From 181ac23c0621bf02ffc676ba5869cd35965bac92 Mon Sep 17 00:00:00 2001 From: gokmen-msft <48890186+gokmen-msft@users.noreply.github.com> Date: Thu, 8 Aug 2024 20:40:44 -0700 Subject: [PATCH] Built-in Policy Release 5ee9af9d (#1364) Co-authored-by: Azure Policy Bot --- ...edisCache_DisableAccessKeysAuth_Audit.json | 50 ++++++++++++ .../CustomerManagedKey_Audit.json | 27 ++++--- .../ASC_Azure_Defender_AI_DINE.json | 78 +++++++++++++++++++ .../Security Center/AzureSecurityCenter.json | 47 ++++++++++- ...eignty_Baseline_Confidential_Policies.json | 7 +- ..._Sovereignty_Baseline_Global_Policies.json | 29 ++++++- .../Security Center/AzureSecurityCenter.json | 21 ++++- 7 files changed, 240 insertions(+), 19 deletions(-) create mode 100644 built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json create mode 100644 built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json diff --git a/built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json b/built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json new file mode 100644 index 000000000..89a49dd1e --- /dev/null +++ b/built-in-policies/policyDefinitions/Cache/RedisCache_DisableAccessKeysAuth_Audit.json 
@@ -0,0 +1,50 @@
+{
+ "properties": {
+ "displayName": "Azure Cache for Redis should not use access keys for authentication",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/Redis"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/disableAccessKeyAuthentication",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/3827af20-8f80-4b15-8300-6db0873ec901",
+ "name": "3827af20-8f80-4b15-8300-6db0873ec901"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json b/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json
index 3358622a6..30c12e844 100644
--- a/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json
+++ b/built-in-policies/policyDefinitions/Cognitive Services/CustomerManagedKey_Audit.json
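Review bot: The second `allOf` condition, `"equals": "false"` on `Microsoft.Cache/Redis/disableAccessKeyAuthentication`, only matches caches where the property is explicitly present with the value false; a cache whose resource JSON omits the property (the state in which access keys are still usable) evaluates as compliant, and with the `Deny` effect a create/update request that simply leaves the property out is not blocked. The usual shape for a "must be enabled" check is `"notEquals": "true"`, which also covers the absent/null case; please confirm against the provider's response whether caches that never had the setting configured return the property at all. Separately, the `description` link `aka.ms/redis/disableAccessKeyAuthentication` carries no scheme, while the other descriptions in this patch spell out `https://`.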
@@ -1,14 +1,14 @@ { "properties": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key", + "displayName": "Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.", + "description": "Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.", "metadata": { - "version": "2.1.0", + "version": "2.2.0", "category": "Cognitive Services" }, - "version": "2.1.0", + "version": "2.2.0", "parameters": { "effect": { "type": "string", @@ -31,13 +31,21 @@ }, "defaultValue": [ "CognitiveServices", - "Knowledge", + "ContentSafety", + "ImmersiveReader", + "HealthInsights", + "LUIS.Authoring", "LUIS", "QnAMaker", - "TextAnalytics", - "ComputerVision", - "HealthDecisionSupport", - "ImmersiveReader" + "QnAMaker.V2", + "AIServices", + "MetricsAdvisor", + "SpeechTranslation", + "Internal.AllInOne", + "ConversationalLanguageUnderstanding", + "knowledge", + "TranscriptionIntelligence", + "HealthDecisionSupport" ] } }, @@ -63,6 +71,7 @@ } }, "versions": [ + "2.2.0", "2.1.0" ] }, 
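Review bot: The new `defaultValue` list in the `@@ -31,13 +31,21 @@` hunk drops `TextAnalytics` and `ComputerVision` (both present on the removed lines), and neither the rewritten `description` nor the version bump (2.1.0 → 2.2.0, a minor change) calls that out; if the rule, which lies outside this hunk, uses this parameter to select which account kinds are evaluated, those kinds are silently no longer checked by default and existing assignments relying on the default lose coverage. A sentence in the description, or a changelog note, telling assigners to pass the old kinds explicitly if they still need them would close that gap. Also `"knowledge"` is the only lowercase entry in an otherwise PascalCase list (the removed line read `"Knowledge"`); Azure Policy string comparisons are case-insensitive so behavior is unaffected, but `"Knowledge",` would keep the list uniform.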
diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json b/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json new file mode 100644 index 000000000..4f3d3abb4 --- /dev/null +++ b/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AI_DINE.json 
@@ -0,0 +1,78 @@
+{
+ "properties": {
+ "displayName": "Enable threat protection for AI workloads",
+ "policyType": "BuiltIn",
+ "mode": "All",
+ "description": "Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home grown Generative AI powered applications",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Security/pricings",
+ "name": "AI",
+ "deploymentScope": "subscription",
+ "existenceScope": "subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+ ],
+ "existenceCondition": {
+ "field": "Microsoft.Security/pricings/pricingTier",
+ "equals": "Standard"
+ },
+ "deployment": {
+ "location": "westeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {},
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2023-01-01",
+ "name": "AI",
+ "properties": {
+ "pricingTier": "Standard"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/7e92882a-2f8a-4991-9bc4-d3147d40abb0",
+ "name": "7e92882a-2f8a-4991-9bc4-d3147d40abb0"
+}
\ No newline at end of file
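Review bot: The `description` does not say what the remediation does: with the default `DeployIfNotExists` effect, the embedded template writes the `AI` entry of `Microsoft.Security/pricings` with `"pricingTier": "Standard"` at subscription scope, i.e. it switches on a billable Defender plan rather than merely reporting on it, and `Audit` is not among the `allowedValues`. Assigners choosing between `DeployIfNotExists` and `Disabled` need that stated up front; a second sentence such as `When the effect is DeployIfNotExists, the policy enables the Defender for AI workloads plan (pricingTier Standard) on every in-scope subscription.` would do, and the existing sentence should end with a period like the other descriptions in this patch. The hard-coded `"location": "westeurope"` for the deployment metadata is presumably the repository convention for subscription-scope DeployIfNotExists definitions; worth confirming it is valid for every cloud this definition is published to, given this patch also maintains a separate Azure Government initiative.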
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json index f8101181f..9ebba5746 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.", "metadata": { - "version": "47.22.0", + "version": "47.24.0", "category": "Security Center" }, - "version": "47.22.0", + "version": "47.24.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v3.0_NS-1", @@ -513,6 +513,18 @@ "description": "Enable or disable reporting of system updates" } }, + "systemUpdatesAutoAssessmentModeEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Machines should be configured to periodically check for missing system updates", + "description": "Enable or disable monitoring of assessment mode" + } + }, "systemConfigurationsMonitoringEffect": { "type": "string", "defaultValue": "AuditIfNotExists", 
@@ -5159,6 +5171,19 @@ "Azure_Security_Benchmark_v3.0_PV-6" ] }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9", + "definitionVersion": "3.*.*-preview", + "policyDefinitionReferenceId": "systemUpdatesAutoAssessmentMode", + "parameters": { + "effect": { + "value": "[parameters('systemUpdatesAutoAssessmentModeEffect')]" + } + }, + "groupNames": [ + "Azure_Security_Benchmark_v3.0_PV-6" + ] + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c", "definitionVersion": "3.*.*", @@ -6705,6 +6730,22 @@ "Azure_Security_Benchmark_v3.0_NS-2" ] }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "diagnosticLogsInAzureAIServicesResourcesShouldBeEnabledMonitoring", + "groupNames": [ + "Azure_Security_Benchmark_v3.0_LT-3" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "azureAIServicesResourcesShouldUseAzurePrivateLinkMonitoring", + "groupNames": [ + "Azure_Security_Benchmark_v3.0_NS-2" + ] + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "definitionVersion": "1.*.*", @@ -7115,6 +7156,8 @@ } ], "versions": [ + "47.24.0", + "47.23.0", "47.22.0", "47.21.0", "47.20.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json index 0a9a750bb..9574360e2 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json 
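Review bot: The two references added in the `@@ -6705,6 +6730,22 @@` hunk (`diagnosticLogsInAzureAIServicesResourcesShouldBeEnabledMonitoring` and `azureAIServicesResourcesShouldUseAzurePrivateLinkMonitoring`) carry no `parameters` block, whereas the `systemUpdatesAutoAssessmentMode` reference added in the `@@ -5159,6 +5171,19 @@` hunk wires its effect to a new initiative parameter (`[parameters('systemUpdatesAutoAssessmentModeEffect')]`); if the two AI definitions expose an `effect` parameter, assignments of this initiative cannot tune or disable those checks individually. Consider adding matching `...Effect` initiative parameters for both, as was done for the system-updates reference. The same pair is added without parameters to the public `AzureSecurityCenter.json` later in this patch. Separately, the `versions` list in the `@@ -7115,6 +7156,8 @@` hunk gains both `47.24.0` and `47.23.0` while the version field moves from `47.22.0` straight to `47.24.0`; if 47.23.0 was never published from this file, that entry should be dropped so the list matches the bump history.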
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies", "metadata": { - "version": "1.0.0-preview", + "version": "1.0.1-preview", "category": "Regulatory Compliance", "preview": true }, - "version": "1.0.0-preview", + "version": "1.0.1-preview", "policyDefinitionGroups": [ { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.1", @@ -360,7 +360,7 @@ ], "defaultValue": [], "metadata": { - "description": "Any non-global resources attempted to be deployed outsize of this region will be", + "description": "Any non-global resources attempted to be deployed outsize of this region will be blocked by default.", "displayName": "The list of Azure regions that are approved for usage", "strongType": "location" }, @@ -579,6 +579,7 @@ } ], "versions": [ + "1.0.1-PREVIEW", "1.0.0-PREVIEW" ] }, diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json index cf94e162f..184bd7616 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json 
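Review bot: The parameter `description` in the `@@ -360,7 +360,7 @@` hunk is completed to end in `will be blocked by default.` but still reads `outsize of this region`; since the line is being rewritten anyway it should read `"description": "Any non-global resources attempted to be deployed outside of this region will be blocked by default.",`. The same typo is carried into the identical string in `MCfS_Sovereignty_Baseline_Global_Policies.json` (its `@@ -88,7 +92,7 @@` hunk). This is the help text assigners see for the approved-regions list, so it is worth fixing before the preview versions are cut.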
@@ -5,14 +5,18 @@ "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies", "metadata": { "category": "Regulatory Compliance", - "version": "1.0.0-preview", + "version": "1.1.0-preview", "preview": true }, - "version": "1.0.0-preview", + "version": "1.1.0-preview", "policyDefinitionGroups": [ { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.1", "name": "SO.1 - Data Residency" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.5", + "name": "SO.5 - Trusted Launch" } ], "parameters": { @@ -88,7 +92,7 @@ ], "defaultValue": [], "metadata": { - "description": "Any non-global resources attempted to be deployed outsize of this region will be.", + "description": "Any non-global resources attempted to be deployed outsize of this region will be blocked by default.", "displayName": "The list of Azure regions that are approved for usage", "strongType": "location" }, 
@@ -137,9 +141,28 @@ }, "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684", "policyDefinitionReferenceId": "AllowedLocationsForAzureCosmosDB" + }, + { + "definitionVersion": "1.*.*", + "groupNames": [ + "SO.5 - Trusted Launch" + ], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa", + "policyDefinitionReferenceId": "SupportTrustedLaunchVmImages" + }, + { + "definitionVersion": "1.*.*", + "groupNames": [ + "SO.5 - Trusted Launch" + ], + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf", + "policyDefinitionReferenceId": "EnableTrustedLaunchVmImages" } ], "versions": [ + "1.1.0-PREVIEW", "1.0.0-PREVIEW" ] }, diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json index fb4faa955..c04e76b1a 100644 --- a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json +++ b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.", "metadata": { - "version": "57.41.0", + "version": "57.42.0", "category": "Security Center" }, - "version": "57.41.0", + "version": "57.42.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v3.0_NS-1", 
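Review bot: Both new references (`SupportTrustedLaunchVmImages` and `EnableTrustedLaunchVmImages`) pass `"parameters": {}`, so if the referenced definitions expose an `effect` parameter the initiative freezes their defaults and an assignment cannot choose between audit and deny for trusted launch, or switch one of the two off, without leaving the initiative. The initiative's other references visibly forward parameters (the `}` closing a parameters block precedes the `AllowedLocationsForAzureCosmosDB` reference in the context lines), and the sovereignty baselines are described in this patch as denying by default, so the effective mode of these two should be deliberate and assignable; consider surfacing `effect` as initiative parameters alongside the existing ones (the `parameters` block of this file starts outside the hunk).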
@@ -8049,6 +8049,22 @@ "Azure_Security_Benchmark_v3.0_NS-2" ] }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "diagnosticLogsInAzureAIServicesResourcesShouldBeEnabledMonitoring", + "groupNames": [ + "Azure_Security_Benchmark_v3.0_LT-3" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "azureAIServicesResourcesShouldUseAzurePrivateLinkMonitoring", + "groupNames": [ + "Azure_Security_Benchmark_v3.0_NS-2" + ] + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "definitionVersion": "1.*.*", @@ -8742,6 +8758,7 @@ } ], "versions": [ + "57.42.0", "57.41.0", "57.40.0", "57.39.0",