Built-in Policy Release 26dc2cbd (#1296)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

built-in-policies/policyDefinitions/Azure Ai Services/DiagnosticLogs_Audit.json

@@ -0,0 +1,56 @@
+{
+  "properties": {
+    "displayName": "Diagnostic logs in Azure AI services resources should be enabled",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Azure Ai Services"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "anyOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.CognitiveServices/accounts"
+          },
+          {
+            "field": "type",
+            "equals": "Microsoft.Search/searchServices"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/diagnosticSettings",
+          "existenceCondition": {
+            "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+            "exists": true
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
+  "name": "1b4d1c4e-934c-4703-944c-27c82c06bebb"
+}

built-in-policies/policyDefinitions/Azure Ai Services/NetworkAcls_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.",
     "metadata": {
-      "version": "3.1.0",
+      "version": "3.2.0",
       "category": "Azure Ai Services"
     },
-    "version": "3.1.0",
+    "version": "3.2.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -50,8 +50,8 @@
                 "equals": "Microsoft.Search/searchServices"
               },
               {
-                "field": "Microsoft.Search/searchServices/networkRuleSet.ipRules[*]",
-                "exists": "false"
+                "field": "Microsoft.Search/searchServices/publicNetworkAccess",
+                "notEquals": "Disabled"
               }
             ]
           }
@@ -62,6 +62,7 @@
       }
     },
     "versions": [
+      "3.2.0",
       "3.1.0",
       "3.0.0"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_AzurePolicyAddOn_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
     "metadata": {
-      "version": "4.0.1",
+      "version": "4.1.0",
       "category": "Kubernetes"
     },
-    "version": "4.0.1",
+    "version": "4.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -127,7 +127,8 @@
                               "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                               "apiServerAccessProfile": "[if(contains(parameters('aksClusterContent').properties, 'apiServerAccessProfile'), parameters('aksClusterContent').properties.apiServerAccessProfile, json('null'))]",
                               "diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
-                              "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
+                              "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]",
+                              "disableLocalAccounts": "[if(contains(parameters('aksClusterContent').properties, 'disableLocalAccounts'), parameters('aksClusterContent').properties.disableLocalAccounts, json('null'))]"
                             }
                           }
                         ],
@@ -159,6 +160,7 @@
       }
     },
     "versions": [
+      "4.1.0",
       "4.0.1"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Cannot Edit Individual Nodes",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
+    "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.0.3-preview",
+      "version": "1.0.4-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.3-preview",
+    "version": "1.0.4-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -147,8 +147,8 @@
       }
     },
     "versions": [
-      "1.0.3-PREVIEW",
-      "1.0.2-PREVIEW"
+      "1.0.4-PREVIEW",
+      "1.0.3-PREVIEW"
     ]
   },
   "id": "/providers/Microsoft.Authorization/policyDefinitions/53a4a537-990c-495a-92e0-7c21a465442c",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Prevents customers from applying bad Pod Disruption Budgets. This policy relies on Gatekeeper data replication, and all ingress resources scoped to this policy will be synced into OPA. Please verify that the ingresses resources being synced won't overwhelm your memory capacity prior to assigning this policy. The policy parameters will evaluate only certain namespaces, but all resources of that kind in all namespaces will get synced. This policy is in preview for Kubernetes Service (AKS).",
+    "description": "Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.0.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -133,6 +133,7 @@
       }
     },
     "versions": [
+      "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Must Have Anti Affinity Rules Set",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Requires affinity rules to be set.",
+    "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.0.2-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.1-preview",
+    "version": "1.0.2-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -132,6 +132,7 @@
       }
     },
     "versions": [
+      "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/NoAKSSpecificLabels.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: No AKS Specific Labels",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Prevents customers from applying AKS specific labels",
+    "description": "Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.0.2-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.1-preview",
+    "version": "1.0.2-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -161,6 +161,7 @@
       }
     },
     "versions": [
+      "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ReservedSystemPoolTaints.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Reserved System Pool Taints",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Restricts the CriticalAddonsOnly taint to just the system pool",
+    "description": "Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint.",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.0.2-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.1-preview",
+    "version": "1.0.2-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -139,6 +139,7 @@
       }
     },
     "versions": [
+      "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Kubernetes cluster services should use unique selectors",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Ensure that Services in a namespace have unique selectors. This policy relies on Gatekeeper data replication and syncs all ingress resources into OPA. Prior to applying this policy, please confirm that syncing ingress resources won't exceed your memory capacity. The policy parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. This policy is currently in preview for Kubernetes Service (AKS)",
+    "description": "Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.0.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -129,6 +129,7 @@
       }
     },
     "versions": [
+      "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json

@@ -1,18 +1,17 @@
 {
   "properties": {
-    "displayName": "[Deprecated]: Private endpoint should be enabled for PostgreSQL servers",
+    "displayName": "Private endpoint should be enabled for PostgreSQL servers",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",
     "metadata": {
-      "version": "1.0.1-deprecated",
-      "category": "SQL",
-      "deprecated": true
+      "version": "1.0.2",
+      "category": "SQL"
     },
-    "version": "1.0.1",
+    "version": "1.0.2",
     "parameters": {
       "effect": {
-        "type": "string",
+        "type": "String",
         "defaultValue": "AuditIfNotExists",
         "allowedValues": [
           "AuditIfNotExists",
@@ -41,6 +40,7 @@
       }
     },
     "versions": [
+      "1.0.2",
       "1.0.1"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Azure registry container images should have vulnerabilities resolved (powered by Qualys)",
+    "displayName": "[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",
+    "description": "As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines.",
     "metadata": {
-      "version": "2.0.2",
-      "category": "Security Center"
+      "version": "2.1.0-deprecated",
+      "category": "Security Center",
+      "deprecated": true
     },
-    "version": "2.0.2",
+    "version": "2.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -20,7 +21,7 @@
           "AuditIfNotExists",
           "Disabled"
         ],
-        "defaultValue": "AuditIfNotExists"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -44,6 +45,7 @@
       }
     },
     "versions": [
+      "2.1.0",
       "2.0.2",
       "2.0.1"
     ]

built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
     "metadata": {
-      "version": "3.6.0",
+      "version": "3.7.0",
       "category": "Azure Update Manager"
     },
-    "version": "3.6.0",
+    "version": "3.7.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -64,6 +64,34 @@
                           }
                         ]
                       },
+                      {
+                        "allOf": [
+                          {
+                            "anyOf": [
+                              {
+                                "value": "[field('Microsoft.Compute/imageId')]",
+                                "contains": "Microsoft.Compute/galleries"
+                              },
+                              {
+                                "value": "[field('Microsoft.Compute/imageId')]",
+                                "contains": "Microsoft.Compute/images"
+                              },
+                              {
+                                "value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.createOption')]",
+                                "equals": "Attach"
+                              }
+                            ]
+                          },
+                          {
+                            "field": "Microsoft.Compute/virtualMachines/osProfile.computerName",
+                            "exists": "false"
+                          },
+                          {
+                            "value": "[requestContext().apiVersion]",
+                            "greaterOrEquals": "2023-07-01"
+                          }
+                        ]
+                      },
                       {
                         "field": "Microsoft.Compute/imagePublisher",
                         "equals": "Canonical"
@@ -810,6 +838,7 @@
       }
     },
     "versions": [
+      "3.7.0",
       "3.6.0",
       "3.5.0",
       "3.4.1"