Built-in Policy Release 964b8894 (#1429)

Co-authored-by: Azure Policy Bot <[email protected]>

Author: robga

built-in-policies/policyDefinitions/App Service/App_Slot_VNetIntegrationEnabled_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "App Service"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -32,8 +32,16 @@
             "equals": "Microsoft.Web/sites/slots"
           },
           {
-            "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
-            "equals": ""
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
+                "equals": ""
+              }
+            ]
           }
         ]
       },
@@ -42,6 +50,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/App Service/App_VNetIntegrationEnabled_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.",
     "metadata": {
-      "version": "3.0.0",
+      "version": "3.1.0",
       "category": "App Service"
     },
-    "version": "3.0.0",
+    "version": "3.1.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -32,8 +32,16 @@
             "equals": "Microsoft.Web/sites"
           },
           {
-            "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
-            "equals": ""
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
+                "equals": ""
+              }
+            ]
           }
         ]
       },
@@ -42,6 +50,7 @@
       }
     },
     "versions": [
+      "3.1.0",
       "3.0.0"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_EnableRBAC_KubernetesService_Audit.json

@@ -5,10 +5,10 @@
     "mode": "All",
     "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.",
     "metadata": {
-      "version": "1.0.4",
+      "version": "1.1.0",
       "category": "Security Center"
     },
-    "version": "1.0.4",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -31,16 +31,12 @@
             "equals": "Microsoft.ContainerService/managedClusters"
           },
           {
-            "anyOf": [
-              {
-                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
-                "exists": "false"
-              },
-              {
-                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
-                "equals": "false"
-              }
-            ]
+            "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
+            "exists": "true"
+          },
+          {
+            "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
+            "equals": "false"
           }
         ]
       },
@@ -49,6 +45,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.4",
       "1.0.3"
     ]

built-in-policies/policyDefinitions/Backup/FileShare_EnableAzureBackup_Audit.json

@@ -0,0 +1,53 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Azure Backup should be enabled on Azure file shares",
+    "policyType": "BuiltIn",
+    "mode": "All",
+    "description": "Ensure protection of your Azure file shares by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Backup",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "AuditIfNotExists"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Storage/storageAccounts/fileServices/shares"
+          },
+          {
+            "field": "Microsoft.Storage/storageAccounts/fileServices/shares/enabledProtocols",
+            "equals": "SMB"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.RecoveryServices/backupprotecteditems"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/cfc5190a-3b19-4a23-b563-a4c719b666e4",
+  "name": "cfc5190a-3b19-4a23-b563-a4c719b666e4"
+}

built-in-policies/policyDefinitions/Kubernetes/AKS_EnableKMS.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Kubernetes"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -31,10 +31,6 @@
             "field": "type",
             "equals": "Microsoft.ContainerService/managedClusters"
           },
-          {
-            "field": "identity.type",
-            "notEquals": "SystemAssigned"
-          },
           {
             "field": "Microsoft.ContainerService/managedClusters/securityProfile.azureKeyVaultKms.enabled",
             "notEquals": true
@@ -46,6 +42,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Security Center/ASC_EnableRBAC_KubernetesService_Audit.json

@@ -5,10 +5,10 @@
     "mode": "All",
     "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.",
     "metadata": {
-      "version": "1.0.4",
+      "version": "1.1.0",
       "category": "Security Center"
     },
-    "version": "1.0.4",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -31,16 +31,12 @@
             "equals": "Microsoft.ContainerService/managedClusters"
           },
           {
-            "anyOf": [
-              {
-                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
-                "exists": "false"
-              },
-              {
-                "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
-                "equals": "false"
-              }
-            ]
+            "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
+            "exists": "true"
+          },
+          {
+            "field": "Microsoft.ContainerService/managedClusters/enableRBAC",
+            "equals": "false"
           }
         ]
       },
@@ -49,6 +45,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.4",
       "1.0.3"
     ]

built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json

@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.",
     "metadata": {
-      "version": "11.11.0",
+      "version": "11.12.0",
       "category": "Regulatory Compliance"
     },
-    "version": "11.11.0",
+    "version": "11.12.0",
     "policyDefinitionGroups": [
       {
         "name": "CMMC_L3_AC.1.001",
@@ -1950,7 +1950,8 @@
         ],
         "metadata": {
           "displayName": "Effect for policy: Deploy Advanced Threat Protection on Storage Accounts",
-          "description": "For more information about effects, visit https://aka.ms/policyeffects"
+          "description": "For more information about effects, visit https://aka.ms/policyeffects",
+          "deprecated": true
         }
       },
       "effect-b5f04e03-92a3-4b09-9410-2cc5e5047656": {
@@ -4579,19 +4580,6 @@
           "CMMC_L3_SI.2.216"
         ]
       },
-      {
-        "policyDefinitionReferenceId": "361c2074-3595-4e5d-8cab-4f21dffc835c",
-        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
-        "definitionVersion": "1.*.*",
-        "parameters": {
-          "effect": {
-            "value": "[parameters('effect-361c2074-3595-4e5d-8cab-4f21dffc835c')]"
-          }
-        },
-        "groupNames": [
-          "CMMC_L3_IR.2.093"
-        ]
-      },
       {
         "policyDefinitionReferenceId": "b5f04e03-92a3-4b09-9410-2cc5e5047656",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656",
@@ -6095,6 +6083,7 @@
       }
     ],
     "versions": [
+      "11.12.0",
       "11.11.0",
       "11.10.0",
       "11.9.0",

built-in-policies/policySetDefinitions/Regulatory Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json

@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.1.1",
       "category": "Regulatory Compliance"
     },
-    "version": "1.1.0",
+    "version": "1.1.1",
     "policyDefinitionGroups": [
       {
         "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/MCfS_Sovereignty_Baseline_Policy_SO.1",
@@ -355,6 +355,7 @@
       },
       "listOfAllowedLocations": {
         "allowedValues": [
+          "australia",
           "australiacentral",
           "australiacentral2",
           "australiaeast",
@@ -676,6 +677,7 @@
       }
     ],
     "versions": [
+      "1.1.1",
       "1.1.0",
       "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"

built-in-policies/policySetDefinitions/Regulatory Compliance/RMIT_Malaysia.json

@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative.",
     "metadata": {
-      "version": "9.14.0",
+      "version": "9.15.0",
       "category": "Regulatory Compliance"
     },
-    "version": "9.14.0",
+    "version": "9.15.0",
     "policyDefinitionGroups": [
       {
         "name": "RMiT_v1.0_10.1",
@@ -2115,7 +2115,8 @@
         ],
         "metadata": {
           "displayName": "Effect for policy: Deploy Advanced Threat Protection on storage accounts",
-          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects."
+          "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects.",
+          "deprecated": true
         }
       },
       "effect-404c3081-a854-4457-ae30-26a93ef643f9": {
@@ -4685,19 +4686,6 @@
           "RMiT_v1.0_11.15"
         ]
       },
-      {
-        "policyDefinitionReferenceId": "361c2074-3595-4e5d-8cab-4f21dffc835c",
-        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
-        "definitionVersion": "1.*.*",
-        "parameters": {
-          "effect": {
-            "value": "[parameters('effect-361c2074-3595-4e5d-8cab-4f21dffc835c')]"
-          }
-        },
-        "groupNames": [
-          "RMiT_v1.0_11.5"
-        ]
-      },
       {
         "policyDefinitionReferenceId": "404c3081-a854-4457-ae30-26a93ef643f9",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
@@ -4770,6 +4758,7 @@
       }
     ],
     "versions": [
+      "9.15.0",
       "9.14.0",
       "9.13.0",
       "9.12.0",