Framework/Configurations/SubscriptionSecurity/Subscription.ARMPolicies.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
{
   "Version": "3.1803.0",
   "Policies": [
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_SQL_Basic_Create",
         "policyDefinition": "{\"if\":{\"field\":\"Microsoft.SQL/servers/databases/edition\",\"equals\":\"Basic\"},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of a SQL database with 'Basic' edition type",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_NonGRS_Storage_SKU",
         "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"equals\":\"Standard_LRS\"}]},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of a storage account with Standard LRS (no Geo-Replication)",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_Job_Scheduler_Free_Tier",
         "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Scheduler/jobcollections\"},{\"field\":\"Microsoft.Scheduler/jobcollections/sku.name\",\"equals\":\"Free\"}]},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of a job scheduler with free tier",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_Old_SQL_Version",
         "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.SQL/servers\"},{\"field\":\"Microsoft.SQL/servers/version\",\"in\":[\"2.0\",\"3.0\",\"4.0\",\"5.0\",\"6.0\",\"7.0\",\"8.0\",\"9.0\",\"10.0\",\"11.0\"]}]},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of a sql server with version less than 12.0",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_NonHBI_Resource_Create",
         "policyDefinition": "{\"if\":{\"not\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.DataFactory/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DataLakeAnalytics/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DataLakeStore/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Web/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Search/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ServiceBus/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Relay/*\"},{\"field\":\"type\",\"like\":\"Microsoft.EventHub/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Logic/*\"},{\"field\":\"type\",\"like\":\"Microsoft.NotificationHubs/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ServiceFabric/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Sql/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Compute/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Storage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.AnalysisServices/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Automation/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Cdn/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DocumentDb/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Network/*\"},{\"field\":\"type\",\"like\":\"Microsoft.KeyVault/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Cache/*\"},{\"field\":\"type\",\"like\":\"Microsoft.StreamAnalytics/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Compute/*\"}]}},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of resource types which have not been ratified for critical enterprise data",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Audit_Classic_Resource_Create",
         "policyDefinition": "{\"if\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.ClassicCompute/*\"},{\"field\":\"type\",\"like\":\"microsoft.classicStorage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ClassicNetwork/*\"},{\"field\": \"type\",\"like\": \"Microsoft.Backup/*\"}]},\"then\":{\"effect\":\"audit\"}}",
         "description": "Policy to generate an audit event upon creation of classic/v1 (i.e., ASM-based) resources",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      },
      {
         "policyDefinitionName": "AzSK_ARMPol_Deny_Classic_Resource_Create",
         "policyDefinition": "{\"if\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.ClassicCompute/*\"},{\"field\":\"type\",\"like\":\"microsoft.classicStorage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ClassicNetwork/*\"}]},\"then\":{\"effect\":\"deny\"}}",
         "description": "Policy to deny upon creation of classic/v1 (i.e., ASM-based) resources",
         "tags": [
            "Mandatory"
         ],
         "enabled": true,
         "scope": "/subscriptions/$subscriptionId"
      }
   ]
 
}