From 54defcf7bb69d2d015ee2be2e1ca33438ac6a907 Mon Sep 17 00:00:00 2001
From: Azure Policy Bot
Date: Fri, 18 Oct 2024 17:46:57 +0000
Subject: [PATCH] Built-in Policy Release cdc0131b

---
 ...Center_HCRP_AutoAssessmentMode_Modify.json | 9 +-
 .../LinuxSshServerSecurityBaseline_AINE.json | 10 +-
 .../LinuxSshServerSecurityBaseline_DINE.json | 10 +-
 .../AllowDeployRegistryModels_Audit.json | 86 +
 .../Regulatory Compliance/NewZealand_ISM.json | 2045 +++++++++--------
 5 files changed, 1181 insertions(+), 979 deletions(-)
 create mode 100644 built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json

diff --git a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
index 19b1412c2..3ecd9c181 100644
--- a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
- "version": "2.2.1",
+ "version": "2.3.0",
 "category": "Azure Update Manager"
 },
- "version": "2.2.1",
+ "version": "2.3.0",
 "parameters": {
 "assessmentMode": {
 "type": "String",
@@ -71,6 +71,10 @@
 "field": "type",
 "equals": "Microsoft.HybridCompute/machines"
 },
+ {
+ "value": "[requestContext().apiVersion]",
+ "greaterOrEquals": "2022-03-10"
+ },
 {
 "field": "Microsoft.HybridCompute/machines/osName",
 "equals": "[parameters('osType')]"
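Review bot: The new `requestContext().apiVersion` condition in the second hunk (`@@ -71,6 +71,10 @@`) narrows the modify effect so that Arc machines written through a Microsoft.HybridCompute API version older than 2022-03-10 are no longer auto-assessed, yet the `description` on the first hunk still promises auto-assessment for all Arc-enabled servers without stating that floor. Since this is shipped as a minor bump (2.2.1 → 2.3.0) rather than a major one, the behaviour change is easy to miss; I would append to the description: `Machines are only modified when the request uses Microsoft.HybridCompute API version 2022-03-10 or later.` Assuming `greaterOrEquals` compares the two strings lexically (which sorts these date-formatted versions correctly), a value such as `2022-03-10-preview` also passes the check; confirm that is intended. The enclosing `allOf` starts and ends outside the hunk.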
@@ -150,6 +154,7 @@
 }
 },
 "versions": [
+ "2.3.0",
 "2.2.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json b/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json
index db90d32bc..4c8d9a486 100644
--- a/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json
+++ b/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json
@@ -1,13 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Audit SSH Posture Control on Linux machines",
+ "displayName": "Audit SSH security posture for Linux (powered by OSConfig)",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if SSH Server is not securely configured on the Linux machines.",
+ "description": "This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.0.1",
 "category": "Guest Configuration",
- "preview": true,
 "requiredProviders": [
 "Microsoft.GuestConfiguration"
 ],
@@ -37,7 +36,7 @@
 }
 }
 },
- "version": "1.0.0-preview",
+ "version": "1.0.1",
 "parameters": {
 "IncludeArcMachines": {
 "type": "string",
@@ -470,6 +469,7 @@
 }
 },
 "versions": [
+ "1.0.1",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json b/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json
index e0daa5e7a..62e2e8843 100644
--- a/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json
+++ b/built-in-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json
@@ -1,13 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure SSH Posture Control on Linux machines",
+ "displayName": "Configure SSH security posture for Linux (powered by OSConfig)",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "This policy creates a Guest Configuration assignment to set SSH Posture Control on Linux machines.",
+ "description": "This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.0.1",
 "category": "Guest Configuration",
- "preview": true,
 "requiredProviders": [
 "Microsoft.GuestConfiguration"
 ],
@@ -37,7 +36,7 @@
 }
 }
 },
- "version": "1.0.0-preview",
+ "version": "1.0.1",
 "parameters": {
 "IncludeArcMachines": {
 "type": "string",
@@ -902,6 +901,7 @@
 }
 },
 "versions": [
+ "1.0.1",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json b/built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json
new file mode 100644
index 000000000..857e12fe6
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json
@@ -0,0 +1,86 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Azure Machine Learning Deployments should only use approved Registry Models",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.MachineLearningServices.v2.Data",
+ "description": "Restrict the deployment of Registry models to control externally created models used within your organization",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Machine Learning",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ }
+ },
+ "allowedPublishers": {
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Allowed Model Publishers",
+ "description": "List of Publishers whose Models are allowed to be deployed."
+ }
+ },
+ "allowedAssetIds": {
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Allowed Asset Ids",
+ "description": "List of AssetIds of Models that are allowed to be deployed. This can include partial assetIds to allow all Models under a given scope."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.registryName",
+ "exists": true
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.publisher",
+ "notin": "[parameters('allowedPublishers')]"
+ },
+ {
+ "count": {
+ "value": "[parameters('allowedAssetIds')]",
+ "name": "allowedAssetId",
+ "where": {
+ "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.assetId",
+ "contains": "[current('allowedAssetId')]"
+ }
+ },
+ "equals": 0
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/12e5dd16-d201-47ff-849b-8454061c293d",
+ "name": "12e5dd16-d201-47ff-849b-8454061c293d"
+}
\ No newline at end of file
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
index ae5a9ddd8..6654ccb99 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
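Review bot: With both parameter defaults left as `[]`, every deployment whose model has a `registryName` is non-compliant — `notin` against an empty array is true and the `count` over an empty `allowedAssetIds` is 0 — so a default assignment audits (or, with `Deny`, blocks) all registry models instead of allowing them, the reverse of the convention used elsewhere in this same release (`allowedIPAddresses-1`: "An empty array is evaluated as to allow all IPs"). That is a defensible default for an allowlist, but neither parameter description says so; I would extend `allowedPublishers` with `"description": "List of Publishers whose Models are allowed to be deployed. An empty list allows no publisher; a deployment then passes only if its assetId matches an entry in allowedAssetIds."` and say the same on `allowedAssetIds`. Separately, `contains` on `model.assetId` is a substring match rather than a prefix match, so a short entry such as a bare model name matches any asset id that contains it anywhere; the phrase "partial assetIds to allow all Models under a given scope" reads as a prefix rule and should state that full registry paths are the safe form.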
@@ -2,310 +2,323 @@ "properties": { "displayName": "New Zealand ISM", "policyType": "BuiltIn", - "description": "New Zealand Information Security Manual (ISM) policy initiative. This policy set includes definitions that have a Deny effect by default", + "description": "NZISM v3.8. The New Zealand Information Security Manual (NZISM) details processes and controls essential for the protection of all New Zealand Government information and systems. This initiative includes policies that address a subset of NZISM controls. Additional policies will be added in upcoming releases. For full details on controls, please refer to https://www.nzism.gcsb.govt.nz/ism-document. This policy set includes definitions that have a Deny effect by default.", "metadata": { "category": "Regulatory Compliance", - "version": "1.4.0" + "version": "1.5.0" }, - "version": "1.4.0", + "version": "1.5.0", "policyDefinitionGroups": [ { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.5.C.01", - "description": "A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.", + "category": "06. Information security monitoring", "name": "New_Zealand_ISM_06.2.5.C.01", - "category": "06. Information security monitoring" + "description": "Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done: before a system is first used; after any significant incident; after a significant change to the system; after changes to standards, policies and guidelines; when specified by an ITSM or system owner." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.6.C.01", - "description": "Vulnerabilities may occur as a result of poorly designed or implemented information security practices", + "category": "06. 
Information security monitoring", "name": "New_Zealand_ISM_06.2.6.C.01", - "category": "06. Information security monitoring" + "description": "Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.4.5.C.01", - "description": "Availability and recovery requirements will vary based on each agency s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes.", + "category": "06. Information security monitoring", "name": "New_Zealand_ISM_06.4.5.C.01", - "category": "06. Information security monitoring" + "description": "Agencies MUST determine availability and recovery requirements for their systems and implement measures consistent with the agency's SRMP to support them." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.1.7.C.02", - "description": "Processes and procedures for the detection of information security incidents will assist in mitigating attacks using the most common vectors in systems exploits.", + "category": "07. Information Security Incidents", "name": "New_Zealand_ISM_07.1.7.C.02", - "category": "07. Information Security Incidents" + "description": "Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating: user awareness and training; counter-measures against malicious code, known attack methods and types; intrusion detection strategies; data egress monitoring & control; access control anomalies; audit analysis; system integrity checking; and vulnerability assessments." 
}, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.2.22.C.01", - "description": "In the case of outsourcing of information technology services and functions", + "category": "07. Information Security Incidents", "name": "New_Zealand_ISM_07.2.22.C.01", - "category": "07. Information Security Incidents" + "description": "Agencies that outsource their information technology services and functions MUST ensure that the service provider advises and consults with the agency when an information security incident occurs." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_10.8.35.C.01", - "description": "Security architectures MUST apply the principles of separation and segregation.", + "category": "10. Infrastructure", "name": "New_Zealand_ISM_10.8.35.C.01", - "category": "10. Infrastructure" + "description": "Security architectures MUST apply the principles of separation and segregation." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_12.4.4.C.02", - "description": "The assurance provided by an evaluation is related to the date at which the results were issued. Over the course of a normal product lifecycle", + "category": "12. Product Security", "name": "New_Zealand_ISM_12.4.4.C.02", - "category": "12. Product Security" + "description": "Agencies MUST implement a patch management strategy, including an evaluation or testing process." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.8.C.01", - "description": "Antivirus and anti-malware software", + "category": "14. Software security", "name": "New_Zealand_ISM_14.1.8.C.01", - "category": "14. 
Software security" + "description": "Agencies SHOULD develop a hardened SOE for workstations and servers, covering several requirements detailed here https://www.nzism.gcsb.govt.nz/ism-document#SubSection-15020" }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.9.C.01", - "description": "Whilst a SOE can be sufficiently hardened when it is deployed", + "category": "14. Software security", "name": "New_Zealand_ISM_14.1.9.C.01", - "category": "14. Software security" + "description": "Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.2.4.C.01", - "description": "Application access control can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.", + "category": "14. Software security", "name": "New_Zealand_ISM_14.2.4.C.01", - "category": "14. Software security" + "description": "Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.5.8.C.01", - "description": "The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications.", + "category": "14. Software security", "name": "New_Zealand_ISM_14.5.8.C.01", - "category": "14. 
Software security" + "description": "Agencies SHOULD follow the documentation provided in the Open Web Application Security Project guide to building secure Web applications and Web services." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.1.32.C.01", - "description": "Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system.", + "category": "16. Access Control and Passwords", "name": "New_Zealand_ISM_16.1.32.C.01", - "category": "16. Access Control and Passwords" + "description": "Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.3.5.C.02", - "description": "Inappropriate use of any feature or facility of a system that enables a privileged user to override system or application controls can be a major contributory factor to failures", + "category": "16. Access Control and Passwords", "name": "New_Zealand_ISM_16.3.5.C.02", - "category": "16. Access Control and Passwords" + "description": "Agencies SHOULD: ensure strong change management practices are implemented; ensure that the use of privileged accounts is controlled and accountable; ensure that system administrators are assigned an individual account for the performance of their administration tasks; keep privileged accounts to a minimum; and allow the use of privileged accounts for administrative work only." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.30.C.01", - "description": "The requirement for an agency security policy is discussed and described in Chapter 5 Information Security Documentation.  A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts.  
This is most conveniently contained in a Privileged Access Management (PAM) section within the agency s security policy.  A PAM policy is a fundamental component of an agency s IT Governance.", + "category": "16. Access Control and Passwords", "name": "New_Zealand_ISM_16.4.30.C.01", - "category": "16. Access Control and Passwords" + "description": "Agencies MUST establish a Privileged Access Management (PAM) policy." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.32.C.01", - "description": "The approval and authorisation process for the granting of privileged access should be based on the requirement to manage and protect agency systems and assets or as an operational necessity only.", + "category": "16. Access Control and Passwords", "name": "New_Zealand_ISM_16.4.32.C.01", - "category": "16. Access Control and Passwords" + "description": "As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.55.C.03", - "description": "When encryption is applied to information being communicated over networks", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.1.55.C.03", - "category": "17. Cryptography" + "description": "Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.58.C.01", - "description": "All cryptographic keys have a limited useful life after which the key should be replaced or retired. 
Typically the useful life of the cryptographic key (cryptoperiod) is use", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.1.58.C.01", - "category": "17. Cryptography" + "description": "Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.19.C.01", - "description": "While ECDH should be used in preference to DH", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.2.19.C.01", - "category": "17. Cryptography" + "description": "Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 3072 bits." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.22.C.01", - "description": "A field/key size of at least 384 bits for ECDH is now considered good practice by the cryptographic community.", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.2.22.C.01", - "category": "17. Cryptography" + "description": "Agencies using ECDH, for the approved use of agreeing on encryption session keys, MUST implement the curve P-384 (prime moduli)." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.24.C.01", - "description": "A modulus of at least 3072 bits for RSA is considered good practice by the cryptographic community.", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.2.24.C.01", - "category": "17. Cryptography" + "description": "Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072 bits." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.4.16.C.01", - "description": "Whilst version 1.0 of SSL was never released", + "category": "17. 
Cryptography", "name": "New_Zealand_ISM_17.4.16.C.01", - "category": "17. Cryptography" + "description": "Agencies SHOULD use the current version of TLS (version 1.3)." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.6.C.01", - "description": "The configuration directives provided are based on the OpenSSH implementation of SSH. Agencies implementing SSH will need to adapt these settings to suit other SSH implementations.", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.5.6.C.01", - "category": "17. Cryptography" + "description": "The settings that SHOULD be implemented when using SSH areoutlined on the NCSC website for this control https://www.nzism.gcsb.govt.nz/ism-document#SubSection-15978" }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.7.C.01", - "description": "Public key-based systems have greater potential for strong authentication", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.5.7.C.01", - "category": "17. Cryptography" + "description": "Agencies SHOULD use public key-based authentication before using password-based authentication." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.35.C.01", - "description": "The cryptographic system administrator is a highly privileged position which involves granting privileged access to a cryptographic system. Therefore extra precautions need to be put in place surrounding the security and vetting of the personnel as well as the access control procedures for individuals designated as cryptographic system administrators.", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.9.35.C.01", - "category": "17. Cryptography" + "description": "Before personnel are granted cryptographic system administrator access, agencies MUST ensure the requirements for access are met. 
For a full list see the control published here https://www.nzism.gcsb.govt.nz/ism-document#SubSection-16122" }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.36.C.02", - "description": "As cryptographic equipment contains particularly sensitive information additional physical security measures need to be applied to the equipment.", + "category": "17. Cryptography", "name": "New_Zealand_ISM_17.9.36.C.02", - "category": "17. Cryptography" + "description": "Areas in which cryptographic system material is used SHOULD be separated from other areas and designated as a controlled cryptography area." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.10.C.01", - "description": "If the network is not centrally managed", + "category": "18. Network security", "name": "New_Zealand_ISM_18.1.10.C.01", - "category": "18. Network security" + "description": "Agencies SHOULD keep the network configuration under the control of a network management authority." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.13.C.02", - "description": "If an attacker has limited opportunities to connect to a given network", + "category": "18. Network security", "name": "New_Zealand_ISM_18.1.13.C.02", - "category": "18. Network security" + "description": "Agencies SHOULD implement network access controls on all networks." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.7.C.02", - "description": "An IDS/IPS when configured correctly", + "category": "18. Network security", "name": "New_Zealand_ISM_18.4.7.C.02", - "category": "18. 
Network security" + "description": "Agencies SHOULD develop, implement and maintain an intrusion detection strategy that includes: appropriate intrusion detection mechanisms, including network-based IDS/IPSs and host-based IDS/IPSs as necessary; the audit analysis of event logs, including IDS/IPS logs; a periodic audit of intrusion detection procedures; information security awareness and training programs; and a documented IRP." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.8.C.01", - "description": "If the firewall is configured to block all traffic on a particular range of port numbers", + "category": "18. Network security", "name": "New_Zealand_ISM_18.4.8.C.01", - "category": "18. Network security" + "description": "Agencies SHOULD deploy IDS/IPSs in all gateways between the agency�s networks and unsecure public networks or BYOD wireless networks." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.03", - "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "category": "22. Enterprise systems security", "name": "New_Zealand_ISM_22.1.24.C.03", - "category": "22. Enterprise systems security" + "description": "Agencies intending to adopt cloud technologies or services SHOULD apply controls to detect and prevent unauthorised data transfers and multiple or large scale data transfers to offshore locations and entities." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.04", - "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  
An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "category": "22. Enterprise systems security", "name": "New_Zealand_ISM_22.1.24.C.04", - "category": "22. Enterprise systems security" + "description": "Agencies intending to adopt cloud technologies or services SHOULD consider the use of encryption for data in transit and at rest." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.3.19.C.01", - "description": "Credentials used to access public cloud services can be reused across cloud service providers", + "category": "23. Public Cloud Security", "name": "New_Zealand_ISM_23.3.19.C.01", - "category": "23. Public Cloud Security" + "description": "Where administration interfaces or portals are accessible from the internet, privileged accounts MUST be configured to use multiple factors of authentication." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.10.C.01", - "description": "Many public cloud services are designed to make customer data directly accessible through multiple interfaces. These service endpoints may be internet-accessible by default", + "category": "23. Public Cloud Security", "name": "New_Zealand_ISM_23.4.10.C.01", - "category": "23. Public Cloud Security" + "description": "Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties." }, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.9.C.01", - "description": "Agencies remain accountable for the confidentiality", + "category": "23. Public Cloud Security", "name": "New_Zealand_ISM_23.4.9.C.01", - "category": "23. Public Cloud Security" + "description": "For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements." 
}, { "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.5.11.C.01", - "description": "It may not be possible", + "category": "23. Public Cloud Security", "name": "New_Zealand_ISM_23.5.11.C.01", - "category": "23. Public Cloud Security" + "description": "Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency�s documented logging requirements." } ], "parameters": { - "modeRequirement-1": { - "type": "String", + "namespaces-1": { + "type": "Array", "metadata": { - "displayName": "Mode Requirement", - "description": "Mode required for all WAF policies" + "displayName": "Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "evaluatedSkuNames-2": { + "type": "Array", + "metadata": { + "displayName": "Azure Spring Cloud SKU Names", + "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated." }, "allowedValues": [ - "Prevention", - "Detection" + "Standard", + "Enterprise" ], - "defaultValue": "Detection" + "defaultValue": [ + "Standard", + "Enterprise" + ] }, - "audit_effect-1": { + "warn-1": { + "type": "Boolean", + "metadata": { + "displayName": "Warn", + "description": "Whether or not to return warnings back to the user in the kubectl cli" + }, + "defaultValue": false + }, + "NotAvailableMachineState-1": { "type": "String", "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" + "displayName": "Status if Windows Defender is not available on machine", + "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. 
Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant." }, "allowedValues": [ - "Audit", - "Disabled" + "Compliant", + "Non-Compliant" ], - "defaultValue": "Audit" + "defaultValue": "Compliant" }, - "deny_effect-1": { + "setting-1": { "type": "String", "metadata": { - "displayName": "Audit, deny or disable the execution of the policy", - "description": "Audit, deny or disable the execution of the policy" + "displayName": "Desired Auditing setting" }, "allowedValues": [ - "Audit", - "Deny", - "Disabled" + "enabled", + "disabled" ], - "defaultValue": "Deny" + "defaultValue": "enabled" }, - "evaluatedSkuNames-2": { + "evaluatedSkuNames-1": { "type": "Array", "metadata": { - "displayName": "Azure Spring Cloud SKU Names", - "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated." + "displayName": "API Management SKU Names", + "description": "List of API Management SKUs against which this policy will be evaluated." }, "allowedValues": [ + "Developer", + "Basic", "Standard", - "Enterprise" + "Premium", + "Consumption" ], "defaultValue": [ - "Standard", - "Enterprise" + "Developer", + "Premium" ] }, - "allowedIPAddresses-1": { + "allowedECNames-1": { "type": "Array", "metadata": { - "displayName": "Allowed IP addresses", - "description": "Array with allowed public IP addresses. An empty array is evaluated as to allow all IPs." - }, - "defaultValue": [] - }, - "IncludeArcMachines-1": { - "type": "String", - "metadata": { - "displayName": "Include Arc connected servers", - "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", - "portalReview": "true" + "displayName": "Allowed elliptic curve names", + "description": "The list of allowed curve names for elliptic curve cryptography certificates." 
}, "allowedValues": [ - "true", - "false" + "P-256", + "P-256K", + "P-384", + "P-521" ], - "defaultValue": "false" + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] }, - "minimumTlsVersion-2": { + "LinuxPythonVersion-1": { "type": "String", "metadata": { - "displayName": "Minimum TLS Version", - "description": "Minimum version of TLS required to access data in this storage account" + "displayName": "Linux Python version", + "description": "Specify a supported Python version for App Service" }, - "allowedValues": [ - "TLS1_0", - "TLS1_1", - "TLS1_2" - ], - "defaultValue": "TLS1_2" + "defaultValue": "" }, "forbiddenIPAddresses-1": { "type": "Array", @@ -315,13 +328,30 @@ }, "defaultValue": [] }, - "LinuxPythonVersion-1": { - "type": "String", + "excludedKinds-1": { + "type": "Array", "metadata": { - "displayName": "Linux Python version", - "description": "Specify a supported Python version for App Service" + "displayName": "Excluded Kinds", + "description": "The list of excluded API kinds for customer-managed key, default is the list of API kinds that don't have data stored in Cognitive Services" }, - "defaultValue": "" + "defaultValue": [ + "CognitiveServices", + "ContentSafety", + "ImmersiveReader", + "HealthInsights", + "LUIS.Authoring", + "LUIS", + "QnAMaker", + "QnAMaker.V2", + "AIServices", + "MetricsAdvisor", + "SpeechTranslation", + "Internal.AllInOne", + "ConversationalLanguageUnderstanding", + "knowledge", + "TranscriptionIntelligence", + "HealthDecisionSupport" + ] }, "excludedNamespaces-1": { "type": "Array", 
@@ -336,6 +366,27 @@
 "azure-extensions-usage-system"
 ]
 },
+ "endpointType-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public Endpoint Type",
+ "description": "Public Endpoint Type for which to enforce the access check"
+ },
+ "allowedValues": [
+ "Management",
+ "Git",
+ "Gateway Configuration"
+ ],
+ "defaultValue": "Management"
+ },
+ "allowedIPAddresses-1": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed IP addresses",
+ "description": "Array with allowed public IP addresses. An empty array is evaluated as to allow all IPs."
+ },
+ "defaultValue": []
+ },
 "minimumRSAKeySize-1": {
 "type": "Integer",
 "metadata": {
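Review bot: `endpointType-1` is a single-valued String defaulting to `Management`, so one assignment of this initiative can only check public access on one API Management endpoint type; the `Git` and `Gateway Configuration` endpoints stay unevaluated unless the initiative is assigned again with a different value, which the description does not say. `allowedIPAddresses-1` defaults to `[]`, which its own description says is evaluated as allow-all, so both parameters are fail-open at their defaults. I would make that visible in the assignment wizard, e.g. `"description": "Array with allowed public IP addresses. Default (empty) allows all IPs; populate it when IP restriction is enabled."`. These two parameters are moved rather than new in this commit, and the enclosing `parameters` object starts and ends outside the hunk.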
@@ -348,75 +399,46 @@ 4096 ] }, - "excludedImages-1": { - "type": "Array", - "metadata": { - "displayName": "Image exclusions", - "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.", - "portalReview": true - }, - "defaultValue": [] - }, - "LinuxJavaVersion-1": { + "IncludeArcMachines-1": { "type": "String", "metadata": { - "displayName": "Linux Java version", - "description": "Specify a supported Java version for App Service" + "displayName": "Include Arc connected servers", + "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", + "portalReview": "true" }, - "defaultValue": "" + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "false" }, - "allowedECNames-1": { - "type": "Array", + "requiredRetentionDays-1": { + "type": "String", "metadata": { - "displayName": "Allowed elliptic curve names", - "description": "The list of allowed curve names for elliptic curve cryptography certificates." + "displayName": "Required retention (days)", + "description": "The required resource logs retention in days" }, - "allowedValues": [ - "P-256", - "P-256K", - "P-384", - "P-521" - ], - "defaultValue": [ - "P-256", - "P-256K", - "P-384", - "P-521" - ] + "defaultValue": "365" }, - "namespaces-1": { + "excludedContainers-1": { "type": "Array", "metadata": { - "displayName": "Namespace inclusions", - "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
+ "displayName": "Containers exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." }, "defaultValue": [] }, - "LinuxPHPVersion-1": { + "modeRequirement-1": { "type": "String", "metadata": { - "displayName": "Linux PHP version", - "description": "Specify a supported PHP version for App Service" - }, - "defaultValue": "" - }, - "evaluatedSkuNames-1": { - "type": "Array", - "metadata": { - "displayName": "API Management SKU Names", - "description": "List of API Management SKUs against which this policy will be evaluated." + "displayName": "Mode Requirement", + "description": "Mode required for all WAF policies" }, "allowedValues": [ - "Developer", - "Basic", - "Standard", - "Premium", - "Consumption" + "Prevention", + "Detection" ], - "defaultValue": [ - "Developer", - "Premium" - ] + "defaultValue": "Detection" }, "MinimumTLSVersion-1": { "type": "String", 
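Review bot: `modeRequirement-1` defaults to `Detection`, so with defaults the WAF policies in scope are reported compliant while only logging and never blocking; a compliance initiative that expects enforcement should either default to `Prevention` or state the trade-off, e.g. `"description": "Mode required for all WAF policies. Detection only logs matches; choose Prevention to require blocking."`. `IncludeArcMachines-1` likewise defaults to `false`, so Arc-enabled servers are silently outside the guest-configuration checks unless the assigner opts in, which is worth calling out next to the billing note. The `excludedContainers-1` description has a typo: `The identify is the name of container` should read `The identifier is the name of the container`. `requiredRetentionDays-1` is typed String with default `"365"`; if the referenced definition declares an Integer parameter this will fail at assignment, so the type is worth confirming against that definition. The enclosing `parameters` object starts and ends outside the hunk.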
@@ -430,18 +452,47 @@
 ],
 "defaultValue": "1.2"
 },
- "endpointType-1": {
+ "excludedImages-1": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Image exclusions",
+ "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
+ "portalReview": true
+ },
+ "defaultValue": []
+ },
+ "restrictIPAddresses-1": {
 "type": "String",
 "metadata": {
- "displayName": "Public Endpoint Type",
- "description": "Public Endpoint Type for which to enforce the access check"
+ "displayName": "Would you like to restrict specific IP addresses?",
+ "description": "Select (Yes) to allow or forbid a list of IP addresses. If (No), the list of IP addresses won't have any effect in the policy enforcement"
 },
 "allowedValues": [
- "Management",
- "Git",
- "Gateway Configuration"
+ "Yes",
+ "No"
 ],
- "defaultValue": "Management"
+ "defaultValue": "No"
+ },
+ "source-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ],
+ "defaultValue": "Original"
+ },
+ "LinuxPHPVersion-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Linux PHP version",
+ "description": "Specify a supported PHP version for App Service"
+ },
+ "defaultValue": ""
 },
 "labelSelector-1": {
 "type": "Object",
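Review bot: `restrictIPAddresses-1` defaults to `No`, and its own description says that in that case the allow/forbid IP lists have no effect, so at default the IP-restriction control in this initiative is inert and in-scope resources report compliant regardless of their firewall rules. Either default to `Yes` (an empty allow list is already documented as allow-all, so that default is no stricter than today) or make the disabled state explicit, e.g. `"description": "Select Yes to evaluate the allowed/forbidden IP lists. Default No disables IP evaluation entirely, so the lists are ignored and no resource is flagged."`. `excludedImages-1` exempts by image string with `*` prefix matching and has no pattern validation, so a bare `*` or a registry-less prefix exempts every image; since the image name is chosen by whoever authors the pod, the description's advice to use fully-qualified names is the only safeguard and should probably be phrased as a requirement rather than a recommendation. The enclosing `parameters` object starts and ends outside the hunk.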
@@ -502,772 +553,783 @@ "additionalProperties": false } }, - "restrictIPAddresses-1": { + "minimumTlsVersion-2": { "type": "String", "metadata": { - "displayName": "Would you like to restrict specific IP addresses?", - "description": "Select (Yes) to allow or forbid a list of IP addresses. If (No), the list of IP addresses won't have any effect in the policy enforcement" + "displayName": "Minimum TLS Version", + "description": "Minimum version of TLS required to access data in this storage account" }, "allowedValues": [ - "Yes", - "No" + "TLS1_0", + "TLS1_1", + "TLS1_2" ], - "defaultValue": "No" - }, - "requiredRetentionDays-1": { - "type": "String", - "metadata": { - "displayName": "Required retention (days)", - "description": "The required resource logs retention in days" - }, - "defaultValue": "365" + "defaultValue": "TLS1_2" }, - "setting-1": { + "audit_effect-1": { "type": "String", "metadata": { - "displayName": "Desired Auditing setting" - }, - "allowedValues": [ - "enabled", - "disabled" - ], - "defaultValue": "enabled" - }, - "excludedContainers-1": { - "type": "Array", - "metadata": { - "displayName": "Containers exclusions", - "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." 
- }, - "defaultValue": [] - }, - "warn-1": { - "type": "Boolean", - "metadata": { - "displayName": "Warn", - "description": "Whether or not to return warnings back to the user in the kubectl cli" + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" }, - "defaultValue": false + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" }, - "excludedKinds-1": { - "type": "Array", + "audit-effect-2": { + "type": "String", "metadata": { - "displayName": "Excluded Kinds", - "description": "The list of excluded API kinds for customer-managed key, default is the list of API kinds that don't have data stored in Cognitive Services" + "displayName": "Effect", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy.", + "portalReview": true }, - "defaultValue": [ - "CognitiveServices", - "Knowledge", - "LUIS", - "QnAMaker", - "TextAnalytics", - "ComputerVision", - "HealthDecisionSupport", - "ImmersiveReader" - ] + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ], + "defaultValue": "Audit" }, - "NotAvailableMachineState-1": { + "deny_effect-1": { "type": "String", "metadata": { - "displayName": "Status if Windows Defender is not available on machine", - "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant." 
+ "displayName": "Audit, deny or disable the execution of the policy", + "description": "Audit, deny or disable the execution of the policy" }, "allowedValues": [ - "Compliant", - "Non-Compliant" + "Audit", + "Deny", + "Disabled" ], - "defaultValue": "Compliant" + "defaultValue": "Deny" + }, + "LinuxJavaVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux Java version", + "description": "Specify a supported Java version for App Service" + }, + "defaultValue": "" } }, "policyDefinitions": [ { - "policyDefinitionReferenceId": "A vulnerability assessment solution should be enabled on your virtual machines", "groupNames": [ "New_Zealand_ISM_06.2.5.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9", + "parameters": {}, + "policyDefinitionReferenceId": "A vulnerability assessment solution should be enabled on your virtual machines", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9" }, { - "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on SQL Managed Instance", "groupNames": [ "New_Zealand_ISM_06.2.5.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a", + "parameters": {}, + "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on SQL Managed Instance", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a" }, { - "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on your SQL servers", "groupNames": [ "New_Zealand_ISM_06.2.5.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9", + "parameters": {}, + "policyDefinitionReferenceId": "Vulnerability 
assessment should be enabled on your SQL servers", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9" }, { - "policyDefinitionReferenceId": "SQL databases should have vulnerability findings resolved", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc", + "parameters": {}, + "policyDefinitionReferenceId": "SQL databases should have vulnerability findings resolved", "definitionVersion": "4.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc" }, { - "policyDefinitionReferenceId": "SQL servers on machines should have vulnerability findings resolved", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d", + "parameters": {}, + "policyDefinitionReferenceId": "SQL servers on machines should have vulnerability findings resolved", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d" }, { - "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your machines should be remediated", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", + "parameters": {}, + "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your machines should be remediated", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15" }, { - "policyDefinitionReferenceId": "Machines should have secret findings resolved", 
"groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ac7c827-eea2-4bde-acc7-9568cd320efa", + "parameters": {}, + "policyDefinitionReferenceId": "Machines should have secret findings resolved", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ac7c827-eea2-4bde-acc7-9568cd320efa" }, { - "policyDefinitionReferenceId": "Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff", + "parameters": {}, + "policyDefinitionReferenceId": "Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff" }, { - "policyDefinitionReferenceId": "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957", + "parameters": {}, + "policyDefinitionReferenceId": "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957" }, { - "policyDefinitionReferenceId": "Configure Microsoft Defender for Containers to be enabled", "groupNames": [ "New_Zealand_ISM_06.2.6.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": {}, + "policyDefinitionReferenceId": "Configure Microsoft Defender for Containers to be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f" }, { - "policyDefinitionReferenceId": "Audit virtual machines without disaster recovery configured", "groupNames": [ "New_Zealand_ISM_06.4.5.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56", + "parameters": {}, + "policyDefinitionReferenceId": "Audit virtual machines without disaster recovery configured", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56" }, { - "policyDefinitionReferenceId": "Azure Defender for App Service should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for App Service should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb" }, { - "policyDefinitionReferenceId": "Azure Defender for Azure SQL Database servers should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for Azure SQL Database servers should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2" }, { - "policyDefinitionReferenceId": "Azure Defender for Key Vault should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for Key Vault should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047" }, { - "policyDefinitionReferenceId": "Azure Defender for open-source relational databases should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for open-source relational databases should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835" }, { - "policyDefinitionReferenceId": "Azure Defender for Resource Manager should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for Resource Manager should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99" }, { - "policyDefinitionReferenceId": "Azure Defender for servers should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d", + "parameters": {}, + 
"policyDefinitionReferenceId": "Azure Defender for servers should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d" }, { - "policyDefinitionReferenceId": "Azure Defender for SQL servers on machines should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for SQL servers on machines should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b" }, { - "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9" }, { - "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9" }, { - "policyDefinitionReferenceId": 
"Azure Kubernetes Service clusters should have Defender profile enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Kubernetes Service clusters should have Defender profile enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01" }, { - "policyDefinitionReferenceId": "Microsoft Defender for Containers should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Defender for Containers should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38" }, { - "policyDefinitionReferenceId": "Microsoft Defender for Storage should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Defender for Storage should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4" }, { - "policyDefinitionReferenceId": "Microsoft Defender for APIs should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7926a6d1-b268-4586-8197-e8ae90c877d7", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Defender for APIs should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7926a6d1-b268-4586-8197-e8ae90c877d7" }, { - "policyDefinitionReferenceId": "Microsoft Defender for Azure Cosmos DB should be enabled", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/adbe85b5-83e6-4350-ab58-bf3a4f736e5e", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Defender for Azure Cosmos DB should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/adbe85b5-83e6-4350-ab58-bf3a4f736e5e" }, { - "policyDefinitionReferenceId": "Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d31e5c31-63b2-4f12-887b-e49456834fa1", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d31e5c31-63b2-4f12-887b-e49456834fa1" }, { - "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers", "groupNames": [ "New_Zealand_ISM_07.1.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38668f5-d155-42c7-ab3d-9b57b50f8fbf", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38668f5-d155-42c7-ab3d-9b57b50f8fbf" }, { - "policyDefinitionReferenceId": "Email notification for high severity alerts should be enabled", "groupNames": [ "New_Zealand_ISM_07.2.22.C.01" ], - 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899", + "parameters": {}, + "policyDefinitionReferenceId": "Email notification for high severity alerts should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899" }, { - "policyDefinitionReferenceId": "Email notification to subscription owner for high severity alerts should be enabled", "groupNames": [ "New_Zealand_ISM_07.2.22.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d", + "parameters": {}, + "policyDefinitionReferenceId": "Email notification to subscription owner for high severity alerts should be enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d" }, { - "policyDefinitionReferenceId": "Subscriptions should have a contact email address for security issues", "groupNames": [ "New_Zealand_ISM_07.2.22.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7", + "parameters": {}, + "policyDefinitionReferenceId": "Subscriptions should have a contact email address for security issues", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7" }, { - "policyDefinitionReferenceId": "API Management services should use a virtual network", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", - "definitionVersion": "1.*.*", "parameters": { "evaluatedSkuNames": { "value": "[parameters('evaluatedSkuNames-1')]" } - } + }, + "policyDefinitionReferenceId": "API 
Management services should use a virtual network", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b" }, { - "policyDefinitionReferenceId": "App Configuration should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7", + "parameters": {}, + "policyDefinitionReferenceId": "App Configuration should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7" }, { - "policyDefinitionReferenceId": "Azure API for FHIR should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce", + "parameters": {}, + "policyDefinitionReferenceId": "Azure API for FHIR should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce" }, { - "policyDefinitionReferenceId": "Azure Cache for Redis should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Cache for Redis should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d" }, { - "policyDefinitionReferenceId": "Azure Event Grid domains should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Event Grid domains should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca" }, { - "policyDefinitionReferenceId": "Azure Event Grid topics should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Event Grid topics should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f" }, { - "policyDefinitionReferenceId": "Azure Key Vaults should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", - "definitionVersion": "1.*.*", "parameters": { "audit_effect": { "value": "[parameters('audit_effect-1')]" } - } + }, + "policyDefinitionReferenceId": "Azure Key Vaults should use private link", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9" }, { - "policyDefinitionReferenceId": "Azure Machine Learning workspaces should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Machine Learning workspaces should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b" }, { - "policyDefinitionReferenceId": "Azure SignalR Service should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SignalR Service should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234" }, { - "policyDefinitionReferenceId": "Azure Spring Cloud should use network injection", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4", - "definitionVersion": "1.*.*", "parameters": { "evaluatedSkuNames": { "value": "[parameters('evaluatedSkuNames-2')]" } - } + }, + "policyDefinitionReferenceId": "Azure Spring Cloud should use network injection", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4" }, { - "policyDefinitionReferenceId": "Container registries should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4", + "parameters": {}, + "policyDefinitionReferenceId": "Container registries should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4" }, { - "policyDefinitionReferenceId": "Private endpoint connections on Azure SQL Database should be enabled", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed", + "parameters": {}, + "policyDefinitionReferenceId": "Private endpoint connections on Azure SQL Database should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed" }, { - "policyDefinitionReferenceId": "Private endpoint connections on Batch accounts should be enabled", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563", + "parameters": {}, + "policyDefinitionReferenceId": "Private endpoint connections on Batch accounts should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563" }, { - "policyDefinitionReferenceId": "Private endpoint should be enabled for MariaDB servers", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990", + "parameters": {}, + "policyDefinitionReferenceId": "Private endpoint should be enabled for MariaDB servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990" }, { - "policyDefinitionReferenceId": "Private endpoint should be enabled for MySQL servers", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49", + "parameters": {}, + "policyDefinitionReferenceId": "Private endpoint should be enabled for MySQL servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49" }, { - "policyDefinitionReferenceId": "Private endpoint should be enabled for PostgreSQL servers", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b", + "parameters": {}, + "policyDefinitionReferenceId": "Private endpoint should be enabled for PostgreSQL servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b" }, { - "policyDefinitionReferenceId": "Public network access should be disabled for MySQL flexible servers", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access should be disabled for MySQL flexible servers", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052" }, { - "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL flexible servers", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL flexible servers", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48" }, { - "policyDefinitionReferenceId": "Storage accounts should restrict network access using virtual network rules", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "parameters": {}, + "policyDefinitionReferenceId": "Storage accounts should restrict network access using virtual network rules", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f" }, { - "policyDefinitionReferenceId": "Storage accounts should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9", + "parameters": {}, + "policyDefinitionReferenceId": "Storage accounts should use private link", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9" }, { - "policyDefinitionReferenceId": "VM Image Builder templates should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa", + "parameters": {}, + "policyDefinitionReferenceId": "VM Image Builder templates should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa" }, { - "policyDefinitionReferenceId": "Azure Databricks Clusters should disable public IP", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Databricks Clusters should disable public IP", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753" }, { - 
"policyDefinitionReferenceId": "Azure Databricks Workspaces should disable public network access", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Databricks Workspaces should disable public network access", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2" }, { - "policyDefinitionReferenceId": "Azure Databricks Workspaces should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/258823f2-4595-4b52-b333-cc96192710d8", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Databricks Workspaces should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/258823f2-4595-4b52-b333-cc96192710d8" }, { - "policyDefinitionReferenceId": "Azure Machine Learning Workspaces should disable public network access", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Machine Learning Workspaces should disable public network access", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce" }, { - "policyDefinitionReferenceId": "Azure Cosmos DB should disable public network access", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Cosmos DB should 
disable public network access", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a" }, { - "policyDefinitionReferenceId": "Azure Databricks Workspaces should be in a virtual network", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c25c9e4-ee12-4882-afd2-11fb9d87893f", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Databricks Workspaces should be in a virtual network", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c25c9e4-ee12-4882-afd2-11fb9d87893f" }, { - "policyDefinitionReferenceId": "Azure SQL Managed Instances should disable public network access", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Managed Instances should disable public network access", "definitionVersion": "1.*.*", - "parameters": {} - }, - { - "policyDefinitionReferenceId": "Cognitive Services should use private link", - "groupNames": [ - "New_Zealand_ISM_10.8.35.C.01" - ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01", - "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91" }, { - "policyDefinitionReferenceId": "API Management should disable public network access to the service configuration endpoints", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", - "definitionVersion": "1.*.*", "parameters": { "endpointType": { "value": 
"[parameters('endpointType-1')]" } - } + }, + "policyDefinitionReferenceId": "API Management should disable public network access to the service configuration endpoints", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd" }, { - "policyDefinitionReferenceId": "CosmosDB accounts should use private link", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7", + "parameters": {}, + "policyDefinitionReferenceId": "CosmosDB accounts should use private link", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7" }, { - "policyDefinitionReferenceId": "Azure Machine Learning Computes should be in a virtual network", "groupNames": [ "New_Zealand_ISM_10.8.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Machine Learning Computes should be in a virtual network", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1" }, { - "policyDefinitionReferenceId": "Machines should be configured to periodically check for missing system updates", "groupNames": [ "New_Zealand_ISM_12.4.4.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9", + "parameters": {}, + "policyDefinitionReferenceId": "Machines should be configured to periodically check for missing system updates", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9" }, { - 
"policyDefinitionReferenceId": "Azure Machine Learning compute instances should be recreated to get the latest software updates", "groupNames": [ "New_Zealand_ISM_12.4.4.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", - "definitionVersion": "1.*.*", "parameters": { "effects": { "value": "[parameters('audit_effect-1')]" } - } + }, + "policyDefinitionReferenceId": "Azure Machine Learning compute instances should be recreated to get the latest software updates", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2" }, { - "policyDefinitionReferenceId": "App Service apps should have remote debugging turned off", "groupNames": [ "New_Zealand_ISM_14.1.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should have remote debugging turned off", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71" }, { - "policyDefinitionReferenceId": "Function apps should have remote debugging turned off", "groupNames": [ "New_Zealand_ISM_14.1.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should have remote debugging turned off", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9" }, { - "policyDefinitionReferenceId": "Management ports should be closed on your virtual machines", "groupNames": [ "New_Zealand_ISM_14.1.8.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", + "parameters": {}, + "policyDefinitionReferenceId": "Management ports should be closed on your virtual machines", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917" }, { - "policyDefinitionReferenceId": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d" }, { + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "parameters": {}, "policyDefinitionReferenceId": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457" + }, + { "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457", + "parameters": {}, + "policyDefinitionReferenceId": "Endpoint protection health issues should be resolved on your machines", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2" }, { - "policyDefinitionReferenceId": "Guest Configuration extension should be installed on your machines", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c", + "parameters": {}, + "policyDefinitionReferenceId": "Endpoint protection should be installed on your machines", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8" + }, + { + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "parameters": {}, + "policyDefinitionReferenceId": "Endpoint protection solution should be installed on virtual machine scale sets", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de" + }, + { + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "parameters": {}, + "policyDefinitionReferenceId": "Guest Configuration extension should be installed on your machines", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c" }, { - "policyDefinitionReferenceId": "Kubernetes cluster containers should not share host process ID or host IPC namespace", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", - "definitionVersion": "5.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "excludedImages": { - "value": "[parameters('excludedImages-1')]" + "source": { + "value": "[parameters('source-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" }, "labelSelector": { "value": "[parameters('labelSelector-1')]" }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, "namespaces": { "value": "[parameters('namespaces-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes cluster containers should not share host process ID or host IPC namespace", + "definitionVersion": 
"5.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8" }, { - "policyDefinitionReferenceId": "Kubernetes cluster containers should run with a read only root file system", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80", - "definitionVersion": "6.*.*", "parameters": { - "warn": { - "value": "[parameters('warn-1')]" - }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "namespaces": { - "value": "[parameters('namespaces-1')]" + "source": { + "value": "[parameters('source-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" }, "excludedContainers": { "value": "[parameters('excludedContainers-1')]" 
@@ -1275,24 +1337,27 @@ "excludedImages": { "value": "[parameters('excludedImages-1')]" }, - "labelSelector": { - "value": "[parameters('labelSelector-1')]" + "namespaces": { + "value": "[parameters('namespaces-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes cluster containers should run with a read only root file system", + "definitionVersion": "6.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80" }, { - "policyDefinitionReferenceId": "Kubernetes cluster should not allow privileged containers", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", - "definitionVersion": "9.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "excludedImages": { - "value": "[parameters('excludedImages-1')]" + "source": { + "value": "[parameters('source-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" }, "labelSelector": { "value": "[parameters('labelSelector-1')]" 
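Review bot: Moving `policyDefinitionReferenceId`, `definitionVersion` and `policyDefinitionId` to the end of every policy reference, and shuffling the `parameters` map (here `labelSelector` and `namespaces` trade places and `source`/`warn` land between `excludedNamespaces` and `labelSelector`), is a pure key-order change that JSON consumers ignore but that turns a handful of substantive edits into a 2000-line diff. The same pattern runs through `@@ -1300,65 +1365,89 @@` and `@@ -1366,741 +1455,759 @@`, and even after the rewrite sibling entries disagree with each other (compare the `namespaces, warn, source` order in the HTTPS entry with `source, warn, … namespaces` in the privileged-containers entry), so the generator does not appear to emit a canonical order. Emitting the reference keys in one fixed order and sorting parameter keys would leave only the real changes visible — the new `source`/`warn`/`effect` wiring and the added or removed policy references — which is what a reviewer of a compliance initiative actually needs to audit. Both objects touched by this hunk start or end outside it.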
@@ -1300,65 +1365,89 @@ "excludedContainers": { "value": "[parameters('excludedContainers-1')]" }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, "namespaces": { "value": "[parameters('namespaces-1')]" + }, + "effect": { + "value": "[parameters('audit-effect-2')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes cluster should not allow privileged containers", + "definitionVersion": "9.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4" }, { - "policyDefinitionReferenceId": "Kubernetes clusters should be accessible only over HTTPS", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "definitionVersion": "8.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" + }, + "source": { + "value": "[parameters('source-1')]" + }, "labelSelector": { "value": "[parameters('labelSelector-1')]" }, - "namespaces": { - "value": "[parameters('namespaces-1')]" + "effect": { + "value": "[parameters('audit-effect-2')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes clusters should be accessible only over HTTPS", + "definitionVersion": "8.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d" }, { - "policyDefinitionReferenceId": "Kubernetes clusters should disable automounting API credentials", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423", - "definitionVersion": "4.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "excludedImages": { - "value": 
"[parameters('excludedImages-1')]" + "source": { + "value": "[parameters('source-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" }, "labelSelector": { "value": "[parameters('labelSelector-1')]" }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, "namespaces": { "value": "[parameters('namespaces-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes clusters should disable automounting API credentials", + "definitionVersion": "4.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423" }, { - "policyDefinitionReferenceId": "Kubernetes clusters should not allow container privilege escalation", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", - "definitionVersion": "7.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "excludedImages": { - "value": "[parameters('excludedImages-1')]" + "source": { + "value": "[parameters('source-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" }, "labelSelector": { "value": "[parameters('labelSelector-1')]" 
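Review bot: The two new `effect` entries in this hunk (privileged containers and HTTPS-only) reference `[parameters('audit-effect-2')]`, a hyphenated name that does not match the `audit_effect-1` convention used by the other references visible in this file; an initiative parameter that is referenced but not declared fails validation of the set definition, so if the declaration (outside this hunk) is spelled `audit_effect-2` the two lines should read `"value": "[parameters('audit_effect-2')]"`, and otherwise the declaration and its `defaultValue`/`allowedValues` should be confirmed. These two policies are Kubernetes admission-control rules, so the declared default of that parameter presumably decides whether the initiative only reports privileged containers and plain-HTTP ingress or blocks them at admission — worth confirming rather than inferring from the name. The hunk also wires `source` and `warn` into the automount-credentials entry; their defaults (`source-1`, `warn-1`) are likewise declared outside the view. The privileged-containers object begins in the previous hunk and the automount object continues into the next.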
@@ -1366,741 +1455,759 @@ "excludedContainers": { "value": "[parameters('excludedContainers-1')]" }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, "namespaces": { "value": "[parameters('namespaces-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes clusters should not allow container privilege escalation", + "definitionVersion": "7.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99" }, { - "policyDefinitionReferenceId": "Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626", - "definitionVersion": "5.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "excludedImages": { - "value": "[parameters('excludedImages-1')]" - }, - "labelSelector": { - "value": "[parameters('labelSelector-1')]" - }, "excludedContainers": { "value": "[parameters('excludedContainers-1')]" }, "namespaces": { "value": "[parameters('namespaces-1')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities", + "definitionVersion": "5.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626" }, { - "policyDefinitionReferenceId": "Kubernetes clusters should not use the default namespace", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", - "definitionVersion": "4.*.*", "parameters": { "excludedNamespaces": { "value": "[parameters('excludedNamespaces-1')]" }, - "labelSelector": { - 
"value": "[parameters('labelSelector-1')]" - }, "namespaces": { "value": "[parameters('namespaces-1')]" + }, + "warn": { + "value": "[parameters('warn-1')]" + }, + "source": { + "value": "[parameters('source-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" } - } + }, + "policyDefinitionReferenceId": "Kubernetes clusters should not use the default namespace", + "definitionVersion": "4.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373" }, { - "policyDefinitionReferenceId": "Management ports of virtual machines should be protected with just-in-time network access control", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c", + "parameters": {}, + "policyDefinitionReferenceId": "Management ports of virtual machines should be protected with just-in-time network access control", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c" }, { - "policyDefinitionReferenceId": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57" }, { - "policyDefinitionReferenceId": "Microsoft IaaSAntimalware extension should be deployed on Windows servers", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257", + "parameters": {}, + "policyDefinitionReferenceId": "Microsoft IaaSAntimalware extension should be deployed on Windows servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257" + }, + { + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "parameters": {}, + "policyDefinitionReferenceId": "Monitor missing Endpoint Protection in Azure Security Center", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9" }, { - "policyDefinitionReferenceId": "Virtual machines- Guest Configuration extension should be deployed with system-assigned managed identity", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a", + "parameters": {}, + "policyDefinitionReferenceId": "Virtual machines- Guest Configuration extension should be deployed with system-assigned managed identity", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a" }, { - "policyDefinitionReferenceId": "Windows Defender Exploit Guard should be enabled on your machines", "groupNames": [ "New_Zealand_ISM_14.1.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40", - "definitionVersion": "2.*.*", "parameters": { - "IncludeArcMachines": { - "value": "[parameters('IncludeArcMachines-1')]" - }, "NotAvailableMachineState": { "value": "[parameters('NotAvailableMachineState-1')]" + }, + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines-1')]" } - } + }, + "policyDefinitionReferenceId": "Windows Defender Exploit Guard 
should be enabled on your machines", + "definitionVersion": "2.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40" }, { - "policyDefinitionReferenceId": "App Service apps should have authentication enabled", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should have authentication enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc" }, { - "policyDefinitionReferenceId": "App Service apps should not have CORS configured to allow every resource to access your apps", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should not have CORS configured to allow every resource to access your apps", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9" }, { - "policyDefinitionReferenceId": "App Service apps should only be accessible over HTTPS", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should only be accessible over HTTPS", "definitionVersion": "4.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d" }, { - "policyDefinitionReferenceId": "App Service apps should require FTPS only", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], 
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should require FTPS only", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b" }, { - "policyDefinitionReferenceId": "App Service apps should use latest -HTTP Version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should use latest -HTTP Version-", "definitionVersion": "4.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae" }, { - "policyDefinitionReferenceId": "App Service apps that use Java should use a specified -Java version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed", - "definitionVersion": "3.*.*", "parameters": { "LinuxJavaVersion": { "value": "[parameters('LinuxJavaVersion-1')]" } - } + }, + "policyDefinitionReferenceId": "App Service apps that use Java should use a specified -Java version-", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed" }, { - "policyDefinitionReferenceId": "App Service apps that use PHP should use a specified -PHP version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3", - "definitionVersion": "3.*.*", "parameters": { "LinuxPHPVersion": { "value": "[parameters('LinuxPHPVersion-1')]" } - } + }, + "policyDefinitionReferenceId": 
"App Service apps that use PHP should use a specified -PHP version-", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3" }, { - "policyDefinitionReferenceId": "App Service apps that use Python should use a specified -Python version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73", - "definitionVersion": "4.*.*", "parameters": { "LinuxPythonVersion": { "value": "[parameters('LinuxPythonVersion-1')]" } - } + }, + "policyDefinitionReferenceId": "App Service apps that use Python should use a specified -Python version-", + "definitionVersion": "4.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73" }, { - "policyDefinitionReferenceId": "Function apps should have authentication enabled", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should have authentication enabled", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8" }, { - "policyDefinitionReferenceId": "Function apps should not have CORS configured to allow every resource to access your apps", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should not have CORS configured to allow every resource to access your apps", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5" }, { - "policyDefinitionReferenceId": "Function apps should only be accessible over HTTPS", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should only be accessible over HTTPS", "definitionVersion": "5.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab" }, { - "policyDefinitionReferenceId": "Function apps should require FTPS only", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should require FTPS only", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15" }, { - "policyDefinitionReferenceId": "Function apps should use latest -HTTP Version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should use latest -HTTP Version-", "definitionVersion": "4.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c" }, { - "policyDefinitionReferenceId": "Function apps that use Java should use a specified -Java version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc", - "definitionVersion": "3.*.*", "parameters": { "LinuxJavaVersion": { 
"value": "[parameters('LinuxJavaVersion-1')]" } - } + }, + "policyDefinitionReferenceId": "Function apps that use Java should use a specified -Java version-", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc" }, { - "policyDefinitionReferenceId": "Function apps that use Python should use a specified -Python version-", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73", - "definitionVersion": "4.*.*", "parameters": { "LinuxPythonVersion": { "value": "[parameters('LinuxPythonVersion-1')]" } - } + }, + "policyDefinitionReferenceId": "Function apps that use Python should use a specified -Python version-", + "definitionVersion": "4.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73" }, { - "policyDefinitionReferenceId": "App Service apps should have Client Certificates (Incoming client certificates) enabled", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19dd1db6-f442-49cf-a838-b0786b4401ef", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should have Client Certificates (Incoming client certificates) enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19dd1db6-f442-49cf-a838-b0786b4401ef" }, { - "policyDefinitionReferenceId": "App Service app slots should have Client Certificates (Incoming client certificates) enabled", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b0bd968-5cb5-4513-8987-27786c6f0df8", + "parameters": {}, + "policyDefinitionReferenceId": "App Service app slots should have Client Certificates (Incoming client 
certificates) enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b0bd968-5cb5-4513-8987-27786c6f0df8" }, { - "policyDefinitionReferenceId": "Function apps should have Client Certificates (Incoming client certificates) enabled", "groupNames": [ "New_Zealand_ISM_14.5.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ab6a902f-9493-453b-928d-62c30b11b5a6", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should have Client Certificates (Incoming client certificates) enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ab6a902f-9493-453b-928d-62c30b11b5a6" }, { - "policyDefinitionReferenceId": "App Service apps should use managed identity", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should use managed identity", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332" }, { - "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled during creation", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled during creation", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027" }, { - "policyDefinitionReferenceId": "Cosmos DB database accounts should have 
local authentication methods disabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "parameters": {}, + "policyDefinitionReferenceId": "Cosmos DB database accounts should have local authentication methods disabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2" }, { - "policyDefinitionReferenceId": "Function apps should use managed identity", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should use managed identity", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f" }, { - "policyDefinitionReferenceId": "Service Fabric clusters should only use Azure Active Directory for client authentication", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0", + "parameters": {}, + "policyDefinitionReferenceId": "Service Fabric clusters should only use Azure Active Directory for client authentication", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0" }, { - "policyDefinitionReferenceId": "API Management calls to API backends should be authenticated", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", + "parameters": {}, + "policyDefinitionReferenceId": "API Management calls to API backends should be 
authenticated", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54" }, { - "policyDefinitionReferenceId": "Storage accounts should prevent shared key access", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "parameters": {}, + "policyDefinitionReferenceId": "Storage accounts should prevent shared key access", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54" }, { - "policyDefinitionReferenceId": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b" }, { - "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for MySQL servers", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/146412e9-005c-472b-9e48-c87b72ac229e", + "parameters": {}, + "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for MySQL servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/146412e9-005c-472b-9e48-c87b72ac229e" }, { - "policyDefinitionReferenceId": "Synapse Workspaces should use only Microsoft Entra identities for authentication 
during workspace creation", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", + "parameters": {}, + "policyDefinitionReferenceId": "Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8" }, { - "policyDefinitionReferenceId": "Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40e85574-ef33-47e8-a854-7a65c7500560", + "parameters": {}, + "policyDefinitionReferenceId": "Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40e85574-ef33-47e8-a854-7a65c7500560" }, { - "policyDefinitionReferenceId": "Synapse Workspaces should have Microsoft Entra-only authentication enabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ea81a52-5ca7-4575-9669-eaa910b7edf8", + "parameters": {}, + "policyDefinitionReferenceId": "Synapse Workspaces should have Microsoft Entra-only authentication enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ea81a52-5ca7-4575-9669-eaa910b7edf8" }, { - "policyDefinitionReferenceId": "Azure AI Services resources should have key access disabled (disable local authentication)", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + 
"parameters": {}, + "policyDefinitionReferenceId": "Azure AI Services resources should have key access disabled (disable local authentication)", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc" }, { - "policyDefinitionReferenceId": "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f" }, { - "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3a22bc9-66de-45fb-98fa-00f5df42f41a", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3a22bc9-66de-45fb-98fa-00f5df42f41a" }, { - "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for PostgreSQL servers", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4dec045-250a-48c2-b5cc-e0c4eec8b5b4", + "parameters": {}, + "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for PostgreSQL servers", "definitionVersion": "1.*.*", - "parameters": {} + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4dec045-250a-48c2-b5cc-e0c4eec8b5b4" }, { - "policyDefinitionReferenceId": "Azure Machine Learning Computes should have local authentication methods disabled", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Machine Learning Computes should have local authentication methods disabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f" }, { - "policyDefinitionReferenceId": "API endpoints in Azure API Management should be authenticated", "groupNames": [ "New_Zealand_ISM_16.1.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac833bd-f505-48d5-887e-c993a1d3eea0", + "parameters": {}, + "policyDefinitionReferenceId": "API endpoints in Azure API Management should be authenticated", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac833bd-f505-48d5-887e-c993a1d3eea0" }, { - "policyDefinitionReferenceId": "A maximum of 3 owners should be designated for your subscription", "groupNames": [ "New_Zealand_ISM_16.3.5.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c", + "parameters": {}, + "policyDefinitionReferenceId": "A maximum of 3 owners should be designated for your subscription", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c" }, { - "policyDefinitionReferenceId": "Blocked accounts with owner permissions on Azure resources should be removed", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5", + "parameters": {}, + "policyDefinitionReferenceId": "Blocked accounts with owner permissions on Azure resources should be removed", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5" }, { - "policyDefinitionReferenceId": "Blocked accounts with read and write permissions on Azure resources should be removed", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be", + "parameters": {}, + "policyDefinitionReferenceId": "Blocked accounts with read and write permissions on Azure resources should be removed", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be" }, { - "policyDefinitionReferenceId": "Guest accounts with owner permissions on Azure resources should be removed", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046", + "parameters": {}, + "policyDefinitionReferenceId": "Guest accounts with owner permissions on Azure resources should be removed", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046" }, { - "policyDefinitionReferenceId": "Guest accounts with read permissions on Azure resources should be removed", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52", + "parameters": {}, + "policyDefinitionReferenceId": "Guest accounts with read permissions on Azure resources should be 
removed", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52" }, { - "policyDefinitionReferenceId": "Guest accounts with write permissions on Azure resources should be removed", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87", + "parameters": {}, + "policyDefinitionReferenceId": "Guest accounts with write permissions on Azure resources should be removed", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87" }, { - "policyDefinitionReferenceId": "There should be more than one owner assigned to your subscription", "groupNames": [ "New_Zealand_ISM_16.4.30.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b", + "parameters": {}, + "policyDefinitionReferenceId": "There should be more than one owner assigned to your subscription", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b" }, { - "policyDefinitionReferenceId": "An Azure Active Directory administrator should be provisioned for SQL servers", "groupNames": [ "New_Zealand_ISM_16.4.32.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9", + "parameters": {}, + "policyDefinitionReferenceId": "An Azure Active Directory administrator should be provisioned for SQL servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9" }, { - "policyDefinitionReferenceId": "API Management APIs should use only encrypted protocols", 
"groupNames": [ "New_Zealand_ISM_17.1.55.C.03" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", + "parameters": {}, + "policyDefinitionReferenceId": "API Management APIs should use only encrypted protocols", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4" }, { - "policyDefinitionReferenceId": "Key Vault keys should have an expiration date", "groupNames": [ "New_Zealand_ISM_17.1.58.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "parameters": {}, + "policyDefinitionReferenceId": "Key Vault keys should have an expiration date", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0" }, { - "policyDefinitionReferenceId": "Key Vault secrets should have an expiration date", "groupNames": [ "New_Zealand_ISM_17.1.58.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "parameters": {}, + "policyDefinitionReferenceId": "Key Vault secrets should have an expiration date", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37" }, { - "policyDefinitionReferenceId": "Storage account keys should not be expired", "groupNames": [ "New_Zealand_ISM_17.1.58.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "parameters": {}, + "policyDefinitionReferenceId": "Storage account keys should not be expired", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537" }, { - "policyDefinitionReferenceId": "Keys using RSA cryptography should have a specified minimum key size", "groupNames": [ "New_Zealand_ISM_17.2.19.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", - "definitionVersion": "1.*.*", "parameters": { "minimumRSAKeySize": { "value": "[parameters('minimumRSAKeySize-1')]" } - } + }, + "policyDefinitionReferenceId": "Keys using RSA cryptography should have a specified minimum key size", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9" }, { - "policyDefinitionReferenceId": "Keys using elliptic curve cryptography should have the specified curve names", "groupNames": [ "New_Zealand_ISM_17.2.22.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", - "definitionVersion": "1.*.*", "parameters": { "allowedECNames": { "value": "[parameters('allowedECNames-1')]" } - } + }, + "policyDefinitionReferenceId": "Keys using elliptic curve cryptography should have the specified curve names", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255" }, { - "policyDefinitionReferenceId": "Certificates using RSA cryptography should have the specified minimum key size", "groupNames": [ "New_Zealand_ISM_17.2.24.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", - "definitionVersion": "2.*.*", "parameters": { "minimumRSAKeySize": { "value": "[parameters('minimumRSAKeySize-1')]" } - } + }, + "policyDefinitionReferenceId": "Certificates using RSA cryptography should have the specified minimum key size", + "definitionVersion": "2.*.*", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0" }, { - "policyDefinitionReferenceId": "App Service apps should use the latest TLS version", "groupNames": [ "New_Zealand_ISM_17.4.16.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": {}, + "policyDefinitionReferenceId": "App Service apps should use the latest TLS version", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b" }, { - "policyDefinitionReferenceId": "Function apps should use the latest TLS version", "groupNames": [ "New_Zealand_ISM_17.4.16.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": {}, + "policyDefinitionReferenceId": "Function apps should use the latest TLS version", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193" }, { - "policyDefinitionReferenceId": "Windows machines should be configured to use secure communication protocols", "groupNames": [ "New_Zealand_ISM_17.4.16.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112", - "definitionVersion": "4.*.*", "parameters": { - "IncludeArcMachines": { - "value": "[parameters('IncludeArcMachines-1')]" - }, "MinimumTLSVersion": { "value": "[parameters('MinimumTLSVersion-1')]" + }, + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines-1')]" } - } + }, + "policyDefinitionReferenceId": "Windows machines should be configured to use secure communication protocols", + "definitionVersion": "4.*.*", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112" }, { - "policyDefinitionReferenceId": "Azure SQL Database should be running TLS version 1.2 or newer", "groupNames": [ "New_Zealand_ISM_17.4.16.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "parameters": {}, + "policyDefinitionReferenceId": "Azure SQL Database should be running TLS version 1.2 or newer", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf" }, { - "policyDefinitionReferenceId": "Storage accounts should have the specified minimum TLS version", "groupNames": [ "New_Zealand_ISM_17.4.16.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", - "definitionVersion": "1.*.*", "parameters": { "minimumTlsVersion": { "value": "[parameters('minimumTlsVersion-2')]" } - } + }, + "policyDefinitionReferenceId": "Storage accounts should have the specified minimum TLS version", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0" }, { - "policyDefinitionReferenceId": "IP Forwarding on your virtual machine should be disabled", "groupNames": [ "New_Zealand_ISM_17.5.6.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744", + "parameters": {}, + "policyDefinitionReferenceId": "IP Forwarding on your virtual machine should be disabled", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744" }, { - "policyDefinitionReferenceId": "Authentication to Linux machines should require SSH keys", "groupNames": [ "New_Zealand_ISM_17.5.7.C.01" ], - 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6", - "definitionVersion": "3.*.*", "parameters": { "IncludeArcMachines": { "value": "[parameters('IncludeArcMachines-1')]" } - } + }, + "policyDefinitionReferenceId": "Authentication to Linux machines should require SSH keys", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6" }, { - "policyDefinitionReferenceId": "Azure Key Vault should use RBAC permission model", "groupNames": [ "New_Zealand_ISM_17.9.35.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Key Vault should use RBAC permission model", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5" }, { - "policyDefinitionReferenceId": "API Management secret named values should be stored in Azure Key Vault", "groupNames": [ "New_Zealand_ISM_17.9.36.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", + "parameters": {}, + "policyDefinitionReferenceId": "API Management secret named values should be stored in Azure Key Vault", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249" }, { - "policyDefinitionReferenceId": "All network ports should be restricted on network security groups associated to your virtual machine", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6", + "parameters": {}, + "policyDefinitionReferenceId": "All network ports should be restricted on network 
security groups associated to your virtual machine", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6" }, { - "policyDefinitionReferenceId": "Authorized IP ranges should be defined on Kubernetes Services", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea", + "parameters": {}, + "policyDefinitionReferenceId": "Authorized IP ranges should be defined on Kubernetes Services", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea" }, { - "policyDefinitionReferenceId": "Azure AI Services resources should restrict network access", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "parameters": {}, + "policyDefinitionReferenceId": "Azure AI Services resources should restrict network access", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3" }, { - "policyDefinitionReferenceId": "Azure Cosmos DB accounts should have firewall rules", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", - "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[parameters('deny_effect-1')]" } - } + }, + "policyDefinitionReferenceId": "Azure Cosmos DB accounts should have firewall rules", + "definitionVersion": "2.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb" }, { - "policyDefinitionReferenceId": "Azure Key Vault should have 
firewall enabled", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "definitionVersion": "3.*.*", "parameters": { "allowedIPAddresses": { "value": "[parameters('allowedIPAddresses-1')]" 
@@ -2111,672 +2218,676 @@ "restrictIPAddresses": { "value": "[parameters('restrictIPAddresses-1')]" } - } + }, + "policyDefinitionReferenceId": "Azure Key Vault should have firewall enabled", + "definitionVersion": "3.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490" }, { - "policyDefinitionReferenceId": "Container registries should not allow unrestricted network access", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "parameters": {}, + "policyDefinitionReferenceId": "Container registries should not allow unrestricted network access", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71" }, { - "policyDefinitionReferenceId": "CORS should not allow every domain to access your API for FHIR", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d", + "parameters": {}, + "policyDefinitionReferenceId": "CORS should not allow every domain to access your API for FHIR", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d" }, { - "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for MySQL database servers", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d", + "parameters": {}, + "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for MySQL database servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d" }, { - "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for PostgreSQL database servers", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af", + "parameters": {}, + "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for PostgreSQL database servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af" }, { - "policyDefinitionReferenceId": "Internet-facing virtual machines should be protected with network security groups", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c", + "parameters": {}, + "policyDefinitionReferenceId": "Internet-facing virtual machines should be protected with network security groups", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c" }, { - "policyDefinitionReferenceId": "Non-internet-facing virtual machines should be protected with network security groups", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6", + "parameters": {}, + "policyDefinitionReferenceId": "Non-internet-facing virtual machines should be protected with network security groups", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6" }, { - "policyDefinitionReferenceId": "Only secure connections to your Azure Cache for Redis should be enabled", "groupNames": [ 
"New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb", + "parameters": {}, + "policyDefinitionReferenceId": "Only secure connections to your Azure Cache for Redis should be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb" }, { - "policyDefinitionReferenceId": "Public network access on Azure SQL Database should be disabled", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access on Azure SQL Database should be disabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780" }, { - "policyDefinitionReferenceId": "Public network access should be disabled for MariaDB servers", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access should be disabled for MariaDB servers", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077" }, { - "policyDefinitionReferenceId": "Public network access should be disabled for MySQL servers", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access should be disabled for MySQL servers", "definitionVersion": "2.*.*", - "parameters": {} + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095" }, { - "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL servers", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "parameters": {}, + "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL servers", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c" }, { - "policyDefinitionReferenceId": "Secure transfer to storage accounts should be enabled", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "parameters": {}, + "policyDefinitionReferenceId": "Secure transfer to storage accounts should be enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9" }, { - "policyDefinitionReferenceId": "Storage accounts should restrict network access", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "parameters": {}, + "policyDefinitionReferenceId": "Storage accounts should restrict network access", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c" }, { - "policyDefinitionReferenceId": "Subnets should be associated with a Network Security Group", "groupNames": [ "New_Zealand_ISM_18.1.13.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517", 
+ "parameters": {}, + "policyDefinitionReferenceId": "Subnets should be associated with a Network Security Group", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517" }, { - "policyDefinitionReferenceId": "Azure DDoS Protection should be enabled", "groupNames": [ "New_Zealand_ISM_18.4.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd", + "parameters": {}, + "policyDefinitionReferenceId": "Azure DDoS Protection should be enabled", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd" }, { - "policyDefinitionReferenceId": "Connection throttling should be enabled for PostgreSQL database servers", "groupNames": [ "New_Zealand_ISM_18.4.7.C.02" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd", + "parameters": {}, + "policyDefinitionReferenceId": "Connection throttling should be enabled for PostgreSQL database servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd" }, { - "policyDefinitionReferenceId": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace", "groupNames": [ "New_Zealand_ISM_18.4.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "parameters": {}, + "policyDefinitionReferenceId": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee" }, { - 
"policyDefinitionReferenceId": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points", "groupNames": [ "New_Zealand_ISM_18.4.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c" }, { - "policyDefinitionReferenceId": "Web Application Firewall (WAF) should be enabled for Application Gateway", "groupNames": [ "New_Zealand_ISM_18.4.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "parameters": {}, + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should be enabled for Application Gateway", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" }, { - "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Application Gateway", "groupNames": [ "New_Zealand_ISM_18.4.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", - "definitionVersion": "1.*.*", "parameters": { "modeRequirement": { "value": "[parameters('modeRequirement-1')]" } - } + }, + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Application Gateway", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096" }, { - "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service", "groupNames": [ 
"New_Zealand_ISM_18.4.8.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", - "definitionVersion": "1.*.*", "parameters": { "modeRequirement": { "value": "[parameters('modeRequirement-1')]" } - } + }, + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8" }, { - "policyDefinitionReferenceId": "API endpoints that are unused should be disabled and removed from the Azure API Management service", "groupNames": [ "New_Zealand_ISM_22.1.24.C.03" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c8acafaf-3d23-44d1-9624-978ef0f8652c", + "parameters": {}, + "policyDefinitionReferenceId": "API endpoints that are unused should be disabled and removed from the Azure API Management service", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c8acafaf-3d23-44d1-9624-978ef0f8652c" }, { - "policyDefinitionReferenceId": "Virtual machines and virtual machine scale sets should have encryption at host enabled", "groupNames": [ "New_Zealand_ISM_22.1.24.C.04" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "parameters": {}, + "policyDefinitionReferenceId": "Virtual machines and virtual machine scale sets should have encryption at host enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87" }, { - "policyDefinitionReferenceId": "Accounts with owner permissions on Azure resources should be MFA enabled", "groupNames": [ "New_Zealand_ISM_23.3.19.C.01" ], - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a", + "parameters": {}, + "policyDefinitionReferenceId": "Accounts with owner permissions on Azure resources should be MFA enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a" }, { - "policyDefinitionReferenceId": "Accounts with read permissions on Azure resources should be MFA enabled", "groupNames": [ "New_Zealand_ISM_23.3.19.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4", + "parameters": {}, + "policyDefinitionReferenceId": "Accounts with read permissions on Azure resources should be MFA enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4" }, { - "policyDefinitionReferenceId": "Accounts with write permissions on Azure resources should be MFA enabled", "groupNames": [ "New_Zealand_ISM_23.3.19.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52", + "parameters": {}, + "policyDefinitionReferenceId": "Accounts with write permissions on Azure resources should be MFA enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52" }, { - "policyDefinitionReferenceId": "API Management minimum API version should be set to 2019-12-01 or higher", "groupNames": [ "New_Zealand_ISM_23.4.10.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "parameters": {}, + "policyDefinitionReferenceId": "API Management minimum API version should be set to 2019-12-01 or higher", "definitionVersion": "1.*.*", - "parameters": {} + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67" }, { - "policyDefinitionReferenceId": "API Management subscriptions should not be scoped to all APIs", "groupNames": [ "New_Zealand_ISM_23.4.10.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "parameters": {}, + "policyDefinitionReferenceId": "API Management subscriptions should not be scoped to all APIs", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1" }, { - "policyDefinitionReferenceId": "API Management direct management endpoint should not be enabled", "groupNames": [ "New_Zealand_ISM_23.4.10.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "parameters": {}, + "policyDefinitionReferenceId": "API Management direct management endpoint should not be enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4" }, { - "policyDefinitionReferenceId": "API Management calls to API backends should not bypass certificate thumbprint or name validation", "groupNames": [ "New_Zealand_ISM_23.4.10.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "parameters": {}, + "policyDefinitionReferenceId": "API Management calls to API backends should not bypass certificate thumbprint or name validation", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4" }, { - "policyDefinitionReferenceId": "Automation account variables should be encrypted", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "parameters": {}, + "policyDefinitionReferenceId": "Automation account variables should be encrypted", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735" }, { - "policyDefinitionReferenceId": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f" }, { - "policyDefinitionReferenceId": "Azure Key Vault Managed HSM should have purge protection enabled", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Key Vault Managed HSM should have purge protection enabled", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383" }, { - "policyDefinitionReferenceId": "Azure Machine Learning workspaces should be encrypted with a customer-managed key", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": {}, + "policyDefinitionReferenceId": "Azure Machine Learning workspaces should be encrypted with a customer-managed key", "definitionVersion": "1.*.*", - 
"parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8" }, { - "policyDefinitionReferenceId": "Cognitive Services accounts should enable data encryption with a customer-managed key", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "definitionVersion": "2.*.*", "parameters": { "excludedKinds": { "value": "[parameters('excludedKinds-1')]" } - } + }, + "policyDefinitionReferenceId": "Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)", + "definitionVersion": "2.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d" }, { - "policyDefinitionReferenceId": "Container registries should be encrypted with a customer-managed key", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": {}, + "policyDefinitionReferenceId": "Container registries should be encrypted with a customer-managed key", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580" }, { - "policyDefinitionReferenceId": "Disk encryption should be enabled on Azure Data Explorer", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "parameters": {}, + "policyDefinitionReferenceId": "Disk encryption should be enabled on Azure Data Explorer", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e" }, { - "policyDefinitionReferenceId": "Key vaults should have deletion 
protection enabled", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "parameters": {}, + "policyDefinitionReferenceId": "Key vaults should have deletion protection enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53" }, { - "policyDefinitionReferenceId": "Key vaults should have soft delete enabled", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "parameters": {}, + "policyDefinitionReferenceId": "Key vaults should have soft delete enabled", "definitionVersion": "3.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d" }, { - "policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": {}, + "policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833" }, { - "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": {}, + "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", "definitionVersion": "1.*.*", - 
"parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274" }, { - "policyDefinitionReferenceId": "Require encryption on Data Lake Store accounts", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a", + "parameters": {}, + "policyDefinitionReferenceId": "Require encryption on Data Lake Store accounts", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a" }, { - "policyDefinitionReferenceId": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", + "parameters": {}, + "policyDefinitionReferenceId": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68" }, { - "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "parameters": {}, + "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2" }, { - "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest", "groupNames": [ 
"New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": {}, + "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8" }, { - "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": {}, + "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25" }, { - "policyDefinitionReferenceId": "Transparent Data Encryption on SQL databases should be enabled", "groupNames": [ "New_Zealand_ISM_23.4.9.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", + "parameters": {}, + "policyDefinitionReferenceId": "Transparent Data Encryption on SQL databases should be enabled", "definitionVersion": "2.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12" }, { - "policyDefinitionReferenceId": "App Service apps should have resource logs enabled", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510", - "definitionVersion": "2.*.*", "parameters": { "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-1')]" } - } + }, + "policyDefinitionReferenceId": "App Service apps 
should have resource logs enabled", + "definitionVersion": "2.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510" }, { - "policyDefinitionReferenceId": "Audit usage of custom RBAC roles", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5", + "parameters": {}, + "policyDefinitionReferenceId": "Audit usage of custom RBAC roles", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5" }, { - "policyDefinitionReferenceId": "Auditing on SQL server should be enabled", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", - "definitionVersion": "2.*.*", "parameters": { "setting": { "value": "[parameters('setting-1')]" } - } + }, + "policyDefinitionReferenceId": "Auditing on SQL server should be enabled", + "definitionVersion": "2.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" }, { - "policyDefinitionReferenceId": "Disconnections should be logged for PostgreSQL database servers.", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446", + "parameters": {}, + "policyDefinitionReferenceId": "Disconnections should be logged for PostgreSQL database servers.", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446" }, { - "policyDefinitionReferenceId": "Log connections should be enabled for PostgreSQL database servers", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442", + "parameters": {}, + "policyDefinitionReferenceId": "Log connections should be enabled for PostgreSQL database servers", "definitionVersion": "1.*.*", - "parameters": {} + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442" }, { - "policyDefinitionReferenceId": "Resource logs in Azure Data Lake Store should be enabled", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb", - "definitionVersion": "5.*.*", "parameters": { "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-1')]" } - } + }, + "policyDefinitionReferenceId": "Resource logs in Azure Data Lake Store should be enabled", + "definitionVersion": "5.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb" }, { - "policyDefinitionReferenceId": "Resource logs in Azure Kubernetes Service should be enabled", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c", - "definitionVersion": "1.*.*", "parameters": { "requiredRetentionDays": { "value": "[parameters('requiredRetentionDays-1')]" } - } + }, + "policyDefinitionReferenceId": "Resource logs in Azure Kubernetes Service should be enabled", + "definitionVersion": "1.*.*", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c" }, { - "policyDefinitionReferenceId": "Resource logs in Azure Stream Analytics should be enabled", "groupNames": [ "New_Zealand_ISM_23.5.11.C.01" ], - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46", - "definitionVersion": "5.*.*", 
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Azure Stream Analytics should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Batch accounts should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Batch accounts should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Data Lake Analytics should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Data Lake Analytics should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Event Hub should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Event Hub should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in IoT Hub should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
- "definitionVersion": "3.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in IoT Hub should be enabled",
+ "definitionVersion": "3.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Key Vault should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Key Vault should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Logic Apps should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Logic Apps should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Search services should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Search services should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Service Bus should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
- "definitionVersion": "5.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Service Bus should be enabled",
+ "definitionVersion": "5.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45"
  },
  {
- "policyDefinitionReferenceId": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
+ "parameters": {},
+ "policyDefinitionReferenceId": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher",
  "definitionVersion": "3.*.*",
- "parameters": {}
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743"
  },
  {
- "policyDefinitionReferenceId": "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6283572-73bb-4deb-bf2c-7a2b8f7462cb",
+ "parameters": {},
+ "policyDefinitionReferenceId": "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan",
  "definitionVersion": "1.*.*",
- "parameters": {}
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6283572-73bb-4deb-bf2c-7a2b8f7462cb"
  },
  {
- "policyDefinitionReferenceId": "Resource logs in Azure Machine Learning Workspaces should be enabled",
  "groupNames": [
  "New_Zealand_ISM_23.5.11.C.01"
  ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
- "definitionVersion": "1.*.*",
  "parameters": {
  "requiredRetentionDays": {
  "value": "[parameters('requiredRetentionDays-1')]"
  }
- }
+ },
+ "policyDefinitionReferenceId": "Resource logs in Azure Machine Learning Workspaces should be enabled",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6"
  }
  ],
  "versions": [
+ "1.5.0",
  "1.4.0",
  "1.3.0",
  "1.2.1",