Built-in Policy Release 5ee9af9d (#1364)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
Azure · Aug 9, 2024 · 181ac23 · 181ac23
1 parent f5783b7
commit 181ac23
Show file tree

Hide file tree

Showing 7 changed files with 240 additions and 19 deletions.
diff --git a/built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json b/built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json
@@ -0,0 +1,50 @@
+{
+  "properties": {
+    "displayName": "Azure Cache for Redis should not use access keys for authentication",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Cache"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Cache/Redis"
+          },
+          {
+            "field": "Microsoft.Cache/Redis/disableAccessKeyAuthentication",
+            "equals": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/3827af20-8f80-4b15-8300-6db0873ec901",
+  "name": "3827af20-8f80-4b15-8300-6db0873ec901"
+}
diff --git a/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json b/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json
@@ -1,14 +1,14 @@
 {
   "properties": {
-    "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key",
+    "displayName": "Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.",
+    "description": "Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.",
     "metadata": {
-      "version": "2.1.0",
+      "version": "2.2.0",
       "category": "Cognitive Services"
     },
-    "version": "2.1.0",
+    "version": "2.2.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -31,13 +31,21 @@
         },
         "defaultValue": [
           "CognitiveServices",
-          "Knowledge",
+          "ContentSafety",
+          "ImmersiveReader",
+          "HealthInsights",
+          "LUIS.Authoring",
           "LUIS",
           "QnAMaker",
-          "TextAnalytics",
-          "ComputerVision",
-          "HealthDecisionSupport",
-          "ImmersiveReader"
+          "QnAMaker.V2",
+          "AIServices",
+          "MetricsAdvisor",
+          "SpeechTranslation",
+          "Internal.AllInOne",
+          "ConversationalLanguageUnderstanding",
+          "knowledge",
+          "TranscriptionIntelligence",
+          "HealthDecisionSupport"
         ]
       }
     },
@@ -63,6 +71,7 @@
       }
     },
     "versions": [
+      "2.2.0",
       "2.1.0"
     ]
   },

diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json b/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json
@@ -0,0 +1,78 @@
+{
+  "properties": {
+    "displayName": "Enable threat protection for AI workloads",
+    "policyType": "BuiltIn",
+    "mode": "All",
+    "description": "Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home grown Generative AI powered applications",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "defaultValue": "DeployIfNotExists",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.Resources/subscriptions"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Security/pricings",
+          "name": "AI",
+          "deploymentScope": "subscription",
+          "existenceScope": "subscription",
+          "roleDefinitionIds": [
+            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+          ],
+          "existenceCondition": {
+            "field": "Microsoft.Security/pricings/pricingTier",
+            "equals": "Standard"
+          },
+          "deployment": {
+            "location": "westeurope",
+            "properties": {
+              "mode": "incremental",
+              "parameters": {},
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {},
+                "variables": {},
+                "resources": [
+                  {
+                    "type": "Microsoft.Security/pricings",
+                    "apiVersion": "2023-01-01",
+                    "name": "AI",
+                    "properties": {
+                      "pricingTier": "Standard"
+                    }
+                  }
+                ],
+                "outputs": {}
+              }
+            }
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/7e92882a-2f8a-4991-9bc4-d3147d40abb0",
+  "name": "7e92882a-2f8a-4991-9bc4-d3147d40abb0"
+}
diff --git a/...n-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/...n-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
     "metadata": {
-      "version": "47.22.0",
+      "version": "47.24.0",
       "category": "Security Center"
     },
-    "version": "47.22.0",
+    "version": "47.24.0",
     "policyDefinitionGroups": [
       {
         "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -513,6 +513,18 @@
           "description": "Enable or disable reporting of system updates"
         }
       },
+      "systemUpdatesAutoAssessmentModeEffect": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Machines should be configured to periodically check for missing system updates",
+          "description": "Enable or disable monitoring of assessment mode"
+        }
+      },
       "systemConfigurationsMonitoringEffect": {
         "type": "string",
         "defaultValue": "AuditIfNotExists",
@@ -5159,6 +5171,19 @@
           "Azure_Security_Benchmark_v3.0_PV-6"
         ]
       },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9",
+        "definitionVersion": "3.*.*-preview",
+        "policyDefinitionReferenceId": "systemUpdatesAutoAssessmentMode",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('systemUpdatesAutoAssessmentModeEffect')]"
+          }
+        },
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_PV-6"
+        ]
+      },
       {
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
         "definitionVersion": "3.*.*",
@@ -6705,6 +6730,22 @@
           "Azure_Security_Benchmark_v3.0_NS-2"
         ]
       },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "diagnosticLogsInAzureAIServicesResourcesShouldBeEnabledMonitoring",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_LT-3"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "azureAIServicesResourcesShouldUseAzurePrivateLinkMonitoring",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_NS-2"
+        ]
+      },
       {
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
         "definitionVersion": "1.*.*",
@@ -7115,6 +7156,8 @@
       }
     ],
     "versions": [
+      "47.24.0",
+      "47.23.0",
       "47.22.0",
       "47.21.0",
       "47.20.0",

diff --git a/...SetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json b/...SetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json
@@ -4,11 +4,11 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.0.1-preview",
       "category": "Regulatory Compliance",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1-preview",
     "policyDefinitionGroups": [
       {
         "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.1",
@@ -360,7 +360,7 @@
         ],
         "defaultValue": [],
         "metadata": {
-          "description": "Any non-global resources attempted to be deployed outsize of this region will be",
+          "description": "Any non-global resources attempted to be deployed outsize of this region will be blocked by default.",
           "displayName": "The list of Azure regions that are approved for usage",
           "strongType": "location"
         },
@@ -579,6 +579,7 @@
       }
     ],
     "versions": [
+      "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/...policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json b/...policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json
@@ -5,14 +5,18 @@
     "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
     "metadata": {
       "category": "Regulatory Compliance",
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "policyDefinitionGroups": [
       {
         "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.1",
         "name": "SO.1 - Data Residency"
+      },
+      {
+        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.5",
+        "name": "SO.5 - Trusted Launch"
       }
     ],
     "parameters": {
@@ -88,7 +92,7 @@
         ],
         "defaultValue": [],
         "metadata": {
-          "description": "Any non-global resources attempted to be deployed outsize of this region will be.",
+          "description": "Any non-global resources attempted to be deployed outsize of this region will be blocked by default.",
           "displayName": "The list of Azure regions that are approved for usage",
           "strongType": "location"
         },
@@ -137,9 +141,28 @@
         },
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684",
         "policyDefinitionReferenceId": "AllowedLocationsForAzureCosmosDB"
+      },
+      {
+        "definitionVersion": "1.*.*",
+        "groupNames": [
+          "SO.5 - Trusted Launch"
+        ],
+        "parameters": {},
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa",
+        "policyDefinitionReferenceId": "SupportTrustedLaunchVmImages"
+      },
+      {
+        "definitionVersion": "1.*.*",
+        "groupNames": [
+          "SO.5 - Trusted Launch"
+        ],
+        "parameters": {},
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf",
+        "policyDefinitionReferenceId": "EnableTrustedLaunchVmImages"
       }
     ],
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },