Built-in Policy Release edcb38fa

Azure · Dec 26, 2023 · 0d7285b · 0d7285b
1 parent 0d4848a
commit 0d7285b
Show file tree

Hide file tree

Showing 8 changed files with 252 additions and 12 deletions.
diff --git a/...in-policies/policyDefinitions/API Management/ApiManagement_PlatformVersion_AuditDeny.json b/...in-policies/policyDefinitions/API Management/ApiManagement_PlatformVersion_AuditDeny.json
@@ -0,0 +1,47 @@
+{
+  "properties": {
+    "displayName": "Azure API Management platform version should be stv2",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "API Management"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.ApiManagement/service"
+          },
+          {
+            "field": "Microsoft.ApiManagement/service/platformVersion",
+            "equals": "stv1"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/1dc2fc00-2245-4143-99f4-874c937f13ef",
+  "name": "1dc2fc00-2245-4143-99f4-874c937f13ef"
+}
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed images",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "10.1.0",
+      "version": "10.1.1",
       "category": "Kubernetes"
     },
-    "version": "10.1.0",
+    "version": "10.1.1",
     "parameters": {
       "effect": {
         "type": "String",

diff --git a/built-in-policies/policyDefinitions/ElasticSan/ElasticSan_VolumeGroup_Encryption_Audit.json b/built-in-policies/policyDefinitions/ElasticSan/ElasticSan_VolumeGroup_Encryption_Audit.json
@@ -0,0 +1,46 @@
+{
+  "properties": {
+    "displayName": "ElasticSan Volume Group should use customer-managed keys to encrypt data at rest",
+    "policyType": "BuiltIn",
+    "mode": "All",
+    "description": "Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "ElasticSan"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.ElasticSan/elasticSans/volumeGroups"
+          },
+          {
+            "field": "Microsoft.ElasticSan/elasticSans/volumeGroups/encryption",
+            "notEquals": "EncryptionAtRestWithCustomerManagedKey"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/7698f4ed-80ce-4e13-b408-ee135fa400a5",
+  "name": "7698f4ed-80ce-4e13-b408-ee135fa400a5"
+}
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed images",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "9.1.0",
+      "version": "9.1.1",
       "category": "Kubernetes"
     },
-    "version": "9.1.0",
+    "version": "9.1.1",
     "parameters": {
       "effect": {
         "type": "String",

diff --git a/...licies/policyDefinitions/Security Center/DeployAtpOnPostgreSqlFlexibleServers_Deploy.json b/...licies/policyDefinitions/Security Center/DeployAtpOnPostgreSqlFlexibleServers_Deploy.json
@@ -0,0 +1,80 @@
+{
+  "properties": {
+    "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.DBforPostgreSQL/flexibleservers"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.DBforPostgreSQL/flexibleservers/advancedThreatProtectionSettings",
+          "name": "Default",
+          "evaluationDelay": "AfterProvisioning",
+          "existenceCondition": {
+            "field": "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/state",
+            "equals": "Enabled"
+          },
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "serverName": {
+                    "type": "string"
+                  }
+                },
+                "variables": {},
+                "resources": [
+                  {
+                    "name": "[concat(parameters('serverName'), '/Default')]",
+                    "type": "Microsoft.DBforPostgreSQL/flexibleservers/advancedThreatProtectionSettings",
+                    "apiVersion": "2023-06-01-preview",
+                    "properties": {
+                      "state": "Enabled"
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "serverName": {
+                  "value": "[field('name')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/2a6ae02f-7590-40d7-88ba-b18e205a32fd",
+  "name": "2a6ae02f-7590-40d7-88ba-b18e205a32fd"
+}
diff --git a/...n-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/...n-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
     "metadata": {
-      "version": "47.9.0",
+      "version": "47.10.0",
       "category": "Security Center"
     },
-    "version": "47.9.0",
+    "version": "47.10.0",
     "policyDefinitionGroups": [
       {
         "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -4408,6 +4408,30 @@
           "description": "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Qualys)"
         }
       },
+      "azureContainerRegistryVulnerabilityAssessmentEffect": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
+          "description": "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Microsoft Defender Vulnerability Management)"
+        }
+      },
+      "kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Vulnerabilities in running images should be remediated",
+          "description": "Enable or disable monitoring of Kubernetes Service clusters by Defender for Containers running images vulnerability assessment"
+        }
+      },
       "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect": {
         "type": "string",
         "defaultValue": "Audit",
@@ -4788,6 +4812,34 @@
           "Azure_Security_Benchmark_v3.0_DS-6"
         ]
       },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "azureContainerRegistryVulnerabilityAssessment",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureContainerRegistryVulnerabilityAssessmentEffect')]"
+          }
+        },
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_PV-6",
+          "Azure_Security_Benchmark_v3.0_DS-6"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "kubernetesRunningImagesVulnerabilityMDVMAssessment",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect')]"
+          }
+        },
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_PV-6",
+          "Azure_Security_Benchmark_v3.0_DS-6"
+        ]
+      },
       {
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
         "definitionVersion": "1.*.*",

diff --git a/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json b/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
     "metadata": {
-      "version": "1.0.1",
+      "version": "1.1.0",
       "category": "Security Center"
     },
-    "version": "1.0.1",
+    "version": "1.1.0",
     "parameters": {},
     "policyDefinitions": [
       {
@@ -27,6 +27,12 @@
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c",
         "definitionVersion": "1.*.*",
         "parameters": {}
+      },
+      {
+        "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForPostgreSqlFlexibleServer",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a6ae02f-7590-40d7-88ba-b18e205a32fd",
+        "definitionVersion": "1.*.*",
+        "parameters": {}
       }
     ]
   },

diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
     "metadata": {
-      "version": "57.26.0",
+      "version": "57.27.0",
       "category": "Security Center"
     },
-    "version": "57.26.0",
+    "version": "57.27.0",
     "policyDefinitionGroups": [
       {
         "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -8743,6 +8743,15 @@
         "groupNames": [
           "Azure_Security_Benchmark_v3.0_IM-1"
         ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1dc2fc00-2245-4143-99f4-874c937f13ef",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "aPIManagementServicePlatformVersionShouldBeStv2",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_PV-2",
+          "Azure_Security_Benchmark_v3.0_AM-2"
+        ]
       }
     ]
   },