Skip to content

Commit

Permalink
Built-in Policy Release b5d9fffe (#1294)
Browse files Browse the repository at this point in the history 
Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
  • Loading branch information
@gokmen-msft
gokmen-msft and Azure Policy Bot authored Mar 13, 2024
1 parent 4fdc615 commit 9a3984e
Show file tree
Hide file tree
Showing 15 changed files with 485 additions and 49 deletions.
21 changes: 14 additions & 7 deletions built-in-policies/policyDefinitions/Kubernetes/AKS_DisableRunCommand_DINE.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@
"description": "Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster",
"mode": "Indexed",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "Kubernetes"
},
"version": "1.1.0",
"version": "1.2.0",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -74,7 +74,7 @@
"outputs": {
"aksCluster": {
"type": "object",
"value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2021-08-01', 'Full')]"
"value": "[reference(resourceId(parameters('clusterResourceGroupName'), 'Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2023-11-01', 'Full')]"
}
}
}
Expand Down Expand Up @@ -102,15 +102,14 @@
},
"resources": [
{
"apiVersion": "2021-08-01",
"apiVersion": "2023-11-01",
"type": "Microsoft.ContainerService/managedClusters",
"name": "[parameters('aksClusterName')]",
"location": "[parameters('aksClusterContent').location]",
"sku": "[parameters('aksClusterContent').sku]",
"tags": "[if(contains(parameters('aksClusterContent'), 'tags'), parameters('aksClusterContent').tags, json('null'))]",
"properties": {
"kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
"agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
"linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
"windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
"servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
Expand All @@ -121,17 +120,24 @@
"aadProfile": "[if(contains(parameters('aksClusterContent').properties, 'aadProfile'), parameters('aksClusterContent').properties.aadProfile, json('null'))]",
"autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
"autoUpgradeProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoUpgradeProfile'), parameters('aksClusterContent').properties.autoUpgradeProfile, json('null'))]",
"azureMonitorProfile": "[if(contains(parameters('aksClusterContent').properties, 'azureMonitorProfile'), parameters('aksClusterContent').properties.azureMonitorProfile, json('null'))]",
"apiServerAccessProfile": {
"disableRunCommand": true
},
"diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
"disableLocalAccounts": "[if(contains(parameters('aksClusterContent').properties, 'disableLocalAccounts'), parameters('aksClusterContent').properties.disableLocalAccounts, json('null'))]",
"fqdnSubdomain": "[if(contains(parameters('aksClusterContent').properties, 'fqdnSubdomain'), parameters('aksClusterContent').properties.fqdnSubdomain, json('null'))]",
"httpProxyConfig": "[if(contains(parameters('aksClusterContent').properties, 'httpProxyConfig'), parameters('aksClusterContent').properties.httpProxyConfig, json('null'))]",
"oidcIssuerProfile": "[if(contains(parameters('aksClusterContent').properties, 'oidcIssuerProfile'), parameters('aksClusterContent').properties.oidcIssuerProfile, json('null'))]",
"podIdentityProfile": "[if(contains(parameters('aksClusterContent').properties, 'podIdentityProfile'), parameters('aksClusterContent').properties.podIdentityProfile, json('null'))]",
"privateLinkResources": "[if(contains(parameters('aksClusterContent').properties, 'privateLinkResources'), parameters('aksClusterContent').properties.privateLinkResources, json('null'))]",
"securityProfile": "[if(contains(parameters('aksClusterContent').properties, 'securityProfile'), parameters('aksClusterContent').properties.securityProfile, json('null'))]",
"identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
"identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]",
"publicNetworkAccess": "[if(contains(parameters('aksClusterContent').properties, 'publicNetworkAccess'), parameters('aksClusterContent').properties.publicNetworkAccess, json('null'))]",
"serviceMeshProfile": "[if(contains(parameters('aksClusterContent').properties, 'serviceMeshProfile'), parameters('aksClusterContent').properties.serviceMeshProfile, json('null'))]",
"storageProfile": "[if(contains(parameters('aksClusterContent').properties, 'storageProfile'), parameters('aksClusterContent').properties.storageProfile, json('null'))]",
"supportPlan": "[if(contains(parameters('aksClusterContent').properties, 'supportPlan'), parameters('aksClusterContent').properties.supportPlan, json('null'))]",
"upgradeSettings": "[if(contains(parameters('aksClusterContent').properties, 'upgradeSettings'), parameters('aksClusterContent').properties.upgradeSettings, json('null'))]",
"workloadAutoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'workloadAutoScalerProfile'), parameters('aksClusterContent').properties.workloadAutoScalerProfile, json('null'))]"
}
}
],
Expand Down Expand Up @@ -163,6 +169,7 @@
}
},
"versions": [
"1.2.0",
"1.1.0",
"1.0.3"
]
Expand Down
50 changes: 50 additions & 0 deletions ...nitions/Mobile Network/ConfigurePacketCoreDiagnosticAccessWithMicrosoftEntraID_Audit.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"properties": {
"displayName": "Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs",
"metadata": {
"category": "Mobile Network",
"version": "1.0.0"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.MobileNetwork/packetCoreControlPlanes"
},
{
"field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
"notEquals": "AAD"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/aec63c84-f9ea-46c7-9e66-ba567bae0f09",
"name": "aec63c84-f9ea-46c7-9e66-ba567bae0f09"
}
63 changes: 63 additions & 0 deletions ...itions/Mobile Network/ConfigurePacketCoreDiagnosticAccessWithMicrosoftEntraID_Modify.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
{
"properties": {
"displayName": "Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs",
"metadata": {
"category": "Mobile Network",
"version": "1.0.0"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Modify",
"Disabled"
],
"defaultValue": "Modify"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.MobileNetwork/packetCoreControlPlanes"
},
{
"field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
"notEquals": "AAD"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"conflictEffect": "audit",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2022-11-01')]",
"operation": "addOrReplace",
"field": "Microsoft.MobileNetwork/packetCoreControlPlanes/localDiagnosticsAccess.authenticationType",
"value": "AAD"
}
]
}
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/7508b186-60e2-4518-bf70-3d7fbaba1f3a",
"name": "7508b186-60e2-4518-bf70-3d7fbaba1f3a"
}
50 changes: 50 additions & 0 deletions built-in-policies/policyDefinitions/Mobile Network/ConfigureSIMGroupwithCMK_Audit.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"properties": {
"displayName": "SIM Group should use customer-managed keys to encrypt data at rest",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
"metadata": {
"category": "Mobile Network",
"version": "1.0.0"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.MobileNetwork/simGroups"
},
{
"value": "[length(field('Microsoft.MobileNetwork/simGroups/encryptionKey.keyUrl'))]",
"equals": "0"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/45c4e9bd-ad6b-4634-9566-c2dad2f03cbf",
"name": "45c4e9bd-ad6b-4634-9566-c2dad2f03cbf"
}
65 changes: 65 additions & 0 deletions built-in-policies/policyDefinitions/Stack HCI/DataAtRestEncryptedAtCluster_Audit.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
{
"properties": {
"displayName": "[Preview]: Azure Stack HCI systems should have encrypted volumes",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.",
"metadata": {
"version": "1.0.0-preview",
"category": "Stack HCI",
"preview": true
},
"version": "1.0.0-preview",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"Audit",
"Disabled",
"AuditIfNotExists"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.AzureStackHCI/clusters"
},
{
"field": "Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion",
"greater": "10.0.20350"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.AzureStackHCI/clusters/securitySettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.dataAtRestEncrypted",
"in": [
"Compliant",
"Pending"
]
}
]
}
}
}
},
"versions": [
"1.0.0-PREVIEW"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4",
"name": "ee8ca833-1583-4d24-837e-96c2af9488a4"
}
13 changes: 7 additions & 6 deletions built-in-policies/policyDefinitions/Stack HCI/DataAtRestEncrypted_Audit.json
View file
Original file line number Diff line number Diff line change
@@ -1,19 +1,19 @@
{
"properties": {
"displayName": "[Preview]: Azure Stack HCI systems should have encrypted volumes",
"displayName": "[Deprecated]: Azure Stack HCI systems should have encrypted volumes",
"policyType": "BuiltIn",
"mode": "All",
"description": "Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.",
"description": "This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
"metadata": {
"version": "1.0.0-preview",
"version": "1.1.0-deprecated",
"category": "Stack HCI",
"preview": true
"deprecated": true
},
"version": "1.0.0-preview",
"version": "1.1.0",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit",
"defaultValue": "Disabled",
"allowedValues": [
"Audit",
"Disabled"
Expand Down Expand Up @@ -47,6 +47,7 @@
}
},
"versions": [
"1.1.0",
"1.0.0-PREVIEW"
]
},
Expand Down
Loading

0 comments on commit 9a3984e

Please sign in to comment.