "1.0.0"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Cache/redisEnterprise"
+          },
+          {
+            "field": "Microsoft.Cache/redisEnterprise/encryption.customerManagedKeyEncryption",
+            "exists": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/09aa11bb-87ec-409f-bf0b-49b7c1561a87",
+  "name": "09aa11bb-87ec-409f-bf0b-49b7c1561a87"
+}
diff --git a/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateDNSZone_DINE.json b/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateDNSZone_DINE.json
@@ -0,0 +1,118 @@
+{
+  "properties": {
+    "displayName": "Configure Azure Cache for Redis Enterprise to use private DNS zones",
+    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Cache"
+    },
+    "version": "1.0.0",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "parameters": {
+      "privateDnsZoneId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Private DNS Zone Id",
+          "strongType": "Microsoft.Network/privateDnsZones",
+          "description": "The resource id of the private DNS zone"
+        }
+      },
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Network/privateEndpoints"
+          },
+          {
+            "count": {
+              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+              "where": {
+                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+                "equals": "redisEnterprise"
+              }
+            },
+            "greaterOrEquals": 1
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+          "roleDefinitionIds": [
+            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "privateDnsZoneId": {
+                    "type": "string"
+                  },
+                  "privateEndpointName": {
+                    "type": "string"
+                  },
+                  "location": {
+                    "type": "string"
+                  }
+                },
+                "resources": [
+                  {
+                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
+                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+                    "apiVersion": "2020-03-01",
+                    "location": "[parameters('location')]",
+                    "properties": {
+                      "privateDnsZoneConfigs": [
+                        {
+                          "name": "privatelink-redisenterprise-cache-azure-net",
+                          "properties": {
+                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
+                          }
+                        }
+                      ]
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "privateDnsZoneId": {
+                  "value": "[parameters('privateDnsZoneId')]"
+                },
+                "privateEndpointName": {
+                  "value": "[field('name')]"
+                },
+                "location": {
+                  "value": "[field('location')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/7473e756-98d9-4d10-9a22-8101ef32cd74",
+  "name": "7473e756-98d9-4d10-9a22-8101ef32cd74"
+}
diff --git a/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_AINE.json b/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_AINE.json
@@ -0,0 +1,48 @@
+{
+  "properties": {
+    "displayName": "Azure Cache for Redis Enterprise should use private link",
+    "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Cache"
+    },
+    "version": "1.0.0",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "AuditIfNotExists"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.Cache/redisEnterprise"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Cache/redisEnterprise/privateEndpointConnections",
+          "existenceCondition": {
+            "field": "Microsoft.Cache/redisEnterprise/privateEndpointConnections/privateLinkServiceConnectionState.status",
+            "equals": "Approved"
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/960e650e-9ce3-4316-9590-8ee2c016ca2f",
+  "name": "960e650e-9ce3-4316-9590-8ee2c016ca2f"
+}