Built-in Policy Release b5d9fffe

built-in-policies/policyDefinitions/Kubernetes/AKS_DisableRunCommand_DINE.json

@@ -5,10 +5,10 @@
     "description": "Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "Kubernetes"
     },
-    "version": "1.1.0",
+    "version": "1.2.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -74,7 +74,7 @@
                         "outputs": {
                           "aksCluster": {
                             "type": "object",
-                            "value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2021-08-01', 'Full')]"
+                            "value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2023-11-01', 'Full')]"
                           }
                         }
                       }
@@ -102,15 +102,14 @@
                         },
                         "resources": [
                           {
-                            "apiVersion": "2021-08-01",
+                            "apiVersion": "2023-11-01",
                             "type": "Microsoft.ContainerService/managedClusters",
                             "name": "[parameters('aksClusterName')]",
                             "location": "[parameters('aksClusterContent').location]",
                             "sku": "[parameters('aksClusterContent').sku]",
                             "tags": "[if(contains(parameters('aksClusterContent'), 'tags'), parameters('aksClusterContent').tags, json('null'))]",
                             "properties": {
                               "kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
-                              "agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
                               "linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
                               "windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
                               "servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
@@ -121,17 +120,24 @@
                               "aadProfile": "[if(contains(parameters('aksClusterContent').properties, 'aadProfile'), parameters('aksClusterContent').properties.aadProfile, json('null'))]",
                               "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                               "autoUpgradeProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoUpgradeProfile'), parameters('aksClusterContent').properties.autoUpgradeProfile, json('null'))]",
+                              "azureMonitorProfile": "[if(contains(parameters('aksClusterContent').properties, 'azureMonitorProfile'), parameters('aksClusterContent').properties.azureMonitorProfile, json('null'))]",
                               "apiServerAccessProfile": {
                                 "disableRunCommand": true
                               },
                               "diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
                               "disableLocalAccounts": "[if(contains(parameters('aksClusterContent').properties, 'disableLocalAccounts'), parameters('aksClusterContent').properties.disableLocalAccounts, json('null'))]",
                               "fqdnSubdomain": "[if(contains(parameters('aksClusterContent').properties, 'fqdnSubdomain'), parameters('aksClusterContent').properties.fqdnSubdomain, json('null'))]",
                               "httpProxyConfig": "[if(contains(parameters('aksClusterContent').properties, 'httpProxyConfig'), parameters('aksClusterContent').properties.httpProxyConfig, json('null'))]",
+                              "oidcIssuerProfile": "[if(contains(parameters('aksClusterContent').properties, 'oidcIssuerProfile'), parameters('aksClusterContent').properties.oidcIssuerProfile, json('null'))]",
                               "podIdentityProfile": "[if(contains(parameters('aksClusterContent').properties, 'podIdentityProfile'), parameters('aksClusterContent').properties.podIdentityProfile, json('null'))]",
                               "privateLinkResources": "[if(contains(parameters('aksClusterContent').properties, 'privateLinkResources'), parameters('aksClusterContent').properties.privateLinkResources, json('null'))]",
-                              "securityProfile": "[if(contains(parameters('aksClusterContent').properties, 'securityProfile'), parameters('aksClusterContent').properties.securityProfile, json('null'))]",
-                              "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
+                              "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]",
+                              "publicNetworkAccess": "[if(contains(parameters('aksClusterContent').properties, 'publicNetworkAccess'), parameters('aksClusterContent').properties.publicNetworkAccess, json('null'))]",
+                              "serviceMeshProfile": "[if(contains(parameters('aksClusterContent').properties, 'serviceMeshProfile'), parameters('aksClusterContent').properties.serviceMeshProfile, json('null'))]",
+                              "storageProfile": "[if(contains(parameters('aksClusterContent').properties, 'storageProfile'), parameters('aksClusterContent').properties.storageProfile, json('null'))]",
+                              "supportPlan": "[if(contains(parameters('aksClusterContent').properties, 'supportPlan'), parameters('aksClusterContent').properties.supportPlan, json('null'))]",
+                              "upgradeSettings": "[if(contains(parameters('aksClusterContent').properties, 'upgradeSettings'), parameters('aksClusterContent').properties.upgradeSettings, json('null'))]",
+                              "workloadAutoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'workloadAutoScalerProfile'), parameters('aksClusterContent').properties.workloadAutoScalerProfile, json('null'))]"
                             }
                           }
                         ],
@@ -163,6 +169,7 @@
       }
     },
     "versions": [
+      "1.2.0",
       "1.1.0",
       "1.0.3"
     ]

built-in-policies/policyDefinitions/Mobile Network/ConfigurePacketCoreDiagnosticAccessWithMicrosoftEntraID_Audit.json

@@ -0,0 +1,50 @@
+{
+  "properties": {
+    "displayName": "Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs",
+    "metadata": {
+      "category": "Mobile Network",
+      "version": "1.0.0"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MobileNetwork/packetCoreControlPlanes"
+          },
+          {
+            "field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
+            "notEquals": "AAD"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/aec63c84-f9ea-46c7-9e66-ba567bae0f09",
+  "name": "aec63c84-f9ea-46c7-9e66-ba567bae0f09"
+}

built-in-policies/policyDefinitions/Mobile Network/ConfigurePacketCoreDiagnosticAccessWithMicrosoftEntraID_Modify.json

@@ -0,0 +1,63 @@
+{
+  "properties": {
+    "displayName": "Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs",
+    "metadata": {
+      "category": "Mobile Network",
+      "version": "1.0.0"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Modify",
+          "Disabled"
+        ],
+        "defaultValue": "Modify"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MobileNetwork/packetCoreControlPlanes"
+          },
+          {
+            "field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
+            "notEquals": "AAD"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+          ],
+          "conflictEffect": "audit",
+          "operations": [
+            {
+              "condition": "[greaterOrEquals(requestContext().apiVersion, '2022-11-01')]",
+              "operation": "addOrReplace",
+              "field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
+              "value": "AAD"
+            }
+          ]
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/7508b186-60e2-4518-bf70-3d7fbaba1f3a",
+  "name": "7508b186-60e2-4518-bf70-3d7fbaba1f3a"
+}

built-in-policies/policyDefinitions/Mobile Network/ConfigureSIMGroupwithCMK_Audit.json

@@ -0,0 +1,50 @@
+{
+  "properties": {
+    "displayName": "SIM Group should use customer-managed keys to encrypt data at rest",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
+    "metadata": {
+      "category": "Mobile Network",
+      "version": "1.0.0"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MobileNetwork/simGroups"
+          },
+          {
+            "value": "[length(field('Microsoft.MobileNetwork/simGroups/encryptionKey.keyUrl'))]",
+            "equals": "0"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/45c4e9bd-ad6b-4634-9566-c2dad2f03cbf",
+  "name": "45c4e9bd-ad6b-4634-9566-c2dad2f03cbf"
+}

built-in-policies/policyDefinitions/Stack HCI/DataAtRestEncryptedAtCluster_Audit.json

@@ -0,0 +1,65 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Azure Stack HCI systems should have encrypted volumes",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Stack HCI",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "AuditIfNotExists"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.AzureStackHCI/clusters"
+          },
+          {
+            "field": "Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion",
+            "greater": "10.0.20350"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.AzureStackHCI/clusters/securitySettings",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.dataAtRestEncrypted",
+                "in": [
+                  "Compliant",
+                  "Pending"
+                ]
+              }
+            ]
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4",
+  "name": "ee8ca833-1583-4d24-837e-96c2af9488a4"
+}

built-in-policies/policyDefinitions/Stack HCI/DataAtRestEncrypted_Audit.json

@@ -1,19 +1,19 @@
 {
   "properties": {
-    "displayName": "[Preview]: Azure Stack HCI systems should have encrypted volumes",
+    "displayName": "[Deprecated]: Azure Stack HCI systems should have encrypted volumes",
     "policyType": "BuiltIn",
     "mode": "All",
-    "description": "Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.",
+    "description": "This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-deprecated",
       "category": "Stack HCI",
-      "preview": true
+      "deprecated": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
-        "defaultValue": "Audit",
+        "defaultValue": "Disabled",
         "allowedValues": [
           "Audit",
           "Disabled"
@@ -47,6 +47,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0-PREVIEW"
     ]
   },