Built-in Policy Release 4c6a4f6a
Azure Policy Bot committed Jul 24, 2024
1 parent 2f77e26 commit ecd20eb
Showing 6 changed files with 158 additions and 44 deletions.
@@ -0,0 +1,77 @@
{
"properties": {
"displayName": "Azure AI Services resources should use Azure Private Link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview",
"metadata": {
"version": "1.0.0",
"category": "Azure Ai Services"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.CognitiveServices/accounts"
},
{
"count": {
"field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]",
"where": {
"field": "Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
"equals": "Approved"
}
},
"less": 1
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Search/searchServices"
},
{
"count": {
"field": "Microsoft.Search/searchServices/privateEndpointConnections[*]",
"where": {
"field": "Microsoft.Search/searchServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
"equals": "Approved"
}
},
"less": 1
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
"name": "d6759c02-b87f-42b7-892e-71b3f471d782"
}
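Review bot: The `count`/`less: 1` conditions in `policyRule.if` report a Cognitive Services or Search resource compliant as soon as a single private endpoint connection is `Approved`; they do not look at the resource's public network access setting, so an account that has an approved private endpoint but still accepts public traffic passes this audit. If "uses Private Link" is all the definition is meant to assert that is fine, but the description's "reduces data leakage risks" wording suggests stronger intent, so state the limit in `description`, e.g. `This policy audits only that an approved private endpoint connection exists; it does not evaluate public network access.`, or pair it in initiatives with a public-network-access policy. `allowedValues` offers only `Audit` and `Disabled`, so there is no `Deny` path; worth saying in the parameter description. The metadata `category` reads `Azure Ai Services` while the display name uses `AI`; if that string must match an existing category value leave it, otherwise align the casing.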
@@ -1,14 +1,15 @@
{
"properties": {
"displayName": "Cognitive Services should use private link",
"displayName": "[Deprecated]: Cognitive Services should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.",
"metadata": {
"version": "3.0.0",
"category": "Cognitive Services"
"version": "3.0.1-deprecated",
"category": "Cognitive Services",
"deprecated": true
},
"version": "3.0.0",
"version": "3.0.1",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -47,6 +48,7 @@
}
},
"versions": [
"3.0.1",
"3.0.0"
]
},
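Review bot: The deprecated definition's `description` is left untouched, so nothing in the document points a reader to the replacement; the `[Deprecated]:` prefix on `displayName` and `"deprecated": true` mark the state but not the successor. Presumably the new definition added in this commit (id `d6759c02-b87f-42b7-892e-71b3f471d782`, which covers both Cognitive Services accounts and Search services) is that successor; if so, prefix the description with a sentence such as `This policy is deprecated; use 'Azure AI Services resources should use Azure Private Link' instead.` The same applies to the Cognitive Search deprecation later in this commit (the second `@@ -1,14 +1,15 @@` hunk).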
Expand Up @@ -5,10 +5,10 @@
"mode": "Indexed",
"description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
"metadata": {
"version": "1.5.0",
"version": "1.6.0",
"category": "Monitoring"
},
"version": "1.5.0",
"version": "1.6.0",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -101,32 +101,53 @@
"field": "location",
"in": [
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"brazilsoutheast",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centraluseuap",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"francesouth",
"germanynorth",
"germanywestcentral",
"israelcentral",
"italynorth",
"japaneast",
"japanwest",
"jioindiacentral",
"jioindiawest",
"koreacentral",
"koreasouth",
"malaysiasouth",
"mexicocentral",
"northcentralus",
"northeurope",
"norwayeast",
"norwaywest",
"polandcentral",
"qatarcentral",
"southafricanorth",
"southafricawest",
"southcentralus",
"southeastasia",
"southindia",
"spaincentral",
"swedencentral",
"swedensouth",
"switzerlandnorth",
"switzerlandwest",
"taiwannorth",
"taiwannorthwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
Expand All @@ -135,6 +156,7 @@
"westindia",
"westus",
"westus2",
"westus3",
"chinaeast",
"chinaeast2",
"chinaeast3",
Expand Down Expand Up @@ -436,6 +458,7 @@
}
},
"versions": [
"1.6.0",
"1.5.0",
"1.4.0"
]
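Review bot: In the `location` allow-list, `eastus2euap` is placed between `eastasia` and `eastus` while the rest of the Azure public regions are kept in alphabetical order, so the next hand-merge of regions into this list is likely to miss or duplicate entries; move it after `eastus2`, or keep the canary regions together in a trailing group the way the `china*` regions already are. The same list, including the same additions, is repeated verbatim in the Windows virtual machine definition later in this commit (its `@@ -101,32 +101,53 @@` hunk), so both copies need the same correction. Which of these regions actually support the Azure Monitor Agent extension cannot be checked from the diff; the source of the list would be worth recording in the commit message.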
Expand Up @@ -5,10 +5,10 @@
"mode": "Indexed",
"description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
"metadata": {
"version": "1.5.0",
"version": "1.6.0",
"category": "Monitoring"
},
"version": "1.5.0",
"version": "1.6.0",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -101,32 +101,53 @@
"field": "location",
"in": [
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"brazilsoutheast",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centraluseuap",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"francesouth",
"germanynorth",
"germanywestcentral",
"israelcentral",
"italynorth",
"japaneast",
"japanwest",
"jioindiacentral",
"jioindiawest",
"koreacentral",
"koreasouth",
"malaysiasouth",
"mexicocentral",
"northcentralus",
"northeurope",
"norwayeast",
"norwaywest",
"polandcentral",
"qatarcentral",
"southafricanorth",
"southafricawest",
"southcentralus",
"southeastasia",
"southindia",
"spaincentral",
"swedencentral",
"swedensouth",
"switzerlandnorth",
"switzerlandwest",
"taiwannorth",
"taiwannorthwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
Expand All @@ -135,6 +156,7 @@
"westindia",
"westus",
"westus2",
"westus3",
"chinaeast",
"chinaeast2",
"chinaeast3",
Expand Down Expand Up @@ -436,6 +458,7 @@
}
},
"versions": [
"1.6.0",
"1.5.0",
"1.4.0"
]
@@ -1,14 +1,15 @@
{
"properties": {
"displayName": "Azure Cognitive Search services should use private link",
"displayName": "[Deprecated]: Azure Cognitive Search services should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.",
"metadata": {
"version": "1.0.0",
"category": "Search"
"version": "1.0.1-deprecated",
"category": "Search",
"deprecated": true
},
"version": "1.0.0",
"version": "1.0.1",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -47,6 +48,7 @@
}
},
"versions": [
"1.0.1",
"1.0.0"
]
},
Expand Up @@ -4,9 +4,9 @@
"policyType": "BuiltIn",
"mode": "All",
"description": "Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts.\nThis policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage.",
"version": "1.3.0",
"version": "1.4.0",
"metadata": {
"version": "1.3.0",
"version": "1.4.0",
"category": "Security Center"
},
"parameters": {
Expand Down Expand Up @@ -38,7 +38,7 @@
"type": "Integer",
"metadata": {
"displayName": "Cap GB Per Month Per Storage Account",
"description": "Limit the GB to be scanned per month for each storage account within the subscription. Set to -1 for unlimited GB scanning"
"description": "Limit the GB scanned per month for each storage account within the subscription.\nValue must be an integer, 10GB or higher\nSet to -1 for unlimited scanning"
},
"defaultValue": 5000
},
Expand Down Expand Up @@ -135,7 +135,7 @@
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.2.0.0",
"contentVersion": "1.3.0.0",
"parameters": {
"isOnUploadMalwareScanningEnabled": {
"type": "String"
Expand All @@ -147,44 +147,30 @@
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2023-01-01",
"name": "StorageAccounts",
"condition": "[equals(parameters('isOnUploadMalwareScanningEnabled'), 'true')]",
"properties": {
"subPlan": "DefenderForStorageV2",
"pricingTier": "Standard",
"extensions": [
{
"name": "OnUploadMalwareScanning",
"isEnabled": "[parameters('isOnUploadMalwareScanningEnabled')]",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "[parameters('capGBPerMonthPerStorageAccount')]"
}
},
{
"name": "SensitiveDataDiscovery",
"isEnabled": "[parameters('isSensitiveDataDiscoveryEnabled')]"
}
]
"variables": {
"enabledMalwareScanningExtension": {
"name": "OnUploadMalwareScanning",
"isEnabled": "true",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "[parameters('capGBPerMonthPerStorageAccount')]"
}
},
"disabledMalwareScanningExtension": {
"name": "OnUploadMalwareScanning",
"isEnabled": "false"
},
"malwareScanningExtension": "[if(equals(parameters('isOnUploadMalwareScanningEnabled'),'true'), variables('enabledMalwareScanningExtension'), variables('disabledMalwareScanningExtension'))]"
},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2023-01-01",
"name": "StorageAccounts",
"condition": "[equals(parameters('isOnUploadMalwareScanningEnabled'), 'false')]",
"properties": {
"subPlan": "DefenderForStorageV2",
"pricingTier": "Standard",
"extensions": [
{
"name": "OnUploadMalwareScanning",
"isEnabled": "[parameters('isOnUploadMalwareScanningEnabled')]"
},
"[variables('malwareScanningExtension')]",
{
"name": "SensitiveDataDiscovery",
"isEnabled": "[parameters('isSensitiveDataDiscoveryEnabled')]"
Expand All @@ -201,6 +187,7 @@
}
},
"versions": [
"1.4.0",
"1.3.0",
"1.2.0",
"1.1.0"
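Review bot: The new `description` of the "Cap GB Per Month Per Storage Account" parameter states the value must be an integer of 10 or higher (or -1), but nothing in the parameter block enforces it; the visible block carries only `type`, `metadata` and `defaultValue`, so a value such as 5 is accepted at assignment time and presumably surfaces only when the remediation deployment fails. As far as I know Azure Policy offers no minimum constraint for `Integer` parameters, so the description is the only guard; at least make it say where an out-of-range value fails, e.g. `Values between 0 and 9 cause the Defender for Storage deployment to fail.` In the template `variables`, the enabled and disabled extension objects both hard-code `isEnabled` as the string literals `"true"`/`"false"` while `SensitiveDataDiscovery` still passes its parameter through; the `if()` in `malwareScanningExtension` already decides the branch, so this is consistent, but a one-line `"description"` on the two variables (ARM permits none, so a note in the commit message) would explain why the disabled object omits `additionalExtensionProperties`. The `Microsoft.Security/pricings` resource also no longer carries a `condition`, so the plan is now deployed on every remediation; if that is the intended fix for the previous pair of same-named conditional resources, the version bump alone does not say so.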
