Framework/Configurations/SubscriptionSecurity/Subscription.ARMPolicies.json
{
"Version": "3.1803.0", "Policies": [ { "policyDefinitionName": "AzSK_ARMPol_Audit_SQL_Basic_Create", "policyDefinition": "{\"if\":{\"field\":\"Microsoft.SQL/servers/databases/edition\",\"equals\":\"Basic\"},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of a SQL database with 'Basic' edition type", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Audit_NonGRS_Storage_SKU", "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"equals\":\"Standard_LRS\"}]},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of a storage account with Standard LRS (no Geo-Replication)", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Audit_Job_Scheduler_Free_Tier", "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Scheduler/jobcollections\"},{\"field\":\"Microsoft.Scheduler/jobcollections/sku.name\",\"equals\":\"Free\"}]},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of a job scheduler with free tier", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Audit_Old_SQL_Version", "policyDefinition": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.SQL/servers\"},{\"field\":\"Microsoft.SQL/servers/version\",\"in\":[\"2.0\",\"3.0\",\"4.0\",\"5.0\",\"6.0\",\"7.0\",\"8.0\",\"9.0\",\"10.0\",\"11.0\"]}]},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of a sql server with version less than 12.0", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Audit_NonHBI_Resource_Create", "policyDefinition": "{\"if\":{\"not\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.DataFactory/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DataLakeAnalytics/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DataLakeStore/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Web/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Search/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ServiceBus/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Relay/*\"},{\"field\":\"type\",\"like\":\"Microsoft.EventHub/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Logic/*\"},{\"field\":\"type\",\"like\":\"Microsoft.NotificationHubs/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ServiceFabric/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Sql/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Compute/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Storage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.AnalysisServices/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Automation/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Cdn/*\"},{\"field\":\"type\",\"like\":\"Microsoft.DocumentDb/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Network/*\"},{\"field\":\"type\",\"like\":\"Microsoft.KeyVault/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Cache/*\"},{\"field\":\"type\",\"like\":\"Microsoft.StreamAnalytics/*\"},{\"field\":\"type\",\"like\":\"Microsoft.Compute/*\"}]}},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of resource types which have not been ratified for critical enterprise data", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Audit_Classic_Resource_Create", "policyDefinition": "{\"if\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.ClassicCompute/*\"},{\"field\":\"type\",\"like\":\"microsoft.classicStorage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ClassicNetwork/*\"},{\"field\": \"type\",\"like\": \"Microsoft.Backup/*\"}]},\"then\":{\"effect\":\"audit\"}}", "description": "Policy to generate an audit event upon creation of classic/v1 (i.e., ASM-based) resources", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" }, { "policyDefinitionName": "AzSK_ARMPol_Deny_Classic_Resource_Create", "policyDefinition": "{\"if\":{\"anyOf\":[{\"field\":\"type\",\"like\":\"Microsoft.ClassicCompute/*\"},{\"field\":\"type\",\"like\":\"microsoft.classicStorage/*\"},{\"field\":\"type\",\"like\":\"Microsoft.ClassicNetwork/*\"}]},\"then\":{\"effect\":\"deny\"}}", "description": "Policy to deny upon creation of classic/v1 (i.e., ASM-based) resources", "tags": [ "Mandatory" ], "enabled": true, "scope": "/subscriptions/$subscriptionId" } ] } |