diff --git a/built-in-policies/policyDefinitions/API Management/ApiManagement_PlatformVersion_AuditDeny.json b/built-in-policies/policyDefinitions/API Management/ApiManagement_PlatformVersion_AuditDeny.json
new file mode 100644
index 000000000..66c19428d
--- /dev/null
+++ b/built-in-policies/policyDefinitions/API Management/ApiManagement_PlatformVersion_AuditDeny.json
@@ -0,0 +1,47 @@
+{
+ "properties": {
+ "displayName": "Azure API Management platform version should be stv2",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "API Management"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.ApiManagement/service"
+ },
+ {
+ "field": "Microsoft.ApiManagement/service/platformVersion",
+ "equals": "stv1"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/1dc2fc00-2245-4143-99f4-874c937f13ef",
+ "name": "1dc2fc00-2245-4143-99f4-874c937f13ef"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
index 9a761dcc8..2c240d7f3 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
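Review bot: `platformVersion` looks like a platform-assigned property rather than one submitted in the request body, so with `Deny` selected the rule may never fire on create requests and only act on updates to existing stv1 instances; this should be confirmed and, if so, stated in the description so assigners do not expect `Deny` to block new stv1 deployments. The display name says the platform "should be stv2" while the rule only flags `"equals": "stv1"`, so any other reported value is compliant; if that is the intended scope (the retirement notice concerns stv1 only) the wording `Azure API Management instances should not use the stv1 platform version` would match the rule more precisely.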
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
@@ -3,12 +3,12 @@
 "displayName": "Kubernetes cluster containers should only use allowed images",
 "policyType": "BuiltIn",
 "mode": "Microsoft.Kubernetes.Data",
- "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "10.1.0",
+ "version": "10.1.1",
 "category": "Kubernetes"
 },
- "version": "10.1.0",
+ "version": "10.1.1",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/ElasticSan/ElasticSan_VolumeGroup_Encryption_Audit.json b/built-in-policies/policyDefinitions/ElasticSan/ElasticSan_VolumeGroup_Encryption_Audit.json
new file mode 100644
index 000000000..b7990aac4
--- /dev/null
+++ b/built-in-policies/policyDefinitions/ElasticSan/ElasticSan_VolumeGroup_Encryption_Audit.json
@@ -0,0 +1,46 @@
+{
+ "properties": {
+ "displayName": "ElasticSan Volume Group should use customer-managed keys to encrypt data at rest",
+ "policyType": "BuiltIn",
+ "mode": "All",
+ "description": "Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "ElasticSan"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.ElasticSan/elasticSans/volumeGroups"
+ },
+ {
+ "field": "Microsoft.ElasticSan/elasticSans/volumeGroups/encryption",
+ "notEquals": "EncryptionAtRestWithCustomerManagedKey"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/7698f4ed-80ce-4e13-b408-ee135fa400a5",
+ "name": "7698f4ed-80ce-4e13-b408-ee135fa400a5"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
index b7efdfc2f..f94fa66c4 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
@@ -3,12 +3,12 @@
 "displayName": "Kubernetes cluster containers should only use allowed images",
 "policyType": "BuiltIn",
 "mode": "Microsoft.Kubernetes.Data",
- "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "9.1.0",
+ "version": "9.1.1",
 "category": "Kubernetes"
 },
- "version": "9.1.0",
+ "version": "9.1.1",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Security Center/DeployAtpOnPostgreSqlFlexibleServers_Deploy.json b/built-in-policies/policyDefinitions/Security Center/DeployAtpOnPostgreSqlFlexibleServers_Deploy.json
new file mode 100644
index 000000000..fc15e7059
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Security Center/DeployAtpOnPostgreSqlFlexibleServers_Deploy.json
@@ -0,0 +1,80 @@
+{
+ "properties": {
+ "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleservers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforPostgreSQL/flexibleservers/advancedThreatProtectionSettings",
+ "name": "Default",
+ "evaluationDelay": "AfterProvisioning",
+ "existenceCondition": {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/state",
+ "equals": "Enabled"
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "serverName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('serverName'), '/Default')]",
+ "type": "Microsoft.DBforPostgreSQL/flexibleservers/advancedThreatProtectionSettings",
+ "apiVersion": "2023-06-01-preview",
+ "properties": {
+ "state": "Enabled"
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "serverName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/2a6ae02f-7590-40d7-88ba-b18e205a32fd",
+ "name": "2a6ae02f-7590-40d7-88ba-b18e205a32fd"
+}
\ No newline at end of file
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
index 1a9892c6e..7f1d9bd75 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "47.9.0",
+ "version": "47.10.0",
 "category": "Security Center"
 },
- "version": "47.9.0",
+ "version": "47.10.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
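Review bot: The remediation identity is granted `b24988ac-6180-42a0-ab88-20f7382dd24c`, which is the built-in Contributor role, in order to write one `advancedThreatProtectionSettings` child resource; that is far broader than the deployment needs, so `roleDefinitionIds` should carry the narrowest built-in role that can write that resource type if one exists, or the reason Contributor is required should be recorded in the definition's description. The resource type is spelled `flexibleservers` in the `if` condition, `details.type` and the template but `flexibleServers` in the `existenceCondition` alias; matching is case-insensitive as far as I know, but one spelling throughout removes the doubt. The template also pins `"apiVersion": "2023-06-01-preview"`, and shipping a preview API in a BuiltIn definition deserves a follow-up to move to a GA version once one is published.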
@@ -4408,6 +4408,30 @@
 "description": "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Qualys)"
 }
 },
+ "azureContainerRegistryVulnerabilityAssessmentEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
+ "description": "Enable or disable monitoring of Azure container registries by Microsoft Defender for Cloud vulnerability assessment (powered by Microsoft Defender Vulnerability Management)"
+ }
+ },
+ "kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Vulnerabilities in running images should be remediated",
+ "description": "Enable or disable monitoring of Kubernetes Service clusters by Defender for Containers running images vulnerability assessment"
+ }
+ },
 "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect": {
 "type": "string",
 "defaultValue": "Audit",
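Review bot: The new `azureContainerRegistryVulnerabilityAssessmentEffect` parameter's displayName, `Vulnerabilities in Azure Container Registry images should be remediated`, presumably mirrors the title of the Qualys-powered parameter immediately above it (that parameter's displayName is outside the hunk), leaving only the description to tell two effect parameters apart in the assignment UI. Appending the engine to the title, e.g. `"displayName": "Vulnerabilities in Azure Container Registry images should be remediated (powered by Microsoft Defender Vulnerability Management)"`, would make the pair distinguishable at a glance; the same consideration applies to `kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect` if an older counterpart exists. These parameters are consumed by the references added in the hunk at `@@ -4788,6 +4812,34 @@` below.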
@@ -4788,6 +4812,34 @@
 "Azure_Security_Benchmark_v3.0_DS-6"
 ]
 },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "azureContainerRegistryVulnerabilityAssessment",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureContainerRegistryVulnerabilityAssessmentEffect')]"
+ }
+ },
+ "groupNames": [
+ "Azure_Security_Benchmark_v3.0_PV-6",
+ "Azure_Security_Benchmark_v3.0_DS-6"
+ ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "kubernetesRunningImagesVulnerabilityMDVMAssessment",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect')]"
+ }
+ },
+ "groupNames": [
+ "Azure_Security_Benchmark_v3.0_PV-6",
+ "Azure_Security_Benchmark_v3.0_DS-6"
+ ]
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
 "definitionVersion": "1.*.*",
diff --git a/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json b/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
index a5aebce60..6d139eb48 100644
--- a/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
+++ b/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.1.0",
 "category": "Security Center"
 },
- "version": "1.0.1",
+ "version": "1.1.0",
 "parameters": {},
 "policyDefinitions": [
 {
@@ -27,6 +27,12 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c",
 "definitionVersion": "1.*.*",
 "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForPostgreSqlFlexibleServer",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a6ae02f-7590-40d7-88ba-b18e205a32fd",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
 }
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
index 9982d7e0c..8b61fab5c 100644
--- a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
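Review bot: The initiative description in the first hunk still scopes it to `non-Basic tier` open-source databases, but the definition newly referenced in the second hunk, `2a6ae02f-7590-40d7-88ba-b18e205a32fd` (added earlier in this commit), targets every `Microsoft.DBforPostgreSQL/flexibleservers` resource with no tier or SKU filter, so the two now disagree. Either the description should say that PostgreSQL flexible servers are covered regardless of tier, or the definition's `if` should gain a SKU condition; a reader of the description alone would not expect Burstable-class flexible servers to receive a DeployIfNotExists remediation. The new reference also has `"parameters": {}`, so the definition's default `DeployIfNotExists` is fixed at assignment time, which matches the existing entries here but is worth stating in the version-bump note.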
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "57.26.0",
+ "version": "57.27.0",
 "category": "Security Center"
 },
- "version": "57.26.0",
+ "version": "57.27.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -8743,6 +8743,15 @@
 "groupNames": [
 "Azure_Security_Benchmark_v3.0_IM-1"
 ]
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1dc2fc00-2245-4143-99f4-874c937f13ef",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "aPIManagementServicePlatformVersionShouldBeStv2",
+ "groupNames": [
+ "Azure_Security_Benchmark_v3.0_PV-2",
+ "Azure_Security_Benchmark_v3.0_AM-2"
+ ]
 }
 ]
 },
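Review bot: The new reference to `1dc2fc00-2245-4143-99f4-874c937f13ef` carries no `parameters`, so the definition's default `Audit` effect is hard-wired and an assignment of this initiative cannot switch it to `Deny` or `Disabled`, even though the definition offers all three and the other entries added in this commit route `effect` through an initiative parameter. Declaring an effect parameter in the initiative's `parameters` section (outside this hunk; a name such as `apiManagementPlatformVersionEffect` is a suggestion, not an existing identifier) with `allowedValues` `Audit`, `Deny`, `Disabled`, and wiring it as `"parameters": { "effect": { "value": "[parameters('apiManagementPlatformVersionEffect')]" } }` on the new entry, would keep the initiative consistent. The `policyDefinitionReferenceId` `aPIManagementServicePlatformVersionShouldBeStv2` also breaks the lowerCamelCase used by the other reference ids in this commit; `apiManagementServicePlatformVersionShouldBeStv2` would match them.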