diff --git a/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Audit.json b/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Audit.json
index 5bad1f300..b7a080fe3 100644
--- a/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Audit.json
+++ b/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Audit.json
@@ -3,12 +3,12 @@
 "displayName": "App Configuration stores should have local authentication methods disabled",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
+ "description": "Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "App Configuration"
 },
- "version": "1.0.0",
+ "version": "1.0.1",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Modify.json b/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Modify.json
index 15b6202cf..4f04e74e9 100644
--- a/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Modify.json
+++ b/built-in-policies/policyDefinitions/App Configuration/DisableLocalAuth_Modify.json
@@ -3,12 +3,12 @@
 "displayName": "Configure App Configuration stores to disable local authentication methods",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
+ "description": "Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "App Configuration"
 },
- "version": "1.0.0",
+ "version": "1.0.1",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Container Registry/ACR_PTCDisabled_AuditDeny.json b/built-in-policies/policyDefinitions/Container Registry/ACR_PTCDisabled_AuditDeny.json
new file mode 100644
index 000000000..394866773
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Container Registry/ACR_PTCDisabled_AuditDeny.json
@@ -0,0 +1,39 @@
+{
+ "properties": {
+ "displayName": "Container registries should prevent cache rule creation",
+ "description": "Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache.",
+ "policyType": "BuiltIn",
+ "mode": "All",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Registry"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerRegistry/registries/cacheRules"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/84497762-32b6-4ab3-80b6-732ea48b85a2",
+ "name": "84497762-32b6-4ab3-80b6-732ea48b85a2"
+}
\ No newline at end of file
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
new file mode 100644
index 000000000..cce4ab90f
--- /dev/null
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
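Review bot: The `"description"` line says this policy prevents pull through cache pulls, but with the shipped `"defaultValue": "Audit"` the rule only reports `Microsoft.ContainerRegistry/registries/cacheRules` resources that already exist; only the `Deny` effect blocks new cache rules, and neither effect removes rules created before the assignment, so an upstream-image path stays open until someone switches the parameter. Suggest wording that states the actual guarantee: `"description": "Audit or deny creation of cache rules on your Azure Container Registry so that images are not pulled through from upstream registries. Use the Deny effect to block new rules; existing rules are reported but not removed. Learn more at: https://aka.ms/acr/cache."`. Two smaller points of style: the file ends without a trailing newline (`\ No newline at end of file`), unlike the other definitions in this change, and its key order (`description` before `policyType`/`mode`) differs from the App Configuration definitions touched in the same commit.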
@@ -0,0 +1,8365 @@ +{ + "properties": { + "displayName": "NL BIO Cloud Theme", + "policyType": "BuiltIn", + "description": "This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls.", + "metadata": { + "version": "1.0.0", + "category": "Regulatory Compliance" + }, + "version": "1.0.0", + "policyDefinitionGroups": [ + { + "name": "B.01 - Laws and regulations", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01" + }, + { + "name": "B.01.1 - Legal, statutory, regulatory requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.1" + }, + { + "name": "B.01.2 - Legal, statutory, regulatory requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.2" + }, + { + "name": "B.01.3 - Legal, statutory, regulatory requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.3" + }, + { + "name": "B.01.4 - Legal, statutory, regulatory requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.4" + }, + { + "name": "B.01.5 - Contractual requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.5" + }, + { + "name": "B.01.6 - Approach", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.01.6" + }, + { + "name": "B.02 - Cloud Security Strategy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.02" + }, + { + "name": "B.02.1 - Cloud Security Strategy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.02.1" + }, + { + "name": "B.02.2 - 
Cloud Security Strategy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.02.2" + }, + { + "name": "B.02.3 - Related", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.02.3" + }, + { + "name": "B.03 - Exit strategy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.03" + }, + { + "name": "B.03.1 - Provisions", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.03.1" + }, + { + "name": "B.03.2 - Conditions", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.03.2" + }, + { + "name": "B.04 - Cloud Services Policy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.04" + }, + { + "name": "B.04.1 - Cloud beveiligingsbeleid", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.04.1" + }, + { + "name": "B.05 - Transparency", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.05" + }, + { + "name": "B.05.1 - System-description", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.05.1" + }, + { + "name": "B.05.2 - Jurisdiction", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.05.2" + }, + { + "name": "B.05.3 - Research opportunities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.05.3" + }, + { + "name": "B.05.4 - Certificates", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.05.4" + }, + { + "name": "B.06 - Risk management", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.06" + }, + { + "name": "B.06.1 - Responsibilities", + 
"additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.06.1" + }, + { + "name": "B.06.2 - Responsibilities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.06.2" + }, + { + "name": "B.06.3 - Risk management process", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.06.3" + }, + { + "name": "B.07 - IT functionality", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07" + }, + { + "name": "B.07.1 - IT functionalities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07.1" + }, + { + "name": "B.07.2 - IT functionalities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07.2" + }, + { + "name": "B.07.3 - IT functionalities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07.3" + }, + { + "name": "B.07.4 - Robuuste en beveiligde systeemketen", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07.4" + }, + { + "name": "B.07.5 - Robuuste en beveiligde systeemketen", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.07.5" + }, + { + "name": "B.08 - Business Continuïty Management", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08" + }, + { + "name": "B.08.1 - Responsibility for BCM", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.1" + }, + { + "name": "B.08.2 - Responsibility for BCM", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.2" + }, + { + "name": "B.08.3 - Responsibility for BCM", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.3" + }, + { + "name": "B.08.4 - Responsibility for BCM", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.4" + }, + { + "name": "B.08.5 - Policies and procedures", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.5" + }, + { + "name": "B.08.6 - Business continuity planning", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.6" + }, + { + "name": "B.08.7 - Verification and updating", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.7" + }, + { + "name": "B.08.8 - Verification and updating", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.8" + }, + { + "name": "B.08.9 - Computer Centers", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.08.9" + }, + { + "name": "B.09 - Privacy and protection of personal data", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09" + }, + { + "name": "B.09.1 - Security aspects and stages", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.1" + }, + { + "name": "B.09.2 - Access and privacy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.2" + }, + { + "name": "B.09.3 - Classification - labelling", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.3" + }, + { + "name": "B.09.4 - Classification - labelling", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.4" + }, + { + "name": "B.09.5 - Classification - labelling", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.5" + }, + { + "name": "B.09.6 - Ownership", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.6" + }, + { + "name": "B.09.7 - Ownership", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.7" + }, + { + "name": "B.09.8 - Location", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.09.8" + }, + { + "name": "B.10 - Security organisation", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10" + }, + { + "name": "B.10.1 - Security function", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.1" + }, + { + "name": "B.10.2 - Security function", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.2" + }, + { + "name": "B.10.3 - Organisational position", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.3" + }, + { + "name": "B.10.4 - Tasks, responsibilities and powers", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.4" + }, + { + "name": "B.10.5 - Tasks, responsibilities and powers", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.5" + }, + { + "name": "B.10.6 - Officials", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.6" + }, + { + "name": "B.10.7 - Reporting-lines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.7" + }, + { + "name": "B.10.8 - Reporting-lines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.10.8" + }, + { + "name": "B.11 - Cloud services architecture", + 
"additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.11" + }, + { + "name": "B.11.1 - Framework", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.11.1" + }, + { + "name": "B.11.2 - Coherence and dependencies", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_B.11.2" + }, + { + "name": "U.01 - Standards for Cloud Services", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.01" + }, + { + "name": "U.01.1 - National standards", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.01.1" + }, + { + "name": "U.01.2 - International standards", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.01.2" + }, + { + "name": "U.02 - Risk assessment", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.02" + }, + { + "name": "U.02.1 - Risk analysis", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.02.1" + }, + { + "name": "U.02.2 - Risk assessment", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.02.2" + }, + { + "name": "U.03 - Business Continuity services", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.03" + }, + { + "name": "U.03.1 - Redundancy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.03.1" + }, + { + "name": "U.03.2 - Continuity requirements", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.03.2" + }, + { + "name": "U.04 - Data and Cloud Service Recovery", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.04" + }, + { + "name": "U.04.1 - 
Restore function", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.04.1" + }, + { + "name": "U.04.2 - Restore function", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.04.2" + }, + { + "name": "U.04.3 - Tested", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.04.3" + }, + { + "name": "U.05 - Data protection", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.05" + }, + { + "name": "U.05.1 - Cryptographic measures", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.05.1" + }, + { + "name": "U.05.2 - Cryptographic measures", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.05.2" + }, + { + "name": "U.06 - Data retention and data destruction", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06" + }, + { + "name": "U.06.1 - Retention period", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06.1" + }, + { + "name": "U.06.2 - Technology-independent consultable", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06.2" + }, + { + "name": "U.06.3 - Immutable", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06.3" + }, + { + "name": "U.06.4 - Destroyed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06.4" + }, + { + "name": "U.06.5 - Destroyed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.06.5" + }, + { + "name": "U.07 - Data separation", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.07" + }, + { + "name": "U.07.1 - 
Isolated", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.07.1" + }, + { + "name": "U.07.2 - Isolated", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.07.2" + }, + { + "name": "U.07.3 - Management features", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.07.3" + }, + { + "name": "U.08 - Separation of services", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.08" + }, + { + "name": "U.08.1 - Divorced", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.08.1" + }, + { + "name": "U.09 - Malware Protection", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.09" + }, + { + "name": "U.09.1 - Controls", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.09.1" + }, + { + "name": "U.09.2 - Controls", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.09.2" + }, + { + "name": "U.09.3 - Detection, prevention and recovery", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.09.3" + }, + { + "name": "U.10 - Access to IT services and data", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10" + }, + { + "name": "U.10.1 - Users", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10.1" + }, + { + "name": "U.10.2 - Users", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10.2" + }, + { + "name": "U.10.3 - Users", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10.3" + }, + { + "name": "U.10.4 - Competent", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10.4" + }, + { + "name": "U.10.5 - Competent", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.10.5" + }, + { + "name": "U.11 - Crypto services", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.11" + }, + { + "name": "U.11.1 - Policy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.11.1" + }, + { + "name": "U.11.2 - Cryptographic measures", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.11.2" + }, + { + "name": "U.11.3 - Encrypted", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.11.3" + }, + { + "name": "U.12 - Interfaces", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12" + }, + { + "name": "U.12.1 - Network connections", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.1" + }, + { + "name": "U.12.2 - Network connections", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.2" + }, + { + "name": "U.12.3 - Network connections", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.3" + }, + { + "name": "U.12.4 - Network connections", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.4" + }, + { + "name": "U.12.5 - Monitored", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.5" + }, + { + "name": "U.12.6 - Monitored", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.6" + }, + { + "name": "U.12.7 - Composed", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.12.7" + }, + { + "name": "U.13 - Service Orchestration", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.13" + }, + { + "name": "U.13.1 - Coordination", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.13.1" + }, + { + "name": "U.13.2 - Service components", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.13.2" + }, + { + "name": "U.13.3 - Service components", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.13.3" + }, + { + "name": "U.14 - Interoperability and portability", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.14" + }, + { + "name": "U.14.1 - Interoperability", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.14.1" + }, + { + "name": "U.14.2 - Portability", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.14.2" + }, + { + "name": "U.15 - Logging and monitoring", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15" + }, + { + "name": "U.15.1 - Events logged", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.1" + }, + { + "name": "U.15.2 - Events logged", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.2" + }, + { + "name": "U.15.3 - Events logged", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.3" + }, + { + "name": "U.15.4 - Events logged", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.4" + }, + { + "name": "U.15.5 - Events logged", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.5" + }, + { + "name": "U.15.6 - Events logged", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.15.6" + }, + { + "name": "U.16 - Cloud Services Architecture", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.16" + }, + { + "name": "U.16.1 - Cohesion", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.16.1" + }, + { + "name": "U.17 - Multi-tenant architecture", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.17" + }, + { + "name": "U.17.1 - Encrypted", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.17.1" + }, + { + "name": "U.17.2 - Divorced", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.17.2" + }, + { + "name": "U.17.3 - Hardened", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_U.17.3" + }, + { + "name": "C.01 - Service management policy and evaluation guideline", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.01" + }, + { + "name": "C.01.1 - Directives", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.01.1" + }, + { + "name": "C.01.2 - Directives", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.01.2" + }, + { + "name": "C.01.3 - Control activities and reports", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.01.3" + }, + { + "name": "C.02 - Risk Control", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02" + }, + { + "name": "C.02.1 - Monitored and reviewed", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02.1" + }, + { + "name": "C.02.2 - Monitored and reviewed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02.2" + }, + { + "name": "C.02.3 - Monitored and reviewed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02.3" + }, + { + "name": "C.02.4 - Monitored and reviewed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02.4" + }, + { + "name": "C.02.5 - Monitored and reviewed", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.02.5" + }, + { + "name": "C.03 - Compliance and assurance", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03" + }, + { + "name": "C.03.1 - Compliancy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.1" + }, + { + "name": "C.03.2 - Compliancy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.2" + }, + { + "name": "C.03.3 - Compliancy", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.3" + }, + { + "name": "C.03.4 - Assurance", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.4" + }, + { + "name": "C.03.5 - Assurance", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.5" + }, + { + "name": "C.03.6 - Junction", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.03.6" + }, + { + "name": "C.04 - Technical vulnerability management", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04" + }, + { + "name": "C.04.1 - Technical vulnerabilities", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.1" + }, + { + "name": "C.04.2 - Technical vulnerabilities", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.2" + }, + { + "name": "C.04.3 - Timelines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.3" + }, + { + "name": "C.04.4 - Timelines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.4" + }, + { + "name": "C.04.5 - Timelines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.5" + }, + { + "name": "C.04.6 - Timelines", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.6" + }, + { + "name": "C.04.7 - Evaluated", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.7" + }, + { + "name": "C.04.8 - Evaluated", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.04.8" + }, + { + "name": "C.05 - Security Monitoring Reporting", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05" + }, + { + "name": "C.05.1 - Monitored and reported", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.1" + }, + { + "name": "C.05.2 - Monitored and reported", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.2" + }, + { + "name": "C.05.3 - Monitored and reported", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.3" + }, + { + "name": "C.05.4 - Monitored and reported", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.4" + }, + { + "name": "C.05.5 - Monitored and reported", + "additionalMetadataId": 
"/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.5" + }, + { + "name": "C.05.6 - Monitored and reported", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.05.6" + }, + { + "name": "C.06 - Management organisation cloud services", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.06" + }, + { + "name": "C.06.1 - Process structure", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.06.1" + }, + { + "name": "C.06.2 - Tasks, responsibilities and powers", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.06.2" + }, + { + "name": "C.06.3 - Officials", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/NL_BIO_Cloud_Theme_C.06.3" + } + ], + "parameters": { + "listOfAllowedLocations": { + "type": "array", + "defaultValue": [ + "europe", + "global", + "westeurope", + "northeurope" + ], + "allowedValues": [ + "europe", + "france", + "francecentral", + "francesouth", + "germany", + "germanynorth", + "germanywestcentral", + "global", + "northeurope", + "norway", + "norwayeast", + "norwaywest", + "swedencentral", + "switzerland", + "switzerlandnorth", + "switzerlandwest", + "westeurope" + ], + "metadata": { + "displayName": "Allowed locations", + "description": "The list of locations that can be specified when deploying resources", + "strongType": "location" + } + }, + "IncludeArcMachines": { + "type": "string", + "metadata": { + "displayName": "Include Arc connected servers for Guest Configuration policies", + "description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine." 
+ }, + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "false" + }, + "listOfResourceTypesWithDiagnosticLogsEnabled": { + "type": "Array", + "metadata": { + "displayName": "List of resource types that should have resource logs enabled", + "strongType": "resourceTypes" + }, + "defaultValue": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + 
"Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ] + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Logs Enabled" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Metrics Enabled" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfImageIdToInclude_windows": { + "type": "Array", + "metadata": { + "displayName": "Optional: List of virtual machine images that have supported Windows OS to add to scope", + "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "listOfImageIdToInclude_linux": { + "type": "Array", + "metadata": { + "displayName": "Optional: List of virtual machine images that have supported Linux OS to add to scope", + "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "dataBoxSkusForDoubleEncryption": { + "type": "Array", + "defaultValue": [ + "DataBox", + "DataBoxHeavy" + ], + "allowedValues": [ + "DataBox", + "DataBoxHeavy" + ], + "metadata": { + "displayName": "Azure Data Box SKUs that support software-based double encryption", + "description": "The list of Azure Data Box SKUs that support software-based double encryption" + } + }, + "NotAvailableMachineState": { + "type": "String", + "defaultValue": "Compliant", + "allowedValues": [ + "Compliant", + "Non-Compliant" + ], + "metadata": { + "displayName": "Status if Windows Defender is not available on machine", + "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. 
Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant." + } + }, + "effect-feedbf84-6b99-488c-acc2-71c829aa5ffc": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: SQL databases should have vulnerability findings resolved", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-da0f98fe-a24b-4ad5-af69-bd0400233661": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Audit Windows machines that do not store passwords using reversible encryption", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect for policy: Function App should only be accessible over HTTPS", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a4af4a39-4135-47fb-b175-47fbdf85311d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Web Application should only be accessible over HTTPS", + "description": "The effect determines what happens when the policy rule is evaluated to match; 
for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0961003e-5a0a-4549-abde-af6a37f2724d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-3657f5a0-770e-44a3-b44e-9431ba1e9735": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Automation account variables should be encrypted", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-404c3081-a854-4457-ae30-26a93ef643f9": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-617c02be-7f02-4efd-8836-3180d47b6c68": { + "type": 
"String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-17k78e20-9358-41c9-923c-fb736d382a12": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-9daedab3-fb2d-461e-b861-71790eead4f6": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: All network ports should be restricted on network security groups associated to your virtual machine", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-34c877ad-507e-4c82-993e-3452a6e0ad3c": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Storage accounts should restrict network access", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-4f11b553-d42e-4e3a-89be-32ca364cad4c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + 
], + "metadata": { + "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: There should be more than one owner assigned to your subscription", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Audit Linux machines that have accounts without passwords", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Audit Linux machines that allow remote connections from accounts without passwords", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Storage accounts should be migrated to new Azure Resource Manager 
resources", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Virtual machines should be migrated to new Azure Resource Manager resources", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-11ac78e3-31bc-4f0c-8434-37ab963cea07": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Dependency agent should be enabled for listed virtual machine images", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-e2dd799a-a932-4e9d-ac17-d473bc3c6c10": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-32133ab0-ee4b-4b44-98d6-042180979d50": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Log Analytics Extension should be enabled for listed virtual machine images", + "description": "The effect determines what happens 
when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Auditing on SQL server should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "setting": { + "type": "String", + "metadata": { + "displayName": "Desired Auditing setting" + }, + "allowedValues": [ + "enabled", + "Disabled" + ], + "defaultValue": "enabled" + }, + "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: System updates should be installed on your 
machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-08a6b96f-576e-47a2-8511-119a212d344d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Edge Hardware Center devices should have double encryption support enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1760f9d4-7206-436e-a28f-d9f3a5c8a227": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect for policy: Azure Batch pools should have disk encryption enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more 
information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure HDInsight clusters should use encryption at host to encrypt data at rest", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-24fba194-95d6-48c0-aea7-f65bf859c598": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-3a58212a-c829-4f13-9872-6371df2fd0b4": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-fc4d8e41-e223-45ea-9bf5-eada37891d87": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Virtual machines and virtual machine scale sets should have encryption at host enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + 
"effect-d9da03a1-f3c3-412a-9709-947156872263": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Double encryption should be enabled on Azure Data Explorer", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-c349d81b-9985-44ae-a8da-ff98d108ede8": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-ea0dfaed-95fb-448c-934e-d6e713ce393d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a": { + "type": 
"String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Storage accounts should have infrastructure encryption", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f4b53539-8df9-40e4-86c6-6b607703bd4e": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Disk encryption should be enabled on Azure Data Explorer", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-41425d9f-d1a5-499a-9932-f8ed8453932c": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-fb74e86f-d351-4b8d-b034-93da7391c01f": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: App Service Environment should enable internal encryption", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Service Fabric 
clusters should only use Azure Active Directory for client authentication", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-71ef260a-8f18-47b7-abcb-62d0673d94dc": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Cognitive Services accounts should have local authentication methods disabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1f314764-cb73-4fc9-b863-8eca98ac36e9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Audit usage of custom RBAC rules", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Managed identity should be used in your Function App", + "description": "The effect determines what happens when the policy rule is evaluated to match; for 
more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-2b9ad585-36bc-4615-b300-fd4435808332": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Managed identity should be used in your Web App", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Windows Defender Exploit Guard should be enabled on your machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for servers should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-26a828e1-e88f-464e-bbb3-c134a282b9de": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c": { + "type": "String", + 
"defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Web Application Firewall should be enabled for Azure Front Door entry-points", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure DDoS Protection Standard should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-bd352bd5-2853-4985-bf0d-73806b4a5744": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: IP Forwarding on your virtual machine should be disabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-013e242c-8828-4970-87b3-ab247555486d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Backup should be enabled for Virtual Machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0049a6b3-a662-4f3e-8635-39cf44ace45a": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: 
Vulnerability assessment should be enabled on your Synapse workspaces", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Key vaults should have purge protection enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "MinimumTLSVersion": { + "type": "String", + "metadata": { + "displayName": "Minimum TLS version", + "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant." + }, + "allowedValues": [ + "1.1", + "1.2" + ], + "defaultValue": "1.2" + }, + "effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Key vaults should have soft delete enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Kubernetes clusters should be accessible only over HTTPS", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "Namespace 
exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces \"kube-system\", \"gatekeeper-system\" and \"azure-arc\" are always excluded by design. \"azure-extensions-usage-system\" is optional to remove." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc", + "azure-extensions-usage-system" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "effect-399b2637-a50f-4f95-96f8-3a145476eb15": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: FTPS only should be required in your Function App", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: FTPS should be required in your Web App", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Windows web servers should be configured to use secure communication protocols", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "The effect determines what happens when 
the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Enforce SSL connection should be enabled for MySQL database servers",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Latest TLS version should be used in your Web App",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-f9d614c5-c173-4d56-95a7-b4437057d193": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-051cba44-2429-45b9-9649-46cec11c7119": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure API for FHIR should use a customer-managed key to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-0a370ff3-6cab-4e85-8995-295fd854c5b8": {
+ "type": 
"String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Container Instance container group should use customer-managed key for encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-18adea5e-f416-4d0f-8aa8-d24321e3e274": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: PostgreSQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1f68a601-6e6d-4e42-babf-3f643a047ea2": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Monitor Logs clusters should be encrypted with customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ 
"displayName": "Effect for policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Logic Apps Integration Service Environment should be encrypted with customer-managed keys",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-295fc8b1-dc9f-4f53-9c61-3f313ceab40a": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Service Bus Premium namespaces should use a customer-managed key for encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-2e94d99a-8a36-4563-bc77-810d8893b671": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-47031206-ce96-41f8-861b-6a915f3de284": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: [Preview]: IoT Hub device provisioning service data 
should be encrypted using customer-managed keys (CMK)",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure data factories should be encrypted with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-51522a96-0869-4791-82f3-981000c2c67f": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Bot Service should be encrypted with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Automation accounts should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Container registries should be encrypted with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; 
for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-64d314f6-6062-4780-a861-c23e8951bee5": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Cognitive Services accounts should enable data encryption with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-6fac406b-40ca-413b-bf8e-0bf964659c25": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Storage accounts should use customer-managed key for encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-702dd420-7fcc-42c5-afe8-4026edd20fe0": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: OS and data disks should be encrypted with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67": {
+ "type": 
"String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-81e74cea-30fd-40d5-802f-d72103c2aaaa": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: MySQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-86efb160-8de7-451d-bc08-5d475b0aadae": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ 
"Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: HPC Cache accounts should use customer-managed key for encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Batch account should use customer-managed keys to encrypt data",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-a1ad735a-e96f-45d2-a7b2-9a4932cab7ec": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Event Hub namespaces should use a customer-managed key for encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-ac01ad65-10e5-46df-bdd9-6b0cad13e1d2": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at 
rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-b5ec538c-daa0-4006-8596-35468b9148e8": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Storage account encryption scopes should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-ca91455f-eace-4f96-be59-e6e2c35b4816": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Managed disks should be double encrypted with both platform-managed and customer-managed keys",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-f7d52b2d-e161-4dfa-a82b-55e564167385": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
+ "description": "The effect determines what happens when the policy rule is 
evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-fa298e57-9444-42ba-bf04-86e8470e32c7": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-037eea7a-bd0a-46c5-9a66-03aea78705d3": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Cognitive Services accounts should restrict network access",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Cognitive Services accounts should disable public network access",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Authorized IP ranges should be defined on Kubernetes Services",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-0fda3595-9f2b-4592-8675-4231d6fa82fe": {
+ "type": 
"String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Cognitive Search services should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1b8ca024-1d5c-4dec-8995-b1a932b41780": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Public network access on Azure SQL Database should be disabled",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1c06e275-d63d-4540-b761-71f364c2111d": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Service Bus namespaces should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1d320205-c6a1-4ac6-873d-46224024e8e2": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure File Sync should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-1ee56206-5dd1-42ab-b02d-8aae8b1634ce": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure API for FHIR should use private link",
+ "description": "The 
effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-2154edb9-244f-4741-9970-660785bccdaa": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: VM Image Builder templates should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-22730e10-96f6-4aac-ad84-9383d35b5917": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Management ports should be closed on your virtual machines",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Storage accounts should restrict network access using virtual network rules",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-4b90e17e-8448-49db-875e-bd83fb6f804f": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Event Grid topics should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ 
"effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: [Preview]: Storage account public access should be disallowed",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-55615ac9-af46-4a59-874e-391cc3dfb490": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Key Vault should disable public network access",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "restrictIPAddresses": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Would you like to restrict specific IP addresses?",
+ "description": "Select (Yes) to allow or forbid a list of IP addresses. If (No), the list of IP addresses won't have any effect in the policy enforcement"
+ },
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "allowedIPAddresses": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed IP addresses",
+ "description": "Array with allowed public IP addresses. An empty array is evaluated as to allow all IPs."
+ },
+ "defaultValue": []
+ },
+ "forbiddenIPAddresses": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Forbidden IP addresses",
+ "description": "Array with forbidden public IP addresses. An empty array is evaluated as there are no forbidden IP addresses." 
+ },
+ "defaultValue": []
+ },
+ "effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-58440f8a-10c5-4151-bdce-dfbaad4a20b7": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: CosmosDB accounts should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-6edd7eda-6dd8-40f7-810d-67160c639cd9": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Storage accounts should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-72d11df1-dd8a-41f7-8925-b05b960ebafc": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Synapse workspaces should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-7698e800-9299-47a6-b3b6-5a0fee576eed": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: 
Private endpoint connections on Azure SQL Database should be enabled",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-7803067c-7d34-46e3-8c79-0ca68fc4036d": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Cache for Redis should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Cosmos DB accounts should have firewall rules",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-8b0323be-cc25-4b61-935d-002c3798c6ea": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Data Factory should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-9830b652-8523-49cc-b1b3-e17dce1127ca": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Event Grid domains should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit 
https://aka.ms/policyeffects"
+ }
+ },
+ "effect-a049bf77-880b-470f-ba6d-9f21c530cf83": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Cognitive Search service should use a SKU that supports private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-b52376f7-9612-48a1-81cd-1ffe4b61032c": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Public network access should be disabled for PostgreSQL servers",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-b8564268-eb4a-4337-89be-a19db070c59d": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Event Hub namespaces should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-bb91dfba-c30d-4263-9add-9c2384e659a6": {
+ "type": "String",
+ "defaultValue": 
"AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Non-internet-facing virtual machines should be protected with network security groups",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-ca610c1d-041c-4332-9d88-7ed3094967c7": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: App Configuration should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-cddd188c-4b82-4c48-a19d-ddf74ee66a01": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Cognitive Services should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-d0793b48-0edc-4296-a390-4c75d1bdfd71": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Container registries should not allow unrestricted network access",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-d9844e8a-1437-4aeb-a32c-0c992f056095": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Public network access should be disabled for MySQL servers",
+ 
"description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-df39c015-56a4-45de-b4a3-efe77bed320d": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: IoT Hub device provisioning service instances should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-e71308d3-144b-4262-b144-efdc3cc90517": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Subnets should be associated with a Network Security Group",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Container registries should use private link",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "effect-ee980b6d-0eca-4501-8d54-f6290fd512c3": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Azure Cognitive Search services should disable public network access",
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ 
"effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: API Management services should use a virtual network", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f39f5f49-4abf-44de-8c70-0756997bfb51": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Disk access resources should use private link", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Internet-facing virtual machines should be protected with network security groups", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Public network access should be disabled for MariaDB servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + 
"displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0fc39691-5a3f-4e3e-94ee-2e6447309ad9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Running container images should have vulnerability findings resolved", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-5f0f936f-2f01-4bf5-b6be-d423792fa562": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Container registry images should have vulnerability findings resolved", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-0e6763cc-5078-4e64-889d-ff4d9a839047": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for Key Vault should be enabled", + "description": "The effect 
determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-1c988dd6-ade4-430f-a608-2a3e5b0a6d38": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Microsoft Defender for Containers should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for App Service should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for Storage should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-6581d072-105e-4418-827f-bd446d56421b": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for SQL servers on machines should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + 
"effect-bdc59948-5574-49b3-bb91-76b7c986428d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for DNS should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-c3d20c29-b36d-48fe-808b-99a87530ad99": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for Resource Manager should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-8dfab9c4-fe7b-49ad-85e4-1e9be085358f": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + 
"allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Azure Defender for Azure SQL Database servers should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-e2c1c086-2d84-4019-bff3-c44ccd95113c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + 
"displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-fb893a29-21bb-418c-a157-e99480ec364c": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-04c4380f-3fae-46e8-96c9-30193528f602": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-057ef27e-665e-4328-8ea3-04b3122bd9fb": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Azure Data Lake Store should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Network traffic data collection agent should be installed 
on Windows virtual machines", + "description": "Enable or disable Dependency Agent for Windows VMs monitoring" + } + }, + "effect-e3e008c3-56b9-4133-8fd7-d3347377402a": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Accounts with owner permissions on Azure resources should be MFA enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-931e118d-50a1-4457-a5e4-78550e086c52": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Accounts with write permissions on Azure resources should be MFA enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Accounts with read permissions on Azure resources should be MFA enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-45e05259-1eb5-4f70-9574-baf73e9d219b": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Machine Learning workspaces should use private link", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-2393d2cf-a342-44cd-a2e2-fe0188fd1234": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure SignalR Service should use private link", + "description": "Enable or disable the execution of the policy" + } + }, + "audit_effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or 
disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effect-eb907f70-7514-460d-92b3-a5ae93b4f917": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Web PubSub Service should use private link", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0cfea604-3201-4e14-88fc-fae4c427a6c5": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Blocked accounts with owner permissions on Azure resources should be removed", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-e9ac8f8e-ce22-4355-8f04-99b911d6be52": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for Policy:Guest accounts with read permissions on Azure resources should be removed", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-94e1c2ac-cbbe-4cac-a2b5-389c812dee87": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Guest accounts with write permissions on Azure resources should be removed", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-339353f6-2387-4a45-abe4-7f529d121046": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Guest accounts with owner permissions on Azure resources should be removed", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-8d7e1fde-fe26-4b5f-8108-f8e432cbc2be": { + 
"type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Blocked accounts with read and write permissions on Azure resources should be removed", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-1c30f9cd-b84c-49cc-aa2c-9288447cc3b3": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:[Preview]: vTPM should be enabled on supported virtual machines", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-97566dd7-78ae-4997-8b36-1c7bfe0d8121": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:[Preview]: Secure Boot should be enabled on supported Windows virtual machines", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-672fe5a1-2fcd-42d7-b85d-902b6e28c6ff": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-a21f8c92-9e22-4f09-b759-50500d1d2dda": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-1cb4d9c2-f88f-4069-bee0-dba239a57b09": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + 
"metadata": { + "displayName": "Effect for policy:[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-f655e522-adff-494d-95c2-52d4f6d56a42": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-245fc9df-fa96-4414-9a0b-3738c2f7341c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Resource logs in Azure Kubernetes Service should be enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-438c38d2-3772-465a-a9cc-7a6666a275ce": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Machine Learning Workspaces should disable public network access", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-7804b5c7-01dc-4723-969b-ae300cc07ff1": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Machine Learning Computes should be in a virtual network", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0e7849de-b939-4c50-ab48-fc6b0f5eeba2": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Databricks Workspaces should disable public network access", + "description": "Enable or disable the 
execution of the policy" + } + }, + "effect-51c1490f-3319-459c-bbbc-7f391bbed753": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Databricks Clusters should disable public IP", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-258823f2-4595-4b52-b333-cc96192710d8": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Databricks Workspaces should use private link", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0ec47710-77ff-4a3d-9181-6aa50af424d0": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Geo-redundant backup should be enabled for Azure Database for MariaDB", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-48af4db5-9b8b-401c-8e74-076be876a430": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-82339799-d096-41ae-8538-b108becf0970": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Geo-redundant backup should be enabled for Azure Database for MySQL", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0a15ec92-a229-4763-bb14-0ea34a568f8d": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Policy Add-on for Kubernetes service (AKS) should be 
installed and enabled on your clusters", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-febd0533-8e55-448f-b837-bd0e06f16469": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers should only use allowed images", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy.", + "portalReview": true + } + }, + "allowedContainerImagesRegex": { + "type": "string", + "defaultValue": "^(.+){0}$", + "metadata": { + "displayName": "Allowed registry or registries regex", + "description": "The RegEx rule used to match allowed container image field in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^[^\\/]+\\.azurecr\\.io\\/.+$ and for multiple registries: ^([^\\/]+\\.azurecr\\.io|registry\\.io)\\/.+$" + } + }, + "excludedContainers": { + "type": "Array", + "metadata": { + "displayName": "Containers exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." + }, + "defaultValue": [] + }, + "effect-95edb821-ddaf-4404-9732-666045e056b4": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster should not allow privileged containers", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ } + }, + "excludedImages": { + "type": "Array", + "metadata": { + "displayName": "Image exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.", + "portalReview": true + }, + "defaultValue": [] + }, + "effect-233a2a17-77ca-4fb1-9b6b-69223d272a44": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster services should listen only on allowed ports", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + } + }, + "allowedServicePortsList": { + "type": "Array", + "defaultValue": [ + "-1" + ], + "metadata": { + "displayName": "Allowed service ports list in Kubernetes cluster", + "description": "The list of service ports allowed in a Kubernetes cluster. Array only accepts strings. Example: [\"443\", \"80\"]" + } + }, + "effect-e345eecc-fa47-480f-9e88-67dcc122b164": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ } + }, + "cpuLimit": { + "type": "string", + "defaultValue": "32", + "metadata": { + "displayName": "Max allowed CPU units in Kubernetes cluster", + "description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits" + } + }, + "memoryLimit": { + "type": "string", + "defaultValue": "64Gi", + "metadata": { + "displayName": "Max allowed memory bytes in Kubernetes cluster", + "description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits" + } + }, + "effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster pods and containers should only run with approved user and group IDs", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + } + }, + "runAsUserRule": { + "type": "String", + "metadata": { + "displayName": "Run as user rule", + "description": "The 'RunAsUser' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MustRunAsNonRoot requires the pod be submitted with non-zero runAsUser or have USER directive defined (using a numeric UID) in the image. RunAsAny allows any runAsUser to be specified", + "portalReview": true + }, + "allowedValues": [ + "MustRunAs", + "MustRunAsNonRoot", + "RunAsAny" + ], + "defaultValue": "MustRunAsNonRoot" + }, + "runAsUserRanges": { + "type": "Object", + "metadata": { + "displayName": "Allowed user ID ranges", + "description": "The user ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. 
Empty array blocks every defined value for 'MustRunAs'.", + "portalReview": true + }, + "defaultValue": { + "ranges": [] + }, + "schema": { + "type": "object", + "properties": { + "ranges": { + "type": "array", + "items": { + "type": "object", + "properties": { + "min": { + "type": "integer" + }, + "max": { + "type": "integer" + } + }, + "required": [ + "min", + "max" + ], + "additionalProperties": false + } + } + }, + "required": [ + "ranges" + ], + "additionalProperties": false + } + }, + "runAsGroupRule": { + "type": "String", + "metadata": { + "displayName": "Run as group rule", + "description": "The 'RunAsGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'RunAsGroup' be specified. RunAsAny allows any", + "portalReview": true + }, + "allowedValues": [ + "MustRunAs", + "MayRunAs", + "RunAsAny" + ], + "defaultValue": "RunAsAny" + }, + "runAsGroupRanges": { + "type": "Object", + "metadata": { + "displayName": "Allowed group ID ranges", + "description": "The group ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'.", + "portalReview": true + }, + "defaultValue": { + "ranges": [] + }, + "schema": { + "type": "object", + "properties": { + "ranges": { + "type": "array", + "items": { + "type": "object", + "properties": { + "min": { + "type": "integer" + }, + "max": { + "type": "integer" + } + }, + "required": [ + "min", + "max" + ], + "additionalProperties": false + } + } + }, + "required": [ + "ranges" + ], + "additionalProperties": false + } + }, + "supplementalGroupsRule": { + "type": "String", + "metadata": { + "displayName": "Supplemental group rule", + "description": "The 'SupplementalGroups' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'SupplementalGroups' be specified. 
RunAsAny allows any", + "portalReview": true + }, + "allowedValues": [ + "MustRunAs", + "MayRunAs", + "RunAsAny" + ], + "defaultValue": "RunAsAny" + }, + "supplementalGroupsRanges": { + "type": "Object", + "metadata": { + "displayName": "Allowed supplemental group ID ranges", + "description": "The supplemental group ID ranges that are allowed for containers to use. Set 'max' as '-1' to skip max limit evaluation. Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'.", + "portalReview": true + }, + "defaultValue": { + "ranges": [] + }, + "schema": { + "type": "object", + "properties": { + "ranges": { + "type": "array", + "items": { + "type": "object", + "properties": { + "min": { + "type": "integer" + }, + "max": { + "type": "integer" + } + }, + "required": [ + "min", + "max" + ], + "additionalProperties": false + } + } + }, + "required": [ + "ranges" + ], + "additionalProperties": false + } + }, + "fsGroupRule": { + "type": "String", + "metadata": { + "displayName": "File system group rule", + "description": "The 'FSGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'FSGroup' be specified. RunAsAny allows any", + "portalReview": true + }, + "allowedValues": [ + "MustRunAs", + "MayRunAs", + "RunAsAny" + ], + "defaultValue": "RunAsAny" + }, + "fsGroupRanges": { + "type": "Object", + "metadata": { + "displayName": "Allowed file system group ID ranges", + "description": "The file system group ranges that are allowed for pods to use. Set 'max' as '-1' to skip max limit evaluation. 
Empty array blocks every defined value for 'MustRunAs' and 'MayRunAs'.", + "portalReview": true + }, + "defaultValue": { + "ranges": [] + }, + "schema": { + "type": "object", + "properties": { + "ranges": { + "type": "array", + "items": { + "type": "object", + "properties": { + "min": { + "type": "integer" + }, + "max": { + "type": "integer" + } + }, + "required": [ + "min", + "max" + ], + "additionalProperties": false + } + } + }, + "required": [ + "ranges" + ], + "additionalProperties": false + } + }, + "effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes clusters should not allow container privilege escalation", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers should not share host process ID or host IPC namespace", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-df49d893-a74c-421d-bc95-c663042e5b80": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers should run with a read only root file system", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 
'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers should only use allowed capabilities", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "allowedCapabilities": { + "type": "Array", + "metadata": { + "displayName": "Allowed capabilities", + "description": "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything.", + "portalReview": true + }, + "defaultValue": [] + }, + "requiredDropCapabilities": { + "type": "Array", + "metadata": { + "displayName": "Required drop capabilities", + "description": "The list of capabilities that must be dropped by a container.", + "portalReview": true + }, + "defaultValue": [] + }, + "effect-511f5417-5d12-434d-ab2e-816901e72a5e": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster containers should only use allowed AppArmor profiles", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "allowedProfiles": { + "type": "Array", + "metadata": { + "displayName": "Allowed AppArmor profiles", + "description": "The list of AppArmor profiles that containers are allowed to use. E.g. [ \"runtime/default\", \"docker/default\" ]. 
Provide empty list as input to block everything.", + "portalReview": true + }, + "defaultValue": [ + "runtime/default" + ] + }, + "effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster pods should only use approved host network and port range", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "allowHostNetwork": { + "type": "Boolean", + "metadata": { + "displayName": "Allow host network usage", + "description": "Set this value to true if pod is allowed to use host network otherwise false.", + "portalReview": true + }, + "defaultValue": false + }, + "minPort": { + "type": "Integer", + "metadata": { + "displayName": "Min host port", + "description": "The minimum value in the allowable host port range that pods can use in the host network namespace.", + "portalReview": true + }, + "defaultValue": 0 + }, + "maxPort": { + "type": "Integer", + "metadata": { + "displayName": "Max host port", + "description": "The maximum value in the allowable host port range that pods can use in the host network namespace.", + "portalReview": true + }, + "defaultValue": 0 + }, + "effect-098fc59e-46c7-4d99-9b16-64990e543d75": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes cluster pod hostPath volumes should only use allowed host paths", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 
'Disabled' turns off the policy.", + "portalReview": true + } + }, + "allowedHostPaths": { + "type": "Object", + "metadata": { + "displayName": "Allowed host paths", + "description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.", + "portalReview": true + }, + "defaultValue": { + "paths": [] + }, + "schema": { + "type": "object", + "properties": { + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "pathPrefix": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "required": [ + "pathPrefix", + "readOnly" + ], + "additionalProperties": false + } + } + }, + "required": [ + "paths" + ], + "additionalProperties": false + } + }, + "effect-9f061a12-e40d-4183-a00e-171812443373": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes clusters should not use the default namespace", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-423dd1ba-798e-40e4-9c4d-b6902674b423": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes clusters should disable automounting API credentials", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 
'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-d2e7ea85-6b44-4317-a0be-1b951587f626": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities", + "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.", + "portalReview": true + } + }, + "effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-9c25c9e4-ee12-4882-afd2-11fb9d87893f": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Databricks Workspaces should be in a virtual network", + "description": "The effect determines what happens when the policy rule is evaluated to match." 
+ } + }, + "effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Function apps should have remote debugging turned off", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:App Service apps should have remote debugging turned off", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Function apps should not have CORS configured to allow every resource to access your apps", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:App Service apps should not have CORS configured to allow every resource to access your apps", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-6ba6d016-e7c3-4842-b8f2-4992ebc0d72d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:SQL servers on machines should have vulnerability findings resolved", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-e8cbc669-f12d-49eb-93e7-9273119e9933": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + 
"AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Vulnerabilities in container security configurations should be remediated", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Subscriptions should have a contact email address for security issues", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-6e2593d9-add6-4083-9c9b-4b7d2188c899": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Email notification for high severity alerts should be enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-0b15565f-aa9e-48ba-8619-45960f2c314d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Email notification to subscription owner for high severity alerts should be enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-91a78b24-f231-4a8a-8da9-02c35b2b6510": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:App Service apps should have resource logs enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-afe0c3be-ba3b-4544-ba52-0c99672a8ad6": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Resource logs in Azure Machine Learning Workspaces should be enabled", + 
"description": "Enable or disable the execution of the policy" + } + }, + "effect-138ff14d-b687-4faa-a81c-898c91a87fa2": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Resource logs in Azure Databricks Workspaces should be enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-5bb220d9-2698-4ee4-8404-b9c30c9df609": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:App Service apps should have 'Client Certificates (Incoming client certificates)' enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-eaebaea7-8013-4ceb-9d14-7eb32271373c": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Function apps should have 'Client Certificates (Incoming client certificates)' enabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-89099bee-89e0-4b26-a5f4-165451757743": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:SQL servers with auditing to storage account destination should be configured with 90 days retention or higher", + "description": "Enable or disable the execution of the policy" + } + }, + "effect-e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy:Azure Machine Learning Computes should have local authentication methods disabled", + "description": "Enable or disable the execution of the policy" + } + }, + "effects": { + "type": "String", + "metadata": { + 
"displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effect-34f95f76-5386-4de7-b824-0d8478470c9d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Logic Apps should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in IoT Hub should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-428256e6-1fac-4f48-a757-df34c2b3336d": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Batch accounts should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-475aae12-b88a-4572-8b36-9b712b2b3a17": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, 
visit https://aka.ms/policyeffects" + } + }, + "effect-83a214f7-d01a-484b-91a9-ed54470c9a6a": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Event Hub should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-a4fe33eb-e377-4efb-ab31-0784311bc499": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + 
}, + "effect-ae89ebca-1c92-4898-ac2c-9f63decb045c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Guest Configuration extension should be installed on your machines", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Search services should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Network Watcher should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "listOfLocations": { + "type": "Array", + "metadata": { + "displayName": "[Deprecated]: Locations", + "description": "Audit if Network Watcher is not enabled for region(s).", + "strongType": "location", + "deprecated": true + }, + "defaultValue": [] + }, + "resourceGroupName": { + "type": "String", + "metadata": { + "displayName": "NetworkWatcher resource group name", + "description": "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located." 
+ }, + "defaultValue": "NetworkWatcherRG" + }, + "effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Data Lake Analytics should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "requiredRetentionDays": { + "type": "String", + "metadata": { + "displayName": "Required retention (days)", + "description": "The required resource logs retention in days" + }, + "defaultValue": "365" + }, + "effect-cf820ca0-f99e-4f3e-84fb-66e913812d21": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Key Vault should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines", + 
"description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Service Bus should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Resource logs in Azure Stream Analytics should be enabled", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-496223c3-ad65-4ecd-878a-bae78737e9ed": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-7008174a-fd10-4ef0-817e-fc820a951d73": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, 
visit https://aka.ms/policyeffects" + } + }, + "LinuxPythonVersion": { + "type": "String", + "metadata": { + "displayName": "Linux Python version", + "description": "Specify a supported Python version for App Service" + }, + "defaultValue": "" + }, + "effect-7238174a-fd10-4ef0-817e-fc820a951d73": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-7261b898-8a84-4db8-9e04-18527132abb3": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "PHPLatestVersion": { + "type": "String", + "metadata": { + "displayName": "[[Deprecated]: Latest PHP version", + "description": "Latest supported PHP version for App Services", + "deprecated": true + }, + "defaultValue": "8.1" + }, + "LinuxPHPVersion": { + "type": "String", + "metadata": { + "displayName": "Linux PHP version", + "description": "Specify a supported PHP version for App Service" + }, + "defaultValue": "" + }, + "WindowsPythonLatestVersion": { + "type": "String", + "metadata": { + "displayName": "[Deprecated]: Latest Windows Python version", + "description": "Latest supported Python version for App Services", + "deprecated": true + }, + "defaultValue": "3.6" + }, + "LinuxPythonLatestVersion": { + "type": "String", + "metadata": { + "displayName": "Linux Latest 
Python version", + "description": "Latest supported Python version for App Services", + "deprecated": true + }, + "defaultValue": "3.9" + }, + "effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app", + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "JavaLatestVersion": { + "type": "String", + "metadata": { + "displayName": "[Deprecated]: Latest Java version", + "description": "Latest supported Java version for App Services", + "deprecated": true + }, + "defaultValue": "11" + }, + "LinuxJavaVersion": { + "type": "String", + "metadata": { + "displayName": "Linux Java version", + "description": "Specify a supported Java version for Function apps" + }, + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AllowedLocationsForResourceGroups", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "definitionVersion": "1.*.*", + "parameters": { + "listOfAllowedLocations": { + "value": "[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": [ + "B.01.3 - Legal, statutory, regulatory requirements" + ] + }, + { + 
"policyDefinitionReferenceId": "AllowedLocations", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "definitionVersion": "1.*.*", + "parameters": { + "listOfAllowedLocations": { + "value": "[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": [ + "B.01.3 - Legal, statutory, regulatory requirements" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorSQLVulnerabilityAssessmentResultsInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-feedbf84-6b99-488c-acc2-71c829aa5ffc')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditWindowsVmShouldNotStorePasswordsUsingReversibleEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661", + "definitionVersion": "2.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines')]" + }, + "effect": { + "value": "[parameters('effect-da0f98fe-a24b-4ad5-af69-bd0400233661')]" + } + }, + "groupNames": [ + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "FunctionAppShouldOnlyBeAccessibleOverHTTPS", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "WebApplicationShouldOnlyBeAccessibleOverHTTPS", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a4af4a39-4135-47fb-b175-47fbdf85311d')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorUnencryptedVmDisksInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0961003e-5a0a-4549-abde-af6a37f2724d')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.05.2 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AuditEnablementOfEncryptionOfAutomationAccountVariables", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-3657f5a0-770e-44a3-b44e-9431ba1e9735')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "AuditEnablingOfOnlySecureConnectionsToYourRedisCache", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "B.09.1 - Security aspects and stages", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "AuditSecureTransferToStorageAccounts", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-404c3081-a854-4457-ae30-26a93ef643f9')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "B.09.1 - Security aspects and stages", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "AuditTheSettingOfClusterprotectionlevelPropertyToEncryptandsignInServiceFabric", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-617c02be-7f02-4efd-8836-3180d47b6c68')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "AuditTransparentDataEncryptionStatus", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-17k78e20-9358-41c9-923c-fb736d382a12')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.07.3 - Management features", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorUnprotectedNetworkEndpointsInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-9daedab3-fb2d-461e-b861-71790eead4f6')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "AuditUnrestrictedNetworkAccessToStorageAccounts", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-34c877ad-507e-4c82-993e-3452a6e0ad3c')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditMaximumNumberOfOwnersForASubscription", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4f11b553-d42e-4e3a-89be-32ca364cad4c')]" + } + }, + "groupNames": [ + "B.10.2 - Security function", + "B.10.3 - Organisational position", + "B.10.4 - Tasks, responsibilities and powers", + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent", + "U.17.1 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditMinimumNumberOfOwnersForSubscription", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-09024ccc-0c5f-475e-9457-b7c0d9ed487b')]" + } + }, + "groupNames": [ + "B.10.2 - Security function", + "B.10.3 - Organisational position", + "B.10.4 - Tasks, responsibilities and powers", + "U.10.2 - Users", + "U.17.1 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditLinuxVmAccountsWithNoPasswords", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6ec09a3-78bf-4f8f-99dc-6c77182d0f99", + "definitionVersion": "3.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines')]" + }, + "effect": { + "value": "[parameters('effect-f6ec09a3-78bf-4f8f-99dc-6c77182d0f99')]" + } + }, + "groupNames": [ + "U.10.2 - 
Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditLinuxVmAllowingRemoteConnectionsFromAccountsWithNoPasswords", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023", + "definitionVersion": "3.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines')]" + }, + "effect": { + "value": "[parameters('effect-ea53dbee-c6c9-4f0e-9f9e-de0039b78023')]" + } + }, + "groupNames": [ + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "AuditUseOfClassicStorageAccounts", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606')]" + } + }, + "groupNames": [ + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "AuditUseOfClassicVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d')]" + } + }, + "groupNames": [ + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "AuditVMsThatDoNotUseManagedDisks", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d", + "definitionVersion": "1.*.*", + "parameters": {}, + "groupNames": [ + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditDependencyAgentDeploymentVmImageOSUnlisted", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07", 
+ "definitionVersion": "2.*.*", + "parameters": { + "listOfImageIdToInclude_windows": { + "value": "[parameters('listOfImageIdToInclude_windows')]" + }, + "listOfImageIdToInclude_linux": { + "value": "[parameters('listOfImageIdToInclude_linux')]" + }, + "effect": { + "value": "[parameters('effect-11ac78e3-31bc-4f0c-8434-37ab963cea07')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditDependencyAgentDeploymentInVMSSVmImageOSUnlisted", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10", + "definitionVersion": "2.*.*", + "parameters": { + "listOfImageIdToInclude_windows": { + "value": "[parameters('listOfImageIdToInclude_windows')]" + }, + "listOfImageIdToInclude_linux": { + "value": "[parameters('listOfImageIdToInclude_linux')]" + }, + "effect": { + "value": "[parameters('effect-e2dd799a-a932-4e9d-ac17-d473bc3c6c10')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentVmImageOSUnlisted", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50", + "definitionVersion": "2.*.*-preview", + "parameters": { + "listOfImageIdToInclude_windows": { + "value": "[parameters('listOfImageIdToInclude_windows')]" + }, + "listOfImageIdToInclude_linux": { + "value": "[parameters('listOfImageIdToInclude_linux')]" + }, + "effect": { + "value": "[parameters('effect-32133ab0-ee4b-4b44-98d6-042180979d50')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAuditLogAnalyticsAgentDeploymentInVMSSVmImageOSUnlisted", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138", + "definitionVersion": "2.*.*", + "parameters": { 
+ "listOfImageIdToInclude_linux": { + "value": "[parameters('listOfImageIdToInclude_linux')]" + }, + "effect": { + "value": "[parameters('effect-5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "AuditDiagnosticSetting", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9", + "definitionVersion": "2.*.*", + "parameters": { + "listOfResourceTypes": { + "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "AuditSQLServerLevelAuditingSettings", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9')]" + }, + "setting": { + "value": "[parameters('setting')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged", + "U.15.3 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorMissingEndpointProtectionInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewMonitorVmVulnerabilitiesInAzureSecurityCenter", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-501541f7-f7e7-4cd6-868c-4190fdad3ac9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "08a6b96f-576e-47a2-8511-119a212d344d", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08a6b96f-576e-47a2-8511-119a212d344d", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-08a6b96f-576e-47a2-8511-119a212d344d')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": 
"1760f9d4-7206-436e-a28f-d9f3a5c8a227", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1760f9d4-7206-436e-a28f-d9f3a5c8a227", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1760f9d4-7206-436e-a28f-d9f3a5c8a227')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureHdinsightClustersShouldUseEncryptionAtHostToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "InfrastructureEncryptionShouldBeEnabledForAzureDatabaseForPostgresqlServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/24fba194-95d6-48c0-aea7-f65bf859c598", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-24fba194-95d6-48c0-aea7-f65bf859c598')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "InfrastructureEncryptionShouldBeEnabledForAzureDatabaseForMysqlServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-3a58212a-c829-4f13-9872-6371df2fd0b4')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "fc4d8e41-e223-45ea-9bf5-eada37891d87", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-fc4d8e41-e223-45ea-9bf5-eada37891d87')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureHdinsightClustersShouldUseEncryptionInTransitToEncryptCommunicationBetweenAzureHdinsightClusterNodes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9da03a1-f3c3-412a-9709-947156872263", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-d9da03a1-f3c3-412a-9709-947156872263')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "DoubleEncryptionShouldBeEnabledOnAzureDataExplorer", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureDataBoxJobsShouldEnableDoubleEncryptionForDataAtRestOnTheDevice", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c349d81b-9985-44ae-a8da-ff98d108ede8", + "definitionVersion": "1.*.*", + "parameters": { + "supportedSKUs": { + "value": "[parameters('dataBoxSkusForDoubleEncryption')]" + }, + "effect": { + "value": "[parameters('effect-c349d81b-9985-44ae-a8da-ff98d108ede8')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureMonitorLogsClustersShouldBeCreatedWithInfrastructureDoubleEncryptionEnabled", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ea0dfaed-95fb-448c-934e-d6e713ce393d')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureStackEdgeDevicesShouldUseDoubleEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "DiskEncryptionShouldBeEnabledOnAzureDataExplorer", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f4b53539-8df9-40e4-86c6-6b607703bd4e')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "StorageAccountsShouldHaveInfrastructureEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-41425d9f-d1a5-499a-9932-f8ed8453932c')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "fb74e86f-d351-4b8d-b034-93da7391c01f", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb74e86f-d351-4b8d-b034-93da7391c01f", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-fb74e86f-d351-4b8d-b034-93da7391c01f')]" + } + }, + "groupNames": [ 
+ "U.07.3 - Management features" + ] + }, + { + "policyDefinitionReferenceId": "serviceFabricClustersShouldOnlyUseAzureActiveDirectoryForClientAuthentication", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-71ef260a-8f18-47b7-abcb-62d0673d94dc')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "anAzureActiveDirectoryAdministratorShouldBeProvisionedForSqlServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1f314764-cb73-4fc9-b863-8eca98ac36e9')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "auditUsageOfCustomRBACRules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a451c1ef-c6ca-483d-87ed-f49761e3ffb5')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": 
"0da106f2-4ca3-48e8-bc85-c638fe6aea8f", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0da106f2-4ca3-48e8-bc85-c638fe6aea8f')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "2b9ad585-36bc-4615-b300-fd4435808332", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-2b9ad585-36bc-4615-b300-fd4435808332')]" + } + }, + "groupNames": [ + "U.07.3 - Management features", + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionReferenceId": "WindowsDefenderExploitGuardShouldBeEnabledOnYourMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40", + "definitionVersion": "2.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines')]" + }, + "NotAvailableMachineState": { + "value": "[parameters('NotAvailableMachineState')]" + }, + "effect": { + "value": "[parameters('effect-bed48b13-6647-468e-aa2f-1af1d3f4dd40')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForServersShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4da35fc9-c9e7-4960-aec9-797fe7d9051d')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events 
logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "endpointProtectionSolutionShouldBeInstalledOnVirtualMachineScaleSets", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-26a828e1-e88f-464e-bbb3-c134a282b9de')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureWebApplicationFirewallShouldBeEnabledForAzureFrontDoorEntryPoints", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated", + "U.09.3 - Detection, prevention and recovery", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "dDoSProtectionStandardShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a7aca53f-2ed4-4466-a25e-0b45ade68efd')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "IPForwardingOnYourVirtualMachineShouldBeDisabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-bd352bd5-2853-4985-bf0d-73806b4a5744')]" + } + }, + "groupNames": 
[ + "U.07.1 - Isolated", + "U.09.3 - Detection, prevention and recovery", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "AuditVirtualMachinesWithoutDisasterRecoveryConfigured", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56", + "definitionVersion": "1.*.*", + "parameters": {}, + "groupNames": [ + "U.03.1 - Redundancy", + "U.03.2 - Continuity requirements", + "U.04.1 - Restore function", + "U.04.2 - Restore function", + "U.04.3 - Tested", + "U.17.1 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "EnsureProtectionOfYourAzureVirtualMachinesByEnablingAzureBackup", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-013e242c-8828-4970-87b3-ab247555486d')]" + } + }, + "groupNames": [ + "U.03.1 - Redundancy", + "U.03.2 - Continuity requirements", + "U.17.1 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilityAssessmentShouldBeEnabledOnYourSynapseWorkspaces", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0049a6b3-a662-4f3e-8635-39cf44ace45a", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0049a6b3-a662-4f3e-8635-39cf44ace45a')]" + } + }, + "groupNames": [ + "U.17.1 - Encrypted", + "C.04.3 - Timelines" + ] + }, + { + "policyDefinitionReferenceId": "KeyVaultsShouldHavePurgeProtectionEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53')]" + } + }, + "groupNames": [ + "U.04.1 - Restore function", + "U.04.2 - Restore function", + "U.04.3 - Tested" + ] + }, + { + 
"policyDefinitionReferenceId": "KeyVaultsShouldHaveSoftDeleteEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d')]" + } + }, + "groupNames": [ + "U.04.1 - Restore function", + "U.04.2 - Restore function", + "U.04.3 - Tested" + ] + }, + { + "policyDefinitionReferenceId": "KubernetesClustersShouldBeAccessibleOnlyOverHTTPS", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d')]" + }, + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces')]" + }, + "namespaces": { + "value": "[parameters('namespaces')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "FTPSOnlyShouldBeRequiredInYourFunctionApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-399b2637-a50f-4f95-96f8-3a145476eb15')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "FTPSShouldBeRequiredInYourWebApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - 
Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "WindowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocols", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112", + "definitionVersion": "4.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines')]" + }, + "MinimumTLSVersion": { + "value": "[parameters('MinimumTLSVersion')]" + }, + "effect": { + "value": "[parameters('effect-5752e6d6-1206-46d8-8ab1-ecc2f71a8112')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "EnforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-d158790f-bfb0-486c-8631-2dc6b4e8e6af')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "EnforceSSLConnectionShouldBeEnabledForMysqlDatabaseServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-e802a67a-daf5-4436-9ea6-f6d821dd0c5d')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "LatestTLSVersionShouldBeUsedInYourWebApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": 
"[parameters('effect-f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "LatestTLSVersionShouldBeUsedInYourFunctionApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f9d614c5-c173-4d56-95a7-b4437057d193')]" + } + }, + "groupNames": [ + "U.05.1 - Cryptographic measures", + "U.11.1 - Policy", + "U.11.2 - Cryptographic measures" + ] + }, + { + "policyDefinitionReferenceId": "AzureAPIForFHIRShouldUseACustomerManagedKeyToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-051cba44-2429-45b9-9649-46cec11c7119')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "SQLServerShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0a370ff3-6cab-4e85-8995-295fd854c5b8')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureContainerInstanceContainerGroupShouldUseCustomerManagedKeyForEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + 
"U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PostgresqlServersShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-18adea5e-f416-4d0f-8aa8-d24321e3e274')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureMonitorLogsClustersShouldBeEncryptedWithCustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1f68a601-6e6d-4e42-babf-3f643a047ea2')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureCosmosDBAccountsShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "LogicAppsIntegrationServiceEnvironmentShouldBeEncryptedWithCustomerManagedKeys", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "ServiceBusPremiumNamespacesShouldUseACustomerManagedKeyForEncryption", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-295fc8b1-dc9f-4f53-9c61-3f313ceab40a')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAzureRecoveryServicesVaultsShouldUseCustomerManagedKeysForEncryptingBackupData", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-2e94d99a-8a36-4563-bc77-810d8893b671')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "PreviewIotHubDeviceProvisioningServiceDataShouldBeEncryptedUsingCustomerManagedKeysCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-47031206-ce96-41f8-861b-6a915f3de284')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureDataFactoriesShouldBeEncryptedWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "BotServiceShouldBeEncryptedWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "definitionVersion": "1.*.*", + "parameters": 
{ + "effect": { + "value": "[parameters('effect-51522a96-0869-4791-82f3-981000c2c67f')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureAutomationAccountsShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "ContainerRegistriesShouldBeEncryptedWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureHdinsightClustersShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-64d314f6-6062-4780-a861-c23e8951bee5')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 
- Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "StorageAccountsShouldUseCustomerManagedKeyForEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-6fac406b-40ca-413b-bf8e-0bf964659c25')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "OSAndDataDisksShouldBeEncryptedWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-702dd420-7fcc-42c5-afe8-4026edd20fe0')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "BothOperatingSystemsAndDataDisksInAzureKubernetesServiceClustersShouldBeEncryptedByCustomerManagedKeys", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureDataExplorerEncryptionAtRestShouldUseACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-81e74cea-30fd-40d5-802f-d72103c2aaaa')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "MysqlServersShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-83cef61d-dbd1-4b20-a4fc-5fbc7da10833')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureDataBoxJobsShouldUseACustomerManagedKeyToEncryptTheDeviceUnlockPassword", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-86efb160-8de7-451d-bc08-5d475b0aadae')]" + }, + "supportedSKUs": { + "value": "[parameters('dataBoxSkusForDoubleEncryption')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureStreamAnalyticsJobsShouldUseCustomerManagedKeysToEncryptData", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "HPCCacheAccountsShouldUseCustomerManagedKeyForEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureBatchAccountShouldUseCustomerManagedKeysToEncryptData", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + 
"definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "EventHubNamespacesShouldUseACustomerManagedKeyForEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a1ad735a-e96f-45d2-a7b2-9a4932cab7ec')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstancesShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ac01ad65-10e5-46df-bdd9-6b0cad13e1d2')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "StorageAccountEncryptionScopesShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b5ec538c-daa0-4006-8596-35468b9148e8')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKey", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8')]" + } + }, + "groupNames": [ + 
"U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "ManagedDisksShouldBeDoubleEncryptedWithBothPlatformManagedAndCustomerManagedKeys", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ca91455f-eace-4f96-be59-e6e2c35b4816')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "AzureSynapseWorkspacesShouldUseCustomerManagedKeysToEncryptDataAtRest", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f7d52b2d-e161-4dfa-a82b-55e564167385')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "SavedQueriesInAzureMonitorShouldBeSavedInCustomerStorageAccountForLogsEncryption", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa298e57-9444-42ba-bf04-86e8470e32c7", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-fa298e57-9444-42ba-bf04-86e8470e32c7')]" + } + }, + "groupNames": [ + "U.05.2 - Cryptographic measures", + "U.11.3 - Encrypted" + ] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesAccountsShouldRestrictNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-037eea7a-bd0a-46c5-9a66-03aea78705d3')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesAccountsShouldDisablePublicNetworkAccess", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AuthorizedIPRangesShouldBeDefinedOnKubernetesServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0e246bcf-5f6f-4f87-bc6f-775d4712c7ea')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureCognitiveSearchServicesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fda3595-9f2b-4592-8675-4231d6fa82fe", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0fda3595-9f2b-4592-8675-4231d6fa82fe')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PublicNetworkAccessOnAzureSQLDatabaseShouldBeDisabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1b8ca024-1d5c-4dec-8995-b1a932b41780')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureServiceBusNamespacesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c06e275-d63d-4540-b761-71f364c2111d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1c06e275-d63d-4540-b761-71f364c2111d')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureFileSyncShouldUsePrivateLink", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1d320205-c6a1-4ac6-873d-46224024e8e2", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1d320205-c6a1-4ac6-873d-46224024e8e2')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureAPIForFHIRShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1ee56206-5dd1-42ab-b02d-8aae8b1634ce')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "VMImageBuilderTemplatesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-2154edb9-244f-4741-9970-660785bccdaa')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "ManagementPortsShouldBeClosedOnYourVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-22730e10-96f6-4aac-ad84-9383d35b5917')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "StorageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRules", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureEventGridTopicsShouldUsePrivateLink", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-4b90e17e-8448-49db-875e-bd83fb6f804f')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewStorageAccountPublicAccessShouldBeDisallowed", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", + "definitionVersion": "3.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAzureKeyVaultShouldDisablePublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-55615ac9-af46-4a59-874e-391cc3dfb490')]" + }, + "restrictIPAddresses": { + "value": "[parameters('restrictIPAddresses')]" + }, + "allowedIPAddresses": { + "value": "[parameters('allowedIPAddresses')]" + }, + "forbiddenIPAddresses": { + "value": "[parameters('forbiddenIPAddresses')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "WebApplicationFirewallWAFShouldBeEnabledForApplicationGateway", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated", + "U.09.3 - Detection, prevention and recovery", + "U.12.1 - Network connections", + "U.12.2 - Network connections" + ] + }, + { + "policyDefinitionReferenceId": "CosmosdbAccountsShouldUsePrivateLink", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-58440f8a-10c5-4151-bdce-dfbaad4a20b7')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "StorageAccountsShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-6edd7eda-6dd8-40f7-810d-67160c639cd9')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureSynapseWorkspacesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72d11df1-dd8a-41f7-8925-b05b960ebafc", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-72d11df1-dd8a-41f7-8925-b05b960ebafc')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PrivateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7698e800-9299-47a6-b3b6-5a0fee576eed')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureCacheForRedisShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7803067c-7d34-46e3-8c79-0ca68fc4036d')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureCosmosDBAccountsShouldHaveFirewallRules", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDataFactoryShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b0323be-cc25-4b61-935d-002c3798c6ea", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-8b0323be-cc25-4b61-935d-002c3798c6ea')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureEventGridDomainsShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-9830b652-8523-49cc-b1b3-e17dce1127ca')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureCognitiveSearchServiceShouldUseASKUThatSupportsPrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a049bf77-880b-470f-ba6d-9f21c530cf83')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "ManagementPortsOfVirtualMachinesShouldBeProtectedWithJustInTimeNetworkAccessControl", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b0f33259-77d7-4c9e-aac6-3aabcfae693c')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": 
"PublicNetworkAccessShouldBeDisabledForPostgresqlServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b52376f7-9612-48a1-81cd-1ffe4b61032c')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "EventHubNamespacesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b8564268-eb4a-4337-89be-a19db070c59d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b8564268-eb4a-4337-89be-a19db070c59d')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "NonInternetFacingVirtualMachinesShouldBeProtectedWithNetworkSecurityGroups", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-bb91dfba-c30d-4263-9add-9c2384e659a6')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AppConfigurationShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ca610c1d-041c-4332-9d88-7ed3094967c7')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-cddd188c-4b82-4c48-a19d-ddf74ee66a01')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + 
"policyDefinitionReferenceId": "ContainerRegistriesShouldNotAllowUnrestrictedNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-d0793b48-0edc-4296-a390-4c75d1bdfd71')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PublicNetworkAccessShouldBeDisabledForMysqlServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-d9844e8a-1437-4aeb-a32c-0c992f056095')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "IotHubDeviceProvisioningServiceInstancesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df39c015-56a4-45de-b4a3-efe77bed320d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-df39c015-56a4-45de-b4a3-efe77bed320d')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "SubnetsShouldBeAssociatedWithANetworkSecurityGroup", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-e71308d3-144b-4262-b144-efdc3cc90517')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "ContainerRegistriesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-e8eef0a8-67cf-4eb4-9386-14b0e78733d4')]" + } + }, + "groupNames": [ + "U.07.1 - 
Isolated" + ] + }, + { + "policyDefinitionReferenceId": "AzureCognitiveSearchServicesShouldDisablePublicNetworkAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ee980b6d-0eca-4501-8d54-f6290fd512c3')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "APIManagementServicesShouldUseAVirtualNetwork", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "DiskAccessResourcesShouldUsePrivateLink", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f39f5f49-4abf-44de-8c70-0756997bfb51", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f39f5f49-4abf-44de-8c70-0756997bfb51')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "InternetFacingVirtualMachinesShouldBeProtectedWithNetworkSecurityGroups", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f6de0be7-9a8a-4b8a-b349-43cf02d22f7c')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "PublicNetworkAccessShouldBeDisabledForMariadbServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-fdccbe47-f3e3-4213-ad5d-ea459b2fa077')]" + } + 
}, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilityAssessmentShouldBeEnabledOnYourSQLServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilityAssessmentShouldBeEnabledOnSQLManagedInstance", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1b7aa243-30e4-4c9e-bca8-d0d3022b634a')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilitiesInRunningImagesShouldBeRemediated", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0fc39691-5a3f-4e3e-94ee-2e6447309ad9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilitiesInAzureContainerRegistryImagesShouldBeRemediated", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-5f0f936f-2f01-4bf5-b6be-d423792fa562')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForKeyVaultShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047", + 
"definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-0e6763cc-5078-4e64-889d-ff4d9a839047')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "MicrosoftDefenderForContainersShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-1c988dd6-ade4-430f-a608-2a3e5b0a6d38')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForAppServiceShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-2913021d-f2fd-4f3d-b958-22354e2bdbcb')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForStorageShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForSQLServersOnMachinesShouldBeEnabled", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-6581d072-105e-4418-827f-bd446d56421b')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForDNSShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-bdc59948-5574-49b3-bb91-76b7c986428d')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForResourceManagerShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-c3d20c29-b36d-48fe-808b-99a87530ad99')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "PreviewAzureArcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f", + "definitionVersion": "6.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-8dfab9c4-fe7b-49ad-85e4-1e9be085358f')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": 
"AzureDefenderForSQLShouldBeEnabledForUnprotectedAzureSQLServers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForSQLShouldBeEnabledForUnprotectedSQLManagedInstances", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourVirtualMachineScaleSetsShouldBeRemediated", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "AzureDefenderForAzureSQLDatabaseServersShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7fe3b40f-802b-4cdd-8bd4-fd799c948cc2')]" + } + }, + "groupNames": [ + "U.09.3 - Detection, prevention and recovery", + "U.15.1 - Events logged", + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + 
"policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
+ }
+ },
+ "groupNames": [
+ "U.09.3 - Detection, prevention and recovery",
+ "C.04.3 - Timelines",
+ "C.04.6 - Timelines",
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "EnsureThatHTTPVersionIsTheLatestIfUsedToRunTheFunctionApp",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-e2c1c086-2d84-4019-bff3-c44ccd95113c')]"
+ }
+ },
+ "groupNames": [
+ "U.09.3 - Detection, prevention and recovery",
+ "C.04.3 - Timelines",
+ "C.04.6 - Timelines",
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "KubernetesServicesShouldBeUpgradedToANonVulnerableKubernetesVersion",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-fb893a29-21bb-418c-a157-e99480ec364c')]"
+ }
+ },
+ "groupNames": [
+ "U.09.3 - Detection, prevention and recovery",
+ "C.04.3 - Timelines",
+ "C.04.6 - Timelines",
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "PreviewNetworkTrafficDataCollectionAgentShouldBeInstalledOnLinuxVirtualMachines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-04c4380f-3fae-46e8-96c9-30193528f602')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+
"policyDefinitionReferenceId": "ResourceLogsInAzureDataLakeStoreShouldBeEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-057ef27e-665e-4328-8ea3-04b3122bd9fb')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AccountsWithOwnerPermissionsOnAzureResourcesShouldBeMfaEnabled",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-e3e008c3-56b9-4133-8fd7-d3347377402a')]"
+ }
+ },
+ "groupNames": [
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AccountsWithWritePermissionsOnAzureResourcesShouldBeMfaEnabled",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-931e118d-50a1-4457-a5e4-78550e086c52')]"
+ }
+ },
+ "groupNames": [
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent",
+ "U.11.1 - Policy",
+ "U.11.2 - Cryptographic measures"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AccountsWithReadPermissionsOnAzureResourcesShouldBeMfaEnabled",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4')]"
+ }
+ },
+ "groupNames": [
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
+ "definitionVersion": "1.*.*",
+
"policyDefinitionReferenceId": "AzurePrivateLinkLetsYouConnectYourVirtualNetworkToAzureServicesWithoutAPublicIpAddressAtTheSourceOrDestinationThePrivateLinkPlatformHandlesTheConnectivityBetweenTheConsumerAndServicesOverTheAzureBackboneNetworkByMappingPrivateEndpointsToAzureMachineLearningWorkspacesDataLeakageRisksAreReducedLearnMoreAboutPrivateLinksAtHttpsDocsMicrosoftComAzureMachineLearningHowToConfigurePrivateLink",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-45e05259-1eb5-4f70-9574-baf73e9d219b')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzurePrivateLinkLetsYouConnectYourVirtualNetworkToAzureServicesWithoutAPublicIpAddressAtTheSourceOrDestinationThePrivateLinkPlatformHandlesTheConnectivityBetweenTheConsumerAndServicesOverTheAzureBackboneNetworkByMappingPrivateEndpointsToYourAzureSignalRServiceResourceInsteadOfTheEntireServiceYouLlReduceYourDataLeakageRisksLearnMoreAboutPrivateLinksAtHttpsAkaMsAsrsPrivatelink",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-2393d2cf-a342-44cd-a2e2-fe0188fd1234')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureKeyVaultsShouldUsePrivateLink",
+ "parameters": {
+ "audit_effect": {
+ "value": "[parameters('audit_effect')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureWebPubSubServiceShouldUsePrivateLink",
+ "parameters": {
+ "effect": {
+ "value":
"[parameters('effect-eb907f70-7514-460d-92b3-a5ae93b4f917')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "BlockedAccountsWithOwnerPermissionsOnAzureResourcesShouldBeRemoved",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-0cfea604-3201-4e14-88fc-fae4c427a6c5')]"
+ }
+ },
+ "groupNames": [
+ "U.07.3 - Management features",
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "GuestAccountsWithReadPermissionsOnAzureResourcesShouldBeRemoved",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-e9ac8f8e-ce22-4355-8f04-99b911d6be52')]"
+ }
+ },
+ "groupNames": [
+ "U.07.3 - Management features",
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "GuestAccountsWithWritePermissionsOnAzureResourcesShouldBeRemoved",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-94e1c2ac-cbbe-4cac-a2b5-389c812dee87')]"
+ }
+ },
+ "groupNames": [
+ "U.07.3 - Management features",
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "GuestAccountsWithOwnerPermissionsOnAzureResourcesShouldBeRemoved",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-339353f6-2387-4a45-abe4-7f529d121046')]"
+ }
+ },
+ "groupNames": [
+ "U.07.3 -
Management features",
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "BlockedAccountsWithReadAndWritePermissionsOnAzureResourcesShouldBeRemoved",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-8d7e1fde-fe26-4b5f-8108-f8e432cbc2be')]"
+ }
+ },
+ "groupNames": [
+ "U.07.3 - Management features",
+ "U.10.2 - Users",
+ "U.10.3 - Users",
+ "U.10.5 - Competent"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3",
+ "definitionVersion": "2.*.*-preview",
+ "policyDefinitionReferenceId": "EnableVirtualTpmDeviceOnSupportedVirtualMachinesToFacilitateMeasuredBootAndOtherOsSecurityFeaturesThatRequireATpmOnceEnabledVTpmCanBeUsedToAttestBootIntegrityThisAssessmentOnlyAppliesToTrustedLaunchEnabledVirtualMachines",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-1c30f9cd-b84c-49cc-aa2c-9288447cc3b3')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121",
+ "definitionVersion": "4.*.*-preview",
+ "policyDefinitionReferenceId": "EnableSecureBootOnSupportedWindowsVirtualMachinesToMitigateAgainstMaliciousAndUnauthorizedChangesToTheBootChainOnceEnabledOnlyTrustedBootloadersKernelAndKernelDriversWillBeAllowedToRunThisAssessmentAppliesToTrustedLaunchAndConfidentialWindowsVirtualMachines",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-97566dd7-78ae-4997-8b36-1c7bfe0d8121')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff",
+
"definitionVersion": "6.*.*-preview",
+ "policyDefinitionReferenceId": "InstallGuestAttestationExtensionOnSupportedLinuxVirtualMachinesToAllowAzureSecurityCenterToProactivelyAttestAndMonitorTheBootIntegrityOnceInstalledBootIntegrityWillBeAttestedViaRemoteAttestationThisAssessmentAppliesToTrustedLaunchAndConfidentialLinuxVirtualMachines",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-672fe5a1-2fcd-42d7-b85d-902b6e28c6ff')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda",
+ "definitionVersion": "5.*.*-preview",
+ "policyDefinitionReferenceId": "InstallGuestAttestationExtensionOnSupportedLinuxVirtualMachinesScaleSetsToAllowAzureSecurityCenterToProactivelyAttestAndMonitorTheBootIntegrityOnceInstalledBootIntegrityWillBeAttestedViaRemoteAttestationThisAssessmentAppliesToTrustedLaunchAndConfidentialLinuxVirtualMachineScaleSets",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-a21f8c92-9e22-4f09-b759-50500d1d2dda')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
+ "definitionVersion": "4.*.*-preview",
+ "policyDefinitionReferenceId": "InstallGuestAttestationExtensionOnSupportedVirtualMachinesToAllowAzureSecurityCenterToProactivelyAttestAndMonitorTheBootIntegrityOnceInstalledBootIntegrityWillBeAttestedViaRemoteAttestationThisAssessmentAppliesToTrustedLaunchAndConfidentialWindowsVirtualMachines",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-1cb4d9c2-f88f-4069-bee0-dba239a57b09')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId":
"/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42",
+ "definitionVersion": "3.*.*-preview",
+ "policyDefinitionReferenceId": "InstallGuestAttestationExtensionOnSupportedVirtualMachinesScaleSetsToAllowAzureSecurityCenterToProactivelyAttestAndMonitorTheBootIntegrityOnceInstalledBootIntegrityWillBeAttestedViaRemoteAttestationThisAssessmentAppliesToTrustedLaunchAndConfidentialWindowsVirtualMachineScaleSets",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-f655e522-adff-494d-95c2-52d4f6d56a42')]"
+ }
+ },
+ "groupNames": [
+ "U.05.2 - Cryptographic measures",
+ "U.11.3 - Encrypted"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureKubernetesServiceSResourceLogsCanHelpRecreateActivityTrailsWhenInvestigatingSecurityIncidentsEnableItToMakeSureTheLogsWillExistWhenNeeded",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-245fc9df-fa96-4414-9a0b-3738c2f7341c')]"
+ },
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce",
+ "definitionVersion": "2.*.*",
+ "policyDefinitionReferenceId": "DisablingPublicNetworkAccessImprovesSecurityByEnsuringThatTheMachineLearningWorkspacesArenTExposedOnThePublicInternetYouCanControlExposureOfYourWorkspacesByCreatingPrivateEndpointsInsteadLearnMoreAtHttpsLearnMicrosoftComAzureMachineLearningHowToConfigurePrivateLinkViewAzuremlApi_2TabsAzurePortal",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-438c38d2-3772-465a-a9cc-7a6666a275ce')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId":
"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureVirtualNetworksProvideEnhancedSecurityAndIsolationForYourAzureMachineLearningComputeClustersAndInstancesAsWellAsSubnetsAccessControlPoliciesAndOtherFeaturesToFurtherRestrictAccessWhenAComputeIsConfiguredWithAVirtualNetworkItIsNotPubliclyAddressableAndCanOnlyBeAccessedFromVirtualMachinesAndApplicationsWithinTheVirtualNetwork",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-7804b5c7-01dc-4723-969b-ae300cc07ff1')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "DisablingPublicNetworkAccessImprovesSecurityByEnsuringThatTheResourceIsnTExposedOnThePublicInternetYouCanControlExposureOfYourResourcesByCreatingPrivateEndpointsInsteadLearnMoreAtHttpsLearnMicrosoftComAzureDatabricksAdministrationGuideCloudConfigurationsAzurePrivateLink",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-0e7849de-b939-4c50-ab48-fc6b0f5eeba2')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "DisablingPublicIpOfClustersInAzureDatabricksWorkspacesImprovesSecurityByEnsuringThatTheClustersArenTExposedOnThePublicInternetLearnMoreAtHttpsLearnMicrosoftComAzureDatabricksSecuritySecureClusterConnectivity",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-51c1490f-3319-459c-bbbc-7f391bbed753')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/258823f2-4595-4b52-b333-cc96192710d8",
+ "definitionVersion": "1.*.*",
+
"policyDefinitionReferenceId": "AzurePrivateLinkLetsYouConnectYourVirtualNetworksToAzureServicesWithoutAPublicIpAddressAtTheSourceOrDestinationThePrivateLinkPlatformHandlesTheConnectivityBetweenTheConsumerAndServicesOverTheAzureBackboneNetworkByMappingPrivateEndpointsToAzureDatabricksWorkspacesYouCanReduceDataLeakageRisksLearnMoreAboutPrivateLinksAtHttpsAkaMsAdbpe",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-258823f2-4595-4b52-b333-cc96192710d8')]"
+ }
+ },
+ "groupNames": [
+ "U.07.1 - Isolated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureDatabaseForMariaDbAllowsYouToChooseTheRedundancyOptionForYourDatabaseServerItCanBeSetToAGeoRedundantBackupStorageInWhichTheDataIsNotOnlyStoredWithinTheRegionInWhichYourServerIsHostedButIsAlsoReplicatedToAPairedRegionToProvideRecoveryOptionInCaseOfARegionFailureConfiguringGeoRedundantStorageForBackupIsOnlyAllowedDuringServerCreate",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-0ec47710-77ff-4a3d-9181-6aa50af424d0')]"
+ }
+ },
+ "groupNames": [
+ "U.03 - Business Continuity services"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureDatabaseForPostgreSqlAllowsYouToChooseTheRedundancyOptionForYourDatabaseServerItCanBeSetToAGeoRedundantBackupStorageInWhichTheDataIsNotOnlyStoredWithinTheRegionInWhichYourServerIsHostedButIsAlsoReplicatedToAPairedRegionToProvideRecoveryOptionInCaseOfARegionFailureConfiguringGeoRedundantStorageForBackupIsOnlyAllowedDuringServerCreate",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-48af4db5-9b8b-401c-8e74-076be876a430')]"
+ }
+ },
+ "groupNames": [
+ "U.03 - Business Continuity services"
+ ]
+ },
+ {
+ "policyDefinitionId":
"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzureDatabaseForMySqlAllowsYouToChooseTheRedundancyOptionForYourDatabaseServerItCanBeSetToAGeoRedundantBackupStorageInWhichTheDataIsNotOnlyStoredWithinTheRegionInWhichYourServerIsHostedButIsAlsoReplicatedToAPairedRegionToProvideRecoveryOptionInCaseOfARegionFailureConfiguringGeoRedundantStorageForBackupIsOnlyAllowedDuringServerCreate",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-82339799-d096-41ae-8538-b108becf0970')]"
+ }
+ },
+ "groupNames": [
+ "U.03 - Business Continuity services"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "AzurePolicyAddOnForKubernetesServiceAksExtendsGatekeeperV3AnAdmissionControllerWebhookForOpenPolicyAgentOpaToApplyAtScaleEnforcementsAndSafeguardsOnYourClustersInACentralizedConsistentManner",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-0a15ec92-a229-4763-bb14-0ea34a568f8d')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
+ "definitionVersion": "9.*.*",
+ "policyDefinitionReferenceId": "UseImagesFromTrustedRegistriesToReduceTheKubernetesClusterSExposureRiskToUnknownVulnerabilitiesSecurityIssuesAndMaliciousImagesThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-febd0533-8e55-448f-b837-bd0e06f16469')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+
"allowedContainerImagesRegex": {
+ "value": "[parameters('allowedContainerImagesRegex')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "definitionVersion": "9.*.*",
+ "policyDefinitionReferenceId": "DoNotAllowPrivilegedContainersCreationInAKubernetesClusterThisRecommendationIsPartOfCis_5_2_1WhichIsIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-95edb821-ddaf-4404-9732-666045e056b4')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
+ "definitionVersion": "8.*.*",
+ "policyDefinitionReferenceId": "RestrictServicesToListenOnlyOnAllowedPortsToSecureAccessToTheKubernetesClusterThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-233a2a17-77ca-4fb1-9b6b-69223d272a44')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "allowedServicePortsList": {
+ "value":
"[parameters('allowedServicePortsList')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
+ "definitionVersion": "9.*.*",
+ "policyDefinitionReferenceId": "EnforceContainerCpuAndMemoryResourceLimitsToPreventResourceExhaustionAttacksInAKubernetesClusterThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-e345eecc-fa47-480f-9e88-67dcc122b164')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "cpuLimit": {
+ "value": "[parameters('cpuLimit')]"
+ },
+ "memoryLimit": {
+ "value": "[parameters('memoryLimit')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
+ "definitionVersion": "6.*.*",
+ "policyDefinitionReferenceId": "ControlTheUserPrimaryGroupSupplementalGroupAndFileSystemGroupIDsThatPodsAndContainersCanUseToRunInAKubernetesClusterThisRecommendationIsPartOfPodSecurityPoliciesWhichAreIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+
"value": "[parameters('labelSelector')]"
+ },
+ "runAsUserRule": {
+ "value": "[parameters('runAsUserRule')]"
+ },
+ "runAsUserRanges": {
+ "value": "[parameters('runAsUserRanges')]"
+ },
+ "runAsGroupRule": {
+ "value": "[parameters('runAsGroupRule')]"
+ },
+ "runAsGroupRanges": {
+ "value": "[parameters('runAsGroupRanges')]"
+ },
+ "supplementalGroupsRule": {
+ "value": "[parameters('supplementalGroupsRule')]"
+ },
+ "supplementalGroupsRanges": {
+ "value": "[parameters('supplementalGroupsRanges')]"
+ },
+ "fsGroupRule": {
+ "value": "[parameters('fsGroupRule')]"
+ },
+ "fsGroupRanges": {
+ "value": "[parameters('fsGroupRanges')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "definitionVersion": "7.*.*",
+ "policyDefinitionReferenceId": "DoNotAllowContainersToRunWithPrivilegeEscalationToRootInAKubernetesClusterThisRecommendationIsPartOfCis_5_2_5WhichIsIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
+
"definitionVersion": "5.*.*",
+ "policyDefinitionReferenceId": "BlockPodContainersFromSharingTheHostProcessIdNamespaceAndHostIpcNamespaceInAKubernetesClusterThisRecommendationIsPartOfCis_5_2_2AndCis_5_2_3WhichAreIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
+ "definitionVersion": "6.*.*",
+ "policyDefinitionReferenceId": "RunContainersWithAReadOnlyRootFileSystemToProtectFromChangesAtRunTimeWithMaliciousBinariesBeingAddedToPathInAKubernetesClusterThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-df49d893-a74c-421d-bc95-c663042e5b80')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
+ "definitionVersion": "6.*.*",
+
"policyDefinitionReferenceId": "RestrictTheCapabilitiesToReduceTheAttackSurfaceOfContainersInAKubernetesClusterThisRecommendationIsPartOfCis_5_2_8AndCis_5_2_9WhichAreIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "allowedCapabilities": {
+ "value": "[parameters('allowedCapabilities')]"
+ },
+ "requiredDropCapabilities": {
+ "value": "[parameters('requiredDropCapabilities')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
+ "definitionVersion": "6.*.*",
+ "policyDefinitionReferenceId": "ContainersShouldOnlyUseAllowedAppArmorProfilesInAKubernetesClusterThisRecommendationIsPartOfPodSecurityPoliciesWhichAreIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-511f5417-5d12-434d-ab2e-816901e72a5e')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "allowedProfiles": {
+ "value": "[parameters('allowedProfiles')]"
+ },
+ "excludedContainers": {
+ "value":
"[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
+ "definitionVersion": "6.*.*",
+ "policyDefinitionReferenceId": "RestrictPodAccessToTheHostNetworkAndTheAllowableHostPortRangeInAKubernetesClusterThisRecommendationIsPartOfCis_5_2_4WhichIsIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndPreviewForAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "allowHostNetwork": {
+ "value": "[parameters('allowHostNetwork')]"
+ },
+ "minPort": {
+ "value": "[parameters('minPort')]"
+ },
+ "maxPort": {
+ "value": "[parameters('maxPort')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
+ "definitionVersion": "6.*.*",
+ "policyDefinitionReferenceId": "LimitPodHostPathVolumeMountsToTheAllowedHostPathsInAKubernetesClusterThisRecommendationIsPartOfPodSecurityPoliciesWhichAreIntendedToImproveTheSecurityOfYourKubernetesEnvironmentsThisPolicyIsGenerallyAvailableForKubernetesServiceAksAndAzureArcEnabledKubernetesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-098fc59e-46c7-4d99-9b16-64990e543d75')]"
+ },
+
"excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ },
+ "allowedHostPaths": {
+ "value": "[parameters('allowedHostPaths')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
+ "definitionVersion": "4.*.*",
+ "policyDefinitionReferenceId": "PreventUsageOfTheDefaultNamespaceInKubernetesClustersToProtectAgainstUnauthorizedAccessForConfigMapPodSecretServiceAndServiceAccountResourceTypesForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-9f061a12-e40d-4183-a00e-171812443373')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ }
+ },
+ "groupNames": [
+ "C.04.7 - Evaluated"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423",
+ "definitionVersion": "4.*.*",
+ "policyDefinitionReferenceId": "DisableAutomountingApiCredentialsToPreventAPotentiallyCompromisedPodResourceToRunApiCommandsAgainstKubernetesClustersForMoreInformationSeeHttpsAkaMsKubepolicydoc",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-423dd1ba-798e-40e4-9c4d-b6902674b423')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector')]"
+ }
+ },
+
"groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626", + "definitionVersion": "5.*.*", + "policyDefinitionReferenceId": "ToReduceTheAttackSurfaceOfYourContainersRestrictCapSysAdminLinuxCapabilitiesForMoreInformationSeeHttpsAkaMsKubepolicydoc", + "parameters": { + "effect": { + "value": "[parameters('effect-d2e7ea85-6b44-4317-a0be-1b951587f626')]" + }, + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces')]" + }, + "namespaces": { + "value": "[parameters('namespaces')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector')]" + }, + "excludedContainers": { + "value": "[parameters('excludedContainers')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages')]" + } + }, + "groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "ToProvideGranularFilteringOnTheActionsThatUsersCanPerformUseRoleBasedAccessControlRbacToManagePermissionsInKubernetesServiceClustersAndConfigureRelevantAuthorizationPolicies", + "parameters": { + "effect": { + "value": "[parameters('effect-ac4a19c2-fa67-49b4-8ae5-0b2e78c49457')]" + } + }, + "groupNames": [ + "U.10.5 - Competent", + "U.10.3 - Users", + "U.07.3 - Management features", + "U.10.2 - Users" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c25c9e4-ee12-4882-afd2-11fb9d87893f", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "AzureVirtualNetworksProvideEnhancedSecurityAndIsolationForYourAzureDatabricksWorkspacesAsWellAsSubnetsAccessControlPoliciesAndOtherFeaturesToFurtherRestrictAccessLearnMoreAtHttpsDocsMicrosoftComAzureDatabricksAdministrationGuideCloudConfigurationsAzureVnetInject", + "parameters": { + "effect": { + "value": 
"[parameters('effect-9c25c9e4-ee12-4882-afd2-11fb9d87893f')]" + } + }, + "groupNames": [ + "U.07.1 - Isolated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "RemoteDebuggingRequiresInboundPortsToBeOpenedOnFunctionAppsRemoteDebuggingShouldBeTurnedOff", + "parameters": { + "effect": { + "value": "[parameters('effect-0e60b895-3786-45da-8377-9c6b4b6ac5f9')]" + } + }, + "groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "RemoteDebuggingRequiresInboundPortsToBeOpenedOnAnAppServiceAppRemoteDebuggingShouldBeTurnedOff", + "parameters": { + "effect": { + "value": "[parameters('effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71')]" + } + }, + "groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "CrossOriginResourceSharingCorsShouldNotAllowAllDomainsToAccessYourFunctionAppAllowOnlyRequiredDomainsToInteractWithYourFunctionApp", + "parameters": { + "effect": { + "value": "[parameters('effect-0820b7b9-23aa-4725-a1ce-ae4558f718e5')]" + } + }, + "groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "CrossOriginResourceSharingCorsShouldNotAllowAllDomainsToAccessYourAppAllowOnlyRequiredDomainsToInteractWithYourApp", + "parameters": { + "effect": { + "value": "[parameters('effect-5744710e-cc2f-4ee8-8809-3b11e89f4bc9')]" + } + }, + "groupNames": [ + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "SqlVulnerabilityAssessmentScansYourDatabaseForSecurityVulnerabilitiesAndExposesAnyDeviationsFromBestPracticesSuchAsMisconfigurationsExcessivePermissionsAndUnprotectedSensitiveDataResolvingTheVulnerabilitiesFoundCanGreatlyImproveYourDatabaseSecurityPosture", + "parameters": { + "effect": { + "value": "[parameters('effect-6ba6d016-e7c3-4842-b8f2-4992ebc0d72d')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated", + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933", + "definitionVersion": "3.*.*", + "policyDefinitionReferenceId": "AuditVulnerabilitiesInSecurityConfigurationOnMachinesWithDockerInstalledAndDisplayAsRecommendationsInAzureSecurityCenter", + "parameters": { + "effect": { + "value": "[parameters('effect-e8cbc669-f12d-49eb-93e7-9273119e9933')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated", + "C.04.8 - Evaluated", + "U.09.3 - Detection, prevention and recovery" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "ToEnsureTheRelevantPeopleInYourOrganizationAreNotifiedWhenThereIsAPotentialSecurityBreachInOneOfYourSubscriptionsSetASecurityContactToReceiveEmailNotificationsFromSecurityCenter", + "parameters": { + "effect": { + "value": "[parameters('effect-4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')]" + } + }, + "groupNames": [ + "C.05.5 - Monitored and reported" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899", + "definitionVersion": "1.*.*", + 
"policyDefinitionReferenceId": "ToEnsureTheRelevantPeopleInYourOrganizationAreNotifiedWhenThereIsAPotentialSecurityBreachInOneOfYourSubscriptionsEnableEmailNotificationsForHighSeverityAlertsInSecurityCenter", + "parameters": { + "effect": { + "value": "[parameters('effect-6e2593d9-add6-4083-9c9b-4b7d2188c899')]" + } + }, + "groupNames": [ + "C.05.5 - Monitored and reported" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "ToEnsureYourSubscriptionOwnersAreNotifiedWhenThereIsAPotentialSecurityBreachInTheirSubscriptionSetEmailNotificationsToSubscriptionOwnersForHighSeverityAlertsInSecurityCenter", + "parameters": { + "effect": { + "value": "[parameters('effect-0b15565f-aa9e-48ba-8619-45960f2c314d')]" + } + }, + "groupNames": [ + "C.05.5 - Monitored and reported" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "AuditEnablingOfResourceLogsOnTheAppThisEnablesYouToRecreateActivityTrailsForInvestigationPurposesIfASecurityIncidentOccursOrYourNetworkIsCompromised", + "parameters": { + "effect": { + "value": "[parameters('effect-91a78b24-f231-4a8a-8da9-02c35b2b6510')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "ResourceLogsEnableRecreatingActivityTrailsToUseForInvestigationPurposesWhenASecurityIncidentOccursOrWhenYourNetworkIsCompromised", + "parameters": { + "effect": { + "value": "[parameters('effect-afe0c3be-ba3b-4544-ba52-0c99672a8ad6')]" + }, + "requiredRetentionDays": { + "value": 
"[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/138ff14d-b687-4faa-a81c-898c91a87fa2", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "ResourceLogsInAzureDatabricksWorkspacesShouldBeEnabled", + "parameters": { + "effect": { + "value": "[parameters('effect-138ff14d-b687-4faa-a81c-898c91a87fa2')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609", + "definitionVersion": "3.*.*", + "policyDefinitionReferenceId": "ClientCertificatesAllowForTheAppToRequestACertificateForIncomingRequestsOnlyClientsThatHaveAValidCertificateWillBeAbleToReachTheApp", + "parameters": { + "effect": { + "value": "[parameters('effect-5bb220d9-2698-4ee4-8404-b9c30c9df609')]" + } + }, + "groupNames": [ + "U.10.3 - Users" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c", + "definitionVersion": "3.*.*", + "policyDefinitionReferenceId": "ClientCertificatesAllowForTheAppToRequestACertificateForIncomingRequestsOnlyClientsWithValidCertificatesWillBeAbleToReachTheApp", + "parameters": { + "effect": { + "value": "[parameters('effect-eaebaea7-8013-4ceb-9d14-7eb32271373c')]" + } + }, + "groupNames": [ + "U.10.3 - Users" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743", + "definitionVersion": "3.*.*", + "policyDefinitionReferenceId": 
"ForIncidentInvestigationPurposesWeRecommendSettingTheDataRetentionForYourSqlServerAuditingToStorageAccountDestinationToAtLeast_90DaysConfirmThatYouAreMeetingTheNecessaryRetentionRulesForTheRegionsInWhichYouAreOperatingThisIsSometimesRequiredForComplianceWithRegulatoryStandards", + "parameters": { + "effect": { + "value": "[parameters('effect-89099bee-89e0-4b26-a5f4-165451757743')]" + } + }, + "groupNames": [ + "U.10.3 - Users" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", + "definitionVersion": "2.*.*", + "policyDefinitionReferenceId": "DisablingLocalAuthenticationMethodsImprovesSecurityByEnsuringThatMachineLearningComputesRequireAzureActiveDirectoryIdentitiesExclusivelyForAuthenticationLearnMoreAtHttpsAkaMsAzureMlAadPolicy", + "parameters": { + "effect": { + "value": "[parameters('effect-e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f')]" + } + }, + "groupNames": [ + "U.10.2 - Users", + "U.10.3 - Users", + "U.10.5 - Competent" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "EnsureAzureMachineLearningComputeInstancesRunOnTheLatestAvailableOperatingSystemSecurityIsImprovedAndVulnerabilitiesReducedByRunningWithTheLatestSecurityPatchesForMoreInformationVisitHttpAkaMsAzuremlCiUpdates", + "parameters": { + "effects": { + "value": "[parameters('effects')]" + } + }, + "groupNames": [ + "C.04.6 - Timelines" + ] + }, + { + "policyDefinitionReferenceId": "PreviewNetworkTrafficDataCollectionAgentShouldBeInstalledOnWindowsVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-2f2ee1de-44aa-4762-b6bd-0893fc3f306d')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, 
+ {
+ "policyDefinitionReferenceId": "ResourceLogsInLogicAppsShouldBeEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-34f95f76-5386-4de7-b824-0d8478470c9d')]"
+ },
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "ResourceLogsInIotHubShouldBeEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-383856f8-de7f-44a2-81fc-e5135b5c2aa4')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "ResourceLogsInBatchAccountsShouldBeEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-428256e6-1fac-4f48-a757-df34c2b3336d')]"
+ },
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "AutoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscription",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect-475aae12-b88a-4572-8b36-9b712b2b3a17')]"
+ }
+ },
+ "groupNames": [
+ "U.15.1 - Events logged"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "ResourceLogsInEventHubShouldBeEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
+ 
"definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-83a214f7-d01a-484b-91a9-ed54470c9a6a')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "PreviewLogAnalyticsExtensionShouldBeInstalledOnYourLinuxAzureArcMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-842c54e8-c2f9-4d79-ae8d-38d8b8019373')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "LogAnalyticsAgentShouldBeInstalledOnYourVirtualMachineForAzureSecurityCenterMonitoring", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-a4fe33eb-e377-4efb-ab31-0784311bc499')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "GuestConfigurationExtensionShouldBeInstalledOnYourMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-ae89ebca-1c92-4898-ac2c-9f63decb045c')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "ResourceLogsInSearchServicesShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b4330a05-a843-4bc8-bf9a-cacce50c67f4')]" + }, + "requiredRetentionDays": { + "value": 
"[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "NetworkWatcherShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "ResourceLogsInDataLakeAnalyticsShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-c95c74d9-38fe-4f0d-af86-0c7d626a315c')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "ResourceLogsInKeyVaultShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-cf820ca0-f99e-4f3e-84fb-66e913812d21')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "VirtualMachinesGuestConfigurationExtensionShouldBeDeployedWithSystemAssignedManagedIdentity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-d26f7642-7545-4e18-9b75-8c9bbdee3a9a')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": 
"PreviewLogAnalyticsExtensionShouldBeInstalledOnYourWindowsAzureArcMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e", + "definitionVersion": "1.*.*-preview", + "parameters": { + "effect": { + "value": "[parameters('effect-d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b", + "definitionVersion": "1.*.*", + "policyDefinitionReferenceId": "LogAnalyticsAgentShouldBeInstalledOnYourVirtualMachineScaleSetsForAzureSecurityCenterMonitoring", + "parameters": { + "effect": { + "value": "[parameters('effect-a3a6ea0c-e018-4933-9ef0-5aaa1501449b')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "ResourceLogsInServiceBusShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f8d36e2f-389b-4ee4-898d-21aeb69a0f45')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "ResourceLogsInAzureStreamAnalyticsShouldBeEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46", + "definitionVersion": "5.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-f9be5368-9bf5-4b84-9e0a-7850da98bb46')]" + }, + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + } + }, + "groupNames": [ + "U.15.1 - Events logged" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebApp", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-496223c3-ad65-4ecd-878a-bae78737e9ed')]" + }, + "LinuxJavaVersion": { + "value": "[parameters('LinuxJavaVersion')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7008174a-fd10-4ef0-817e-fc820a951d73')]" + }, + "LinuxPythonVersion": { + "value": "[parameters('LinuxPythonVersion')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7238174a-fd10-4ef0-817e-fc820a951d73')]" + }, + "LinuxPythonVersion": { + "value": "[parameters('LinuxPythonVersion')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWebApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-7261b898-8a84-4db8-9e04-18527132abb3')]" + }, + "LinuxPHPVersion": { + "value": "[parameters('LinuxPHPVersion')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + 
"C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatHTTPVersionIsTheLatestIfUsedToRunTheWebApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae", + "definitionVersion": "4.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-8c122334-9d20-4eb8-89ea-ac9a705b74ae')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + }, + { + "policyDefinitionReferenceId": "EnsureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionApp", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc", + "definitionVersion": "3.*.*", + "parameters": { + "effect": { + "value": "[parameters('effect-9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc')]" + }, + "LinuxJavaVersion": { + "value": "[parameters('LinuxJavaVersion')]" + } + }, + "groupNames": [ + "C.04.3 - Timelines", + "C.04.6 - Timelines", + "C.04.7 - Evaluated" + ] + } + ] + }, + "id": "/providers/Microsoft.Authorization/policySetDefinitions/6ce73208-883e-490f-a2ac-44aac3b3687f", + "name": "6ce73208-883e-490f-a2ac-44aac3b3687f" +} \ No newline at end of file