Built-in Policy Release 2929652c #1278

Merged
merged 1 commit into from
Feb 6, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.2-preview",
"version": "1.0.3-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.2-preview",
"version": "1.0.3-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -107,14 +107,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Safeguards to modify node labels on individual nodes."
"description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Safeguards to modify node labels on individual nodes."
"description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
}
}
},
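--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,47 @@
+{
+"properties": {
+"displayName": "[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults.",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"description": "This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV.",
+"metadata": {
+"version": "1.0.0-preview",
+"preview": true,
+"category": "Backup"
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"metadata": {
+"description": "Enable or disable the execution of the policy.",
+"displayName": "Effect"
+},
+"defaultValue": "Audit",
+"type": "String",
+"allowedValues": [
+"Audit",
+"Disabled"
+]
+}
+},
+"policyRule": {
+"then": {
+"effect": "[parameters('effect')]"
+},
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.RecoveryServices/vaults"
+},
+{
+"field": "Microsoft.RecoveryServices/vaults/securitySettings.multiUserAuthorization",
+"notEquals": "Enabled"
+}
+]
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a",
+"name": "c7031eab-0fc0-4cd9-acd0-4497bd66d91a"
+}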
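Review bot: The `"notEquals": "Enabled"` test on `Microsoft.RecoveryServices/vaults/securitySettings.multiUserAuthorization` is the only compliance condition, so a vault that does not report that property at all is classified by however the engine evaluates `notEquals` against a missing value; the SQL definitions in this same release spell that case out with an `anyOf` of `"exists": false` plus an explicit comparison, and this rule would be unambiguous written the same way. If relying on the missing-value behaviour is intentional, one sentence in the description such as `Vaults that do not expose the multi-user authorization setting are reported as non-compliant.` would make the intent visible to assigners. Separately, `allowedValues` offers only `Audit` and `Disabled`, so this definition can detect a vault without MUA but cannot prevent one from being created or changed; that matches the "audits" wording, but is worth stating if a `Deny` option is expected in a later version.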
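--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,62 @@
+{
+"properties": {
+"displayName": "[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities",
+"policyType": "BuiltIn",
+"mode": "Microsoft.KeyVault.Data",
+"description": "Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Key Vault",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"caCommonNames": {
+"type": "array",
+"metadata": {
+"displayName": "The common names of the certificate authorities which are allowed",
+"description": "The common names (CN) of the Certificate Authority (CA) provider which are allowed. For example, if certificate create with Certificate Authority CN = Contoso, OU = .., DC and parameter caCommonNames is set as ['Contoso', 'AnotherCA'] then the certificate create will be allowed because the certificate authority contains Contoso which is one of the parameter values"
+}
+},
+"effect": {
+"type": "string",
+"metadata": {
+"displayName": "Effect",
+"description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.KeyVault.Data/vaults/certificates"
+},
+{
+"count": {
+"value": "[parameters('caCommonNames')]",
+"name": "caCommonName",
+"where": {
+"field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName",
+"contains": "[current('caCommonName')]"
+}
+},
+"equals": 0
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/d3e82b87-6673-410b-8501-1896b688b9a3",
+"name": "d3e82b87-6673-410b-8501-1896b688b9a3"
+}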
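Review bot: The CA allow-list on `issuer.commonName` is enforced with `contains`, a substring test, so any issuer whose CN merely embeds an allowed value is accepted — with `caCommonNames` set to a constructed `["Contoso"]`, an issuer CN like `Contoso Test CA` or `NotContoso` also passes. The parameter description documents this, but for an allow-list of issuing CAs an exact comparison is the safer default; the whole `count` block reduces to `{ "field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName", "notIn": "[parameters('caCommonNames')]" }`, and substring matching should stay only if it is a deliberate product decision stated in the description. Two smaller points: `caCommonNames` has no `defaultValue`, so every assignment must supply it and an empty array makes every certificate non-compliant, which the description could say; and the parameter types are spelled `array`/`string` here while the Kubernetes definition in the same release uses `Array`/`String`. The example sentence in the parameter description ("if certificate create with ... then the certificate create will be allowed") would also read better as "if a certificate is created by a CA with CN = Contoso ... then the creation is allowed".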
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.2-preview",
"version": "1.0.3-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.2-preview",
"version": "1.0.3-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -107,14 +107,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Safeguards to modify node labels on individual nodes."
"description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Safeguards to modify node labels on individual nodes."
"description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
}
}
},
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
{
"properties": {
"displayName": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled",
"description": "Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate.",
"displayName": "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation",
"description": "Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "SQL"
},
"version": "1.1.0",
"version": "1.2.0",
"parameters": {
"effect": {
"type": "String",
Expand All @@ -26,44 +26,20 @@
},
"policyRule": {
"if": {
"anyOf": [
"allOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/managedInstances"
},
{
"anyOf": [
{
"field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
"exists": false
},
{
"field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
"equals": "false"
}
]
}
]
"field": "type",
"equals": "Microsoft.Sql/managedInstances"
},
{
"allOf": [
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications"
"field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
"exists": false
},
{
"anyOf": [
{
"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
"exists": false
},
{
"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
"equals": "false"
}
]
"field": "Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication",
"equals": false
}
]
}
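Review bot: Dropping the `Microsoft.Sql/managedInstances/azureADOnlyAuthentications` branch narrows this definition to the create-time `administrators.azureADOnlyAuthentication` property, so an existing assignment of the previous version silently loses its check on local authentication being re-enabled afterwards, while the version only moves from 1.1.0 to 1.2.0. The new description does say so and points at the initiative, but nothing names the companion definition for the child resource that is added elsewhere in this release; consider adding `Assign 'Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled' as well to detect local authentication being enabled after creation.` to the description, or a major version bump if the project treats reduced coverage as a breaking change. The `"equals": "false"` to `"equals": false` change is consistent with that new child-resource definition, which also compares against a boolean. The same narrowing is made in the `Microsoft.Sql/servers` definition further down this page and the same note applies there. The `then` block of this policyRule lies outside the hunk.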
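--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,55 @@
+{
+"properties": {
+"displayName": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled",
+"description": "Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.",
+"policyType": "BuiltIn",
+"mode": "All",
+"metadata": {
+"version": "1.0.0",
+"category": "SQL"
+},
+"version": "1.0.0",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy"
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications"
+},
+{
+"anyOf": [
+{
+"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
+"exists": false
+},
+{
+"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
+"equals": false
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b",
+"name": "0c28c3fb-c244-42d5-a9bf-f35f2999577b"
+}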
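Review bot: The description states "It does block local authentication from being enabled on resources after create", but `defaultValue` is `Audit`, so an assignment that keeps the default only reports such a change; blocking happens only with the `Deny` effect. Suggest `With the 'Deny' effect, it blocks local authentication from being enabled on resources after create; with 'Audit' it only reports it.` so the text does not overstate the default behaviour. The displayName is also identical to the displayName the existing managed-instance definition carried before this release renamed it to "... during creation", which can confuse operators who locate definitions by name across versions; a distinguishing suffix would help.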
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
{
"properties": {
"displayName": "Azure SQL Database should have Microsoft Entra-only authentication enabled",
"description": "Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate.",
"displayName": "Azure SQL Database should have Microsoft Entra-only authentication enabled during creation",
"description": "Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "SQL"
},
"version": "1.1.0",
"version": "1.2.0",
"parameters": {
"effect": {
"type": "String",
Expand All @@ -26,52 +26,24 @@
},
"policyRule": {
"if": {
"anyOf": [
"allOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
},
{
"value": "[resourcegroup().managedBy]",
"notContains": "/providers/Microsoft.Synapse/"
},
{
"anyOf": [
{
"field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
"exists": false
},
{
"field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
"equals": "false"
}
]
}
]
"field": "type",
"equals": "Microsoft.Sql/servers"
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/azureADOnlyAuthentications"
},
"value": "[resourcegroup().managedBy]",
"notContains": "/providers/Microsoft.Synapse/"
},
{
"anyOf": [
{
"value": "[resourcegroup().managedBy]",
"notContains": "/providers/Microsoft.Synapse/"
"field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
"exists": false
},
{
"anyOf": [
{
"field": "Microsoft.Sql/servers/azureADOnlyAuthentications/azureADOnlyAuthentication",
"exists": false
},
{
"field": "Microsoft.Sql/servers/azureADOnlyAuthentications/azureADOnlyAuthentication",
"equals": "false"
}
]
"field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
"equals": false
}
]
}