Built-in Policy Release b05e19b7 (#831)

Co-authored-by: Azure Policy Bot <[email protected]>

Author: pilor

built-in-policies/policyDefinitions/Automation/AutomationAccount_DisableLocalAuth_Audit.json

@@ -0,0 +1,46 @@
+{
+    "properties": {
+        "displayName": "Azure Automation account should have local authentication method disabled",
+        "policyType": "BuiltIn",
+        "mode": "Indexed",
+        "description": "Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Automation"
+        },
+        "parameters": {
+            "effect": {
+                "type": "String",
+                "defaultValue": "Audit",
+                "allowedValues": [
+                    "Audit",
+                    "Deny",
+                    "Disabled"
+                ],
+                "metadata": {
+                    "displayName": "Effect",
+                    "description": "Enable or disable the execution of the policy"
+                }
+            }
+        },
+        "policyRule": {
+            "if": {
+                "allOf": [
+                    {
+                        "field": "type",
+                        "equals": "Microsoft.Automation/automationAccounts"
+                    },
+                    {
+                        "field": "Microsoft.Automation/automationAccounts/disableLocalAuth",
+                        "notEquals": true
+                    }
+                ]
+            },
+            "then": {
+                "effect": "[parameters('effect')]"
+            }
+        }
+    },
+    "id": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", 
+    "name": "48c5f1cb-14ad-4797-8e3b-f78ab3f8d700"
+}

built-in-policies/policyDefinitions/Automation/AutomationAccount_DisableLocalAuth_Modify.json

@@ -0,0 +1,59 @@
+{
+    "properties": {
+        "displayName": "Configure Azure Automation account to disable local authentication",
+        "policyType": "BuiltIn",
+        "mode": "Indexed",
+        "description": "Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Automation"
+        },
+        "parameters": {
+            "effect": {
+                "type": "String",
+                "defaultValue": "Modify",
+                 "allowedValues": [
+                    "Modify",
+                    "Disabled"
+                ],
+                "metadata": {
+                    "displayName": "Effect",
+                    "description": "Enable or disable the execution of the policy"
+                }
+            }
+        },
+        "policyRule": {
+            "if": {
+                "allOf": [
+                    {
+                        "field": "type",
+                        "equals": "Microsoft.Automation/automationAccounts"
+                    },
+                    {
+                        "field": "Microsoft.Automation/automationAccounts/disableLocalAuth",
+                        "notEquals": true
+                    }
+                ]
+            },
+            "then": {
+                "effect": "[parameters('effect')]",
+                "details": {
+                    "conflictEffect": "audit",
+                    "roleDefinitionIds": [
+                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+                    ],
+                    "operations": [
+                        {
+                            "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-06-22')]",
+                            "operation": "addOrReplace",
+                            "field": "Microsoft.Automation/automationAccounts/disableLocalAuth",
+                            "value": true
+                        }
+                    ]
+                }
+            }
+        }
+    },
+    "id": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", 
+    "name": "30d1d58e-8f96-47a5-8564-499a3f3cca81"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedUsersGroups.json

@@ -5,7 +5,7 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "4.0.1",
+      "version": "4.0.2",
       "category": "Kubernetes"
     },
     "parameters": {
@@ -105,7 +105,7 @@
         "type": "String",
         "metadata": {
           "displayName": "Run as user rule",
-          "description": "The 'RunAsUser' rule that containers are allowed to run with."
+          "description": "The 'RunAsUser' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MustRunAsNonRoot requires the pod be submitted with non-zero runAsUser or have USER directive defined (using a numeric UID) in the image. RunAsAny allows any runAsUser to be specified"
         },
         "allowedValues": [
           "MustRunAs",
@@ -156,7 +156,7 @@
         "type": "String",
         "metadata": {
           "displayName": "Run as group rule",
-          "description": "The 'RunAsGroup' rule that containers are allowed to run with."
+          "description": "The 'RunAsGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'RunAsGroup' be specified. RunAsAny allows any"
         },
         "allowedValues": [
           "MustRunAs",
@@ -207,7 +207,7 @@
         "type": "String",
         "metadata": {
           "displayName": "Supplemental group rule",
-          "description": "The 'SupplementalGroups' rule that containers are allowed to run with."
+          "description": "The 'SupplementalGroups' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'SupplementalGroups' be specified. RunAsAny allows any"
         },
         "allowedValues": [
           "MustRunAs",
@@ -258,7 +258,7 @@
         "type": "String",
         "metadata": {
           "displayName": "File system group rule",
-          "description": "The 'FSGroup' rule that containers are allowed to run with."
+          "description": "The 'FSGroup' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MayRunAs does not require that 'FSGroup' be specified. RunAsAny allows any"
         },
         "allowedValues": [
           "MustRunAs",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockEndpointEditDefaultRole.json

@@ -0,0 +1,125 @@
+{
+  "properties": {
+    "displayName": "Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Kubernetes"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Disabled' turns off the policy."
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      },
+      "namespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace inclusions",
+          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+        },
+        "defaultValue": []
+      },
+      "labelSelector": {
+        "type": "object",
+        "metadata": {
+          "displayName": "Kubernetes label selector",
+          "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+        },
+        "defaultValue": {},
+        "schema": {
+          "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+          "type": "object",
+          "properties": {
+            "matchLabels": {
+              "description": "matchLabels is a map of {key,value} pairs.",
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              },
+              "minProperties": 1
+            },
+            "matchExpressions": {
+              "description": "matchExpressions is a list of values, a key, and an operator.",
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "key": {
+                    "description": "key is the label key that the selector applies to.",
+                    "type": "string"
+                  },
+                  "operator": {
+                    "description": "operator represents a key's relationship to a set of values.",
+                    "type": "string",
+                    "enum": [
+                      "In",
+                      "NotIn",
+                      "Exists",
+                      "DoesNotExist"
+                    ]
+                  },
+                  "values": {
+                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    }
+                  }
+                },
+                "required": [
+                  "key",
+                  "operator"
+                ],
+                "additionalProperties": false
+              },
+              "minItems": 1
+            }
+          },
+          "additionalProperties": false
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "in": [
+          "Microsoft.ContainerService/managedClusters"
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "constraintTemplate": "https://store.policy.azure.us/kubernetes/block-endpoint-edit-default-role/v1/template.yaml",
+          "constraint": "https://store.policy.azure.us/kubernetes/block-endpoint-edit-default-role/v1/constraint.yaml",
+          "excludedNamespaces": "[parameters('excludedNamespaces')]",
+          "namespaces": "[parameters('namespaces')]",
+          "labelSelector": "[parameters('labelSelector')]"
+        }
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/1ddac26b-ed48-4c30-8cc5-3a68c79b8001",
+  "name": "1ddac26b-ed48-4c30-8cc5-3a68c79b8001"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerNoPrivilegeEscalation.json

@@ -5,7 +5,7 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "3.0.1",
+      "version": "4.0.0",
       "category": "Kubernetes"
     },
     "parameters": {
@@ -100,6 +100,14 @@
           },
           "additionalProperties": false
         }
+      },
+      "excludedContainers": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Containers exclusions",
+          "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
+        },
+        "defaultValue": []
       }
     },
     "policyRule": {
@@ -112,11 +120,14 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "constraintTemplate": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v1/template.yaml",
-          "constraint": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v1/constraint.yaml",
+          "constraintTemplate": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v2/template.yaml",
+          "constraint": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v2/constraint.yaml",
           "excludedNamespaces": "[parameters('excludedNamespaces')]",
           "namespaces": "[parameters('namespaces')]",
-          "labelSelector": "[parameters('labelSelector')]"
+          "labelSelector": "[parameters('labelSelector')]",
+          "values": {
+            "excludedContainers": "[parameters('excludedContainers')]"
+          }
         }
       }
     }

built-in-policies/policyDefinitions/Event Grid/Domains_DisableLocalAuth_AuditDeny.json

@@ -0,0 +1,46 @@
+{
+  "properties": {
+    "displayName": "Azure Event Grid domains should have local authentication methods disabled",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Event Grid"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.EventGrid/domains"
+          },
+          {
+            "field": "Microsoft.EventGrid/domains/disableLocalAuth",
+            "notEquals": true
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  },
+    "id": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd",
+    "name": "8bfadddb-ee1c-4639-8911-a38cb8e0b3bd"
+}