Built-in Policy Release 4c6a4f6a #1357

Merged
merged 1 commit into from
Jul 24, 2024
Merged
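--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,77 @@
+{
+"properties": {
+"displayName": "Azure AI Services resources should use Azure Private Link",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview",
+"metadata": {
+"version": "1.0.0",
+"category": "Azure Ai Services"
+},
+"version": "1.0.0",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy"
+},
+"allowedValues": [
+"Audit",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"anyOf": [
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.CognitiveServices/accounts"
+},
+{
+"count": {
+"field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]",
+"where": {
+"field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
+"equals": "Approved"
+}
+},
+"less": 1
+}
+]
+},
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Search/searchServices"
+},
+{
+"count": {
+"field": "Microsoft.Search/searchServices/privateEndpointConnections[*]",
+"where": {
+"field": "Microsoft.Search/searchServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
+"equals": "Approved"
+}
+},
+"less": 1
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+},
+"versions": [
+"1.0.0"
+]
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
+"name": "d6759c02-b87f-42b7-892e-71b3f471d782"
+}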
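Review bot: The two `count` … `"less": 1` conditions flag a resource only when it has no approved private endpoint connection, so an account or search service that has an approved private endpoint but still accepts traffic on its public endpoint evaluates as compliant; the presence of a private endpoint does not by itself restrict public network access, which is what the description's data-leakage claim depends on. Either pair this definition with the public-network-access policy for these resource types in an initiative, or make the scope explicit in the text, e.g. append `This policy only checks for an approved private endpoint connection; restrict public network access separately.` to the description. The category `"Azure Ai Services"` also disagrees in casing with the displayName's "Azure AI Services"; if the repository's category list does not already fix this spelling, aligning it avoids a second category appearing in the portal.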
@@ -1,14 +1,15 @@
{
"properties": {
"displayName": "Cognitive Services should use private link",
"displayName": "[Deprecated]: Cognitive Services should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.",
"metadata": {
"version": "3.0.0",
"category": "Cognitive Services"
"version": "3.0.1-deprecated",
"category": "Cognitive Services",
"deprecated": true
},
"version": "3.0.0",
"version": "3.0.1",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -47,6 +48,7 @@
}
},
"versions": [
"3.0.1",
"3.0.0"
]
},
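Review bot: Within the visible hunk, the deprecation marks `"deprecated": true` and prefixes the displayName, but neither the metadata nor the unchanged description names the replacement, so an assignment owner landing on this definition has no pointer to `d6759c02-b87f-42b7-892e-71b3f471d782`, the consolidated definition this PR adds; the Azure Cognitive Search deprecation further down has the same gap. Consider appending a reference to the description, e.g. `Superseded by 'Azure AI Services resources should use Azure Private Link' (d6759c02-b87f-42b7-892e-71b3f471d782).`, or recording the replacement id in metadata if the repository has a convention for that. The remainder of the definition, including the parameters and policyRule, is outside the hunk.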
Expand Up @@ -5,10 +5,10 @@
"mode": "Indexed",
"description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
"metadata": {
"version": "1.5.0",
"version": "1.6.0",
"category": "Monitoring"
},
"version": "1.5.0",
"version": "1.6.0",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -101,32 +101,53 @@
"field": "location",
"in": [
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"brazilsoutheast",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centraluseuap",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"francesouth",
"germanynorth",
"germanywestcentral",
"israelcentral",
"italynorth",
"japaneast",
"japanwest",
"jioindiacentral",
"jioindiawest",
"koreacentral",
"koreasouth",
"malaysiasouth",
"mexicocentral",
"northcentralus",
"northeurope",
"norwayeast",
"norwaywest",
"polandcentral",
"qatarcentral",
"southafricanorth",
"southafricawest",
"southcentralus",
"southeastasia",
"southindia",
"spaincentral",
"swedencentral",
"swedensouth",
"switzerlandnorth",
"switzerlandwest",
"taiwannorth",
"taiwannorthwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
Expand All @@ -135,6 +156,7 @@
"westindia",
"westus",
"westus2",
"westus3",
"chinaeast",
"chinaeast2",
"chinaeast3",
Expand Down Expand Up @@ -436,6 +458,7 @@
}
},
"versions": [
"1.6.0",
"1.5.0",
"1.4.0"
]
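Review bot: The region allowlist added to the `location` `in` condition here is identical to the one added to the Windows virtual machine definition in the next file section, and the two lists have to be kept in step by hand on every release; a note in `metadata` stating that both definitions must carry the same region list, or generating both from one source, would reduce the chance of one definition silently deploying the agent in regions the other does not. Within the list, `"eastus2euap"` is placed before `"eastus"`, breaking the alphabetical order the rest of the list follows; moving it after `"eastus2"` keeps future region diffs easy to review. The `allOf` that encloses this condition starts and ends outside the hunk.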
Expand Up @@ -5,10 +5,10 @@
"mode": "Indexed",
"description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
"metadata": {
"version": "1.5.0",
"version": "1.6.0",
"category": "Monitoring"
},
"version": "1.5.0",
"version": "1.6.0",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -101,32 +101,53 @@
"field": "location",
"in": [
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"brazilsoutheast",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centraluseuap",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"francesouth",
"germanynorth",
"germanywestcentral",
"israelcentral",
"italynorth",
"japaneast",
"japanwest",
"jioindiacentral",
"jioindiawest",
"koreacentral",
"koreasouth",
"malaysiasouth",
"mexicocentral",
"northcentralus",
"northeurope",
"norwayeast",
"norwaywest",
"polandcentral",
"qatarcentral",
"southafricanorth",
"southafricawest",
"southcentralus",
"southeastasia",
"southindia",
"spaincentral",
"swedencentral",
"swedensouth",
"switzerlandnorth",
"switzerlandwest",
"taiwannorth",
"taiwannorthwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
Expand All @@ -135,6 +156,7 @@
"westindia",
"westus",
"westus2",
"westus3",
"chinaeast",
"chinaeast2",
"chinaeast3",
Expand Down Expand Up @@ -436,6 +458,7 @@
}
},
"versions": [
"1.6.0",
"1.5.0",
"1.4.0"
]
@@ -1,14 +1,15 @@
{
"properties": {
"displayName": "Azure Cognitive Search services should use private link",
"displayName": "[Deprecated]: Azure Cognitive Search services should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
"metadata": {
"version": "1.0.0",
"category": "Search"
"version": "1.0.1-deprecated",
"category": "Search",
"deprecated": true
},
"version": "1.0.0",
"version": "1.0.1",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -47,6 +48,7 @@
}
},
"versions": [
"1.0.1",
"1.0.0"
]
},
Expand Up @@ -4,9 +4,9 @@
"policyType": "BuiltIn",
"mode": "All",
"description": "Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts.\nThis policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage.",
"version": "1.3.0",
"version": "1.4.0",
"metadata": {
"version": "1.3.0",
"version": "1.4.0",
"category": "Security Center"
},
"parameters": {
Expand Down Expand Up @@ -38,7 +38,7 @@
"type": "Integer",
"metadata": {
"displayName": "Cap GB Per Month Per Storage Account",
"description": "Limit the GB to be scanned per month for each storage account within the subscription. Set to -1 for unlimited GB scanning"
"description": "Limit the GB scanned per month for each storage account within the subscription.\nValue must be an integer, 10GB or higher\nSet to -1 for unlimited scanning"
},
"defaultValue": 5000
},
Expand Down Expand Up @@ -135,7 +135,7 @@
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.2.0.0",
"contentVersion": "1.3.0.0",
"parameters": {
"isOnUploadMalwareScanningEnabled": {
"type": "String"
Expand All @@ -147,44 +147,30 @@
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2023-01-01",
"name": "StorageAccounts",
"condition": "[equals(parameters('isOnUploadMalwareScanningEnabled'), 'true')]",
"properties": {
"subPlan": "DefenderForStorageV2",
"pricingTier": "Standard",
"extensions": [
{
"name": "OnUploadMalwareScanning",
"isEnabled": "[parameters('isOnUploadMalwareScanningEnabled')]",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "[parameters('capGBPerMonthPerStorageAccount')]"
}
},
{
"name": "SensitiveDataDiscovery",
"isEnabled": "[parameters('isSensitiveDataDiscoveryEnabled')]"
}
]
"variables": {
"enabledMalwareScanningExtension": {
"name": "OnUploadMalwareScanning",
"isEnabled": "true",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "[parameters('capGBPerMonthPerStorageAccount')]"
}
},
"disabledMalwareScanningExtension": {
"name": "OnUploadMalwareScanning",
"isEnabled": "false"
},
"malwareScanningExtension": "[if(equals(parameters('isOnUploadMalwareScanningEnabled'),'true'), variables('enabledMalwareScanningExtension'), variables('disabledMalwareScanningExtension'))]"
},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2023-01-01",
"name": "StorageAccounts",
"condition": "[equals(parameters('isOnUploadMalwareScanningEnabled'), 'false')]",
"properties": {
"subPlan": "DefenderForStorageV2",
"pricingTier": "Standard",
"extensions": [
{
"name": "OnUploadMalwareScanning",
"isEnabled": "[parameters('isOnUploadMalwareScanningEnabled')]"
},
"[variables('malwareScanningExtension')]",
{
"name": "SensitiveDataDiscovery",
"isEnabled": "[parameters('isSensitiveDataDiscoveryEnabled')]"
Expand All @@ -201,6 +187,7 @@
}
},
"versions": [
"1.4.0",
"1.3.0",
"1.2.0",
"1.1.0"
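Review bot: The new `malwareScanningExtension` variable selects `disabledMalwareScanningExtension` for any value of `isOnUploadMalwareScanningEnabled` other than `'true'`, whereas the removed pair of conditional resources deployed nothing when the value was neither `'true'` nor `'false'`; an unexpected value now silently deploys the pricing with on-upload malware scanning turned off. Unless the policy-level parameter already restricts `allowedValues` to exactly `"true"` and `"false"` (that part of the definition is outside the hunk), consider either constraining it or inverting the selection, `"malwareScanningExtension": "[if(equals(parameters('isOnUploadMalwareScanningEnabled'),'false'), variables('disabledMalwareScanningExtension'), variables('enabledMalwareScanningExtension'))]"`, so that an unrecognised value leaves scanning enabled rather than disabled. The updated `capGBPerMonthPerStorageAccount` description now promises a minimum of 10GB with -1 for unlimited, but the template passes the value through unchecked; if the policy parameter type cannot express that range, the description should say where the value is rejected. The `resources` array continues outside the hunk.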