Built-in Policy Release ff326952 (#1221)

Co-authored-by: Azure Policy Bot <[email protected]>

Author: pilor

built-in-policies/policyDefinitions/Azure Government/Machine Learning/Workspace_PublicNetworkAccessDisabled_Modify.json

@@ -6,9 +6,9 @@
     "description": "Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal.",
     "metadata": {
       "category": "Machine Learning",
-      "version": "1.0.1"
+      "version": "1.0.2"
     },
-    "version": "1.0.1",
+    "version": "1.0.2",
     "parameters": {
       "effect": {
         "type": "String",
@@ -40,12 +40,12 @@
         "effect": "[parameters('effect')]",
         "details": {
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121"
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
           "conflictEffect": "audit",
           "operations": [
             {
-              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-07-01')]",
+              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-10-01')]",
               "operation": "addOrReplace",
               "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
               "value": "Disabled"

built-in-policies/policyDefinitions/Machine Learning/Workspace_PublicNetworkAccessDisabled_Modify.json

@@ -6,9 +6,9 @@
     "description": "Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal.",
     "metadata": {
       "category": "Machine Learning",
-      "version": "1.0.2"
+      "version": "1.0.3"
     },
-    "version": "1.0.2",
+    "version": "1.0.3",
     "parameters": {
       "effect": {
         "type": "String",
@@ -45,7 +45,7 @@
           "conflictEffect": "audit",
           "operations": [
             {
-              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-07-01')]",
+              "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-10-01')]",
               "operation": "addOrReplace",
               "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
               "value": "Disabled"

built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Guardrails.json

@@ -4,11 +4,11 @@
     "policyType": "BuiltIn",
     "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.",
     "metadata": {
-      "version": "1.1.1-preview",
+      "version": "1.2.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.1-preview",
+    "version": "1.2.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -249,6 +249,19 @@
             "value": "[parameters('excludedImages')]"
           }
         }
+      },
+      {
+        "policyDefinitionReferenceId": "ensureCsiDriverStorageClass",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f3823b6-6dac-4b5a-9c61-ce1afb829f17",
+        "definitionVersion": "3.*.*",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('effect')]"
+          },
+          "excludedNamespaces": {
+            "value": "[parameters('excludedNamespaces')]"
+          }
+        }
       }
     ]
   },

built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json

@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
     "metadata": {
-      "version": "47.6.0",
+      "version": "47.7.0",
       "category": "Security Center"
     },
-    "version": "47.6.0",
+    "version": "47.7.0",
     "policyDefinitionGroups": [
       {
         "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -5910,6 +5910,79 @@
         "groupNames": [
           "Azure_Security_Benchmark_v3.0_PV-4"
         ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldHaveLocalAuthenticationMethodsDisabled",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_IM-1"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
+        "definitionVersion": "3.*.*",
+        "policyDefinitionReferenceId": "cognitiveServicesShouldUsePrivateLink",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_NS-2"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "virtualMachinesAndVirtualMachineScaleSetsShouldHaveEncryptionAtHostEnabled",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_DP-4"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "azureCosmosDBShouldDisablePublicNetworkAccess",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_NS-2"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "cosmosDBAaccountsShouldUsePrivateLink",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_NS-2"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "vPNGatewaysShouldUseOnlyAzureActiveDirectoryAzureADAuthenticationForPointtositeUsers",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_IM-1"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf",
+        "definitionVersion": "2.*.*",
+        "policyDefinitionReferenceId": "azureSQLDatabaseShouldBeRunningTLSVersion12OrNewer",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_DP-3",
+          "Azure_Security_Benchmark_v3.0_IM-4"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91",
+        "definitionVersion": "1.*.*",
+        "policyDefinitionReferenceId": "azureSQLManagedInstancesShouldDisablePublicNetworkAccess",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_NS-2"
+        ]
+      },
+      {
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
+        "definitionVersion": "2.*.*",
+        "policyDefinitionReferenceId": "storageAccountsShouldPreventSharedKeyAccess",
+        "groupNames": [
+          "Azure_Security_Benchmark_v3.0_IM-1"
+        ]
       }
     ]
   },

built-in-policies/policySetDefinitions/Kubernetes/AKS_Guardrails.json

@@ -4,11 +4,11 @@
     "policyType": "BuiltIn",
     "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.",
     "metadata": {
-      "version": "1.1.1-preview",
+      "version": "1.2.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.1-preview",
+    "version": "1.2.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -249,6 +249,19 @@
             "value": "[parameters('excludedImages')]"
           }
         }
+      },
+      {
+        "policyDefinitionReferenceId": "ensureCsiDriverStorageClass",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f3823b6-6dac-4b5a-9c61-ce1afb829f17",
+        "definitionVersion": "2.*.*",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('effect')]"
+          },
+          "excludedNamespaces": {
+            "value": "[parameters('excludedNamespaces')]"
+          }
+        }
       }
     ]
   },