diff --git a/Docs/ci-cd-overview.md b/Docs/ci-cd-overview.md index 807e2a82..42aceadb 100644 --- a/Docs/ci-cd-overview.md +++ b/Docs/ci-cd-overview.md @@ -163,7 +163,6 @@ For saving the output related to ```Build-DeploymentPlans``` there is global var | `OutputFolder` | Output folder path for plan files. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER` or `./Output`. | | `DevOpsType` | If set, outputs variables consumable by conditions in a DevOps pipeline. Default: not set. | | `BuildExemptionsOnly` | If set, only builds the Exemptions plan. This useful to fast-track Exemption when utilizing [Release Flow](#advanced-cicd-with-release-flow) Default: not set. | -| `VirtualCores` | **Deprecated - DO NOT USE** -- Number of (virtual) cores available to calculate the deployment plan. Defaults to 4. | ### Deploy-PolicyPlan.ps1 @@ -173,7 +172,6 @@ Deploys Policies, Policy Sets, Policy Assignments, and Policy Exemptions at thei |Parameter | Explanation | |----------|-------------| | `InputFolder` | Input folder path for plan files. Defaults to environment variable `$env:PAC_INPUT_FOLDER`, `$env:PAC_OUTPUT_FOLDER` or `./Output`. | -| `VirtualCores` | **Deprecated - DO NOT USE** -- Number of (virtual) cores available to deploy Policy objects in parallel. Defaults to 4. | ### Deploy-RolesPlan.ps1 diff --git a/Docs/operational-scripts-reference.md b/Docs/operational-scripts-reference.md index 9518ffb6..3376d33f 100644 --- a/Docs/operational-scripts-reference.md +++ b/Docs/operational-scripts-reference.md 
@@ -35,10 +35,6 @@ Suppresses prompt for confirmation to delete existing file in interactive mode Include Policies with effect Manual. Default: do not include Polcies with effect Manual. -#### **Deprecated - DO NOT USE** -- `-VirtualCores ` - -Number of virtual cores to use for the operation. Default is 4. - ## Script `New-AzRemediationTasks` The New-AzRemediationTasks PowerShell creates remediation tasks for all non-compliant resources in the current AAD tenant. If one or multiple remediation tasks fail, their respective objects are added to a PowerShell variable that is outputted for later use in the Azure DevOps Pipeline. diff --git a/Docs/policy-exemptions.md b/Docs/policy-exemptions.md index 2a216ebe..f9b0ff07 100644 --- a/Docs/policy-exemptions.md +++ b/Docs/policy-exemptions.md @@ -65,7 +65,7 @@ EPAC injects `deployedBy` into the `metadata` section. This is a string that ide The following properties can be used to specify the Policy or Policies to be exempted. > [!CAUTION] -> `assignmentScopeValidation` value `DoNotValidate` only works reliably for Option **B**. It may work for Option **A** and **C** in some cases, but it is not recommended. EPAC cannot gracefully handle this and display a specific error message. Instead, it will display a generic error message with the following text `"Exemption entry $($entryNumber): No assignments found for scope $($currentScope), skipping entry."`. +> `assignmentScopeValidation` value `DoNotValidate` only works for Option **B**. It may work for Option **A** and **C** in some cases, but it is not recommended. EPAC cannot gracefully handle this and display a specific error message. Instead, it will display a generic error message with the following text `"Exemption entry $($entryNumber): No assignments found for scope $($currentScope), skipping entry."`. ### Option **A**: Policy definition Ids or Names diff --git a/Docs/settings-global-setting-file.md b/Docs/settings-global-setting-file.md index 946d26e2..ee7e6520 100644 
--- a/Docs/settings-global-setting-file.md +++ b/Docs/settings-global-setting-file.md @@ -89,6 +89,8 @@ EPAC has a concept of an environment identified by a string (unique per reposito - `managedIdentityLocation`: see [DeployIfNotExists and Modify Policy Assignments need `managedIdentityLocation`](#deployifnotexists-and-modify-policy-assignments-need-managedidentitylocation) - Optional: - `globalNotScopes`: see [Excluding scopes for all Assignments with `globalNotScopes`](#excluding-scopes-for-all-assignments-with-globalnotscopes) + - `skipResourceValidationForExemptions`: disables checking the resource existence for Policy Exemptions. Default is false. This can be useful if you have a massive amount of exemptions and the validation is taking too long. + - `doNotDisableDeprecatedPolicies`: **NOT YET IMPLEMENTED**: Planed feature will automatically set effect for deprecated Policies to "Disabled" when using the CSV file. This setting can be used to override that behavior by setting it to `true`. Default is `false`. - `deployedBy`: populates the `metadata` fields. It defaults to `epac/$pacOwnerId/$pacSelector`. We recommend to use the default. - Policy Definitions, Policy Set Definitions and Policy Exemptions - `metadata.deployedBy`. - Policy Assignments - `metadata.assignedBy` since Azure Portal displays it as 'Assigned by'. 
@@ -96,8 +98,8 @@ EPAC has a concept of an environment identified by a string (unique per reposito - `managedTenant`: Used when the `pacEnvironment` is in a lighthouse managed tenant, [see this example](#example-for-lighthouse-manged-tenant) It must contain: - `managingTenantId` - The tenantId of the managing tenant. - `managingTenantRootScope` - An array of all subscriptions that will need `additionalRoleAssignments` deployed to them. -- `defaultContext`: In rare cases (typicaslly only when deploying to a lighthouse managed tenant) the default context (Get-azContext) of a user/SPN running a plan will -be set to a suscription where that user/SPN does not have sufficient priveleges. Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue. When it is not, a `defaultContext` subscription name must be provided. This can be any subscription within the `deploymentRootScope`. +- `defaultContext`: In rare cases (typically only when deploying to a lighthouse managed tenant) the default context (Get-azContext) of a user/SPN running a plan will +be set to a subscription where that user/SPN does not have sufficient privileges. Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue. When it is not, a `defaultContext` subscription name must be provided. This can be any subscription within the `deploymentRootScope`. ### DeployIfNotExists and Modify Policy Assignments need `managedIdentityLocation` diff --git a/Scripts/Deploy/Build-DeploymentPlans.ps1 b/Scripts/Deploy/Build-DeploymentPlans.ps1 index aa5488e4..1d54b0e4 100644 --- a/Scripts/Deploy/Build-DeploymentPlans.ps1 +++ b/Scripts/Deploy/Build-DeploymentPlans.ps1 
@@ -53,21 +53,13 @@ param ( [Parameter(HelpMessage = "If set, outputs variables consumable by conditions in a DevOps pipeline.")] [ValidateSet("ado", "gitlab", "")] - [string] $DevOpsType = "", - - [Parameter(HelpMessage = "Deprecated.")] - [Int16] $VirtualCores = 0 + [string] $DevOpsType = "" ) $PSDefaultParameterValues = @{ "Write-Information:InformationVariable" = "+global:epacInfoStream" } -if ($VirtualCores -gt 0) { - Write-Warning "VirtualCores parameter is deprecated. parallel processing is no longer supported. Please remove the parameter!" -WarningAction Continue - $VirtualCores = 0 -} - Clear-Variable -Name epacInfoStream -Scope global -Force -ErrorAction SilentlyContinue # Dot Source Helper Scripts @@ -315,8 +307,7 @@ if ($buildSelections.buildAny) { # Convert Policy and PolicySetDefinition to detailed Info $combinedPolicyDetails = Convert-PolicyResourcesToDetails ` -AllPolicyDefinitions $allDefinitions.policydefinitions ` - -AllPolicySetDefinitions $allDefinitions.policysetdefinitions ` - -VirtualCores 4 + -AllPolicySetDefinitions $allDefinitions.policysetdefinitions # Populate allAssignments $deployedPolicyAssignments = $deployedPolicyResources.policyassignments.managed diff --git a/Scripts/Deploy/Deploy-PolicyPlan.ps1 b/Scripts/Deploy/Deploy-PolicyPlan.ps1 index a7be3203..ad555991 100644 --- a/Scripts/Deploy/Deploy-PolicyPlan.ps1 +++ b/Scripts/Deploy/Deploy-PolicyPlan.ps1 @@ -44,17 +44,9 @@ param ( [string] $InputFolder, [Parameter(HelpMessage = "Use switch to indicate interactive use")] - [switch] $Interactive, - - [Parameter(HelpMessage = "Deprecated.")] - [Int16] $VirtualCores = 0 + [switch] $Interactive ) -if ($VirtualCores -gt 0) { - Write-Warning "VirtualCores parameter is deprecated. parallel processing is no longer supported. Please remove the parameter!" -WarningAction Continue - $VirtualCores = 0 -} - $PSDefaultParameterValues = @{ "Write-Information:InformationVariable" = "+global:epacInfoStream" } 
diff --git a/Scripts/Helpers/Add-HelperScripts.ps1 b/Scripts/Helpers/Add-HelperScripts.ps1 index 87c4ca1e..08cb3966 100644 --- a/Scripts/Helpers/Add-HelperScripts.ps1 +++ b/Scripts/Helpers/Add-HelperScripts.ps1 @@ -104,6 +104,7 @@ . "$PSScriptRoot/RestMethods/Get-AzPolicyAssignmentRestMethod.ps1" . "$PSScriptRoot/RestMethods/Get-AzPolicyExemptionsRestMethod.ps1" +. "$PSScriptRoot/RestMethods/Get-AzResourceListRestMethod.ps1" . "$PSScriptRoot/RestMethods/Get-AzRoleAssignmentsRestMethod.ps1" . "$PSScriptRoot/RestMethods/Get-AzRoleDefinitionsRestMethod.ps1" . "$PSScriptRoot/RestMethods/Remove-AzResourceByIdRestMethod.ps1" diff --git a/Scripts/Helpers/Build-ExemptionsPlan.ps1 b/Scripts/Helpers/Build-ExemptionsPlan.ps1 index 13d4fdb7..248570b8 100644 --- a/Scripts/Helpers/Build-ExemptionsPlan.ps1 +++ b/Scripts/Helpers/Build-ExemptionsPlan.ps1 @@ -30,6 +30,8 @@ function Build-ExemptionsPlan { $numberOfFilesWithErrors = 0 $desiredState = $PacEnvironment.desiredState $desiredStateStrategy = $desiredState.strategy + $resourceIdsBySubscriptionId = @{} + $validateResources = -not $PacEnvironment.skipResourceValidationForExemptions $now = Get-Date -AsUTC #endregion read files and cache data structures @@ -41,7 +43,6 @@ function Build-ExemptionsPlan { } else { Write-Information "Number of Policy Exemption files = $($exemptionFiles.Length)" - $resourceIdsExist = @{} #region pre-calculate assignments $sortedAssignments = $AllAssignments.Values | Sort-Object -Property id # for a stable order 
@@ -294,77 +295,111 @@ function Build-ExemptionsPlan { #endregion JSON files require exactly one field from set @(policyAssignmentId,policyDefinitionName,policyDefinitionId,policySetDefinitionName,policySetDefinitionId) } - #region only allow Exemptions for managed Assignment - $epacMetadataDefinitionSpecification = @{} - if ($null -ne $policyAssignmentId) { - $epacMetadataDefinitionSpecification.policyAssignmentId = $policyAssignmentId - if (-not $AllAssignments.ContainsKey($policyAssignmentId)) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyAssignmentId '$assignmentReferenceId' not found in current root scope $($PacEnvironment.deploymentRootScope)" -EntryNumber $entryNumber - } + #region retrieve pre-calculated Assignments + if ([string]::IsNullOrWhitespace($assignmentScopeValidation)) { + $assignmentScopeValidation = "Default" } - elseif ($null -ne $policyDefinitionName) { - $epacMetadataDefinitionSpecification.policyDefinitionName = $policyDefinitionName - $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` - -Name $policyDefinitionName ` - -PolicyDefinitionsScopes $PacEnvironment.policyDefinitionsScopes ` - -AllDefinitions $AllDefinitions.policydefinitions - if ($null -eq $policyDefinitionId) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionName '$($row.policyDefinitionName)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + else { + if ($assignmentScopeValidation -ne "Default" -and $assignmentScopeValidation -ne "DoNotValidate") { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "invalid assignmentScopeValidation '$assignmentScopeValidation' (must be 'Default' or 'DoNotValidate')" -EntryNumber $entryNumber } } - elseif ($null -ne $policyDefinitionId) { - $epacMetadataDefinitionSpecification.policyDefinitionId = $policyDefinitionId - $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` - -Id $policyDefinitionId ` - -PolicyDefinitionsScopes 
$PacEnvironment.policyDefinitionsScopes ` - -AllDefinitions $AllDefinitions.policydefinitions - if ($null -eq $policyDefinitionId) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionId '$($row.policyDefinitionId)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + $validateScope = $assignmentScopeValidation -eq "Default" + $unValidatedPolicyAssignment = $false + if (!$validateScope) { + if ($null -eq $policyAssignmentId) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "DoNotValidate (assignmentScopeValidation) is only valid when policyAssignmentId is specified." -EntryNumber $entryNumber } - } - elseif ($null -ne $policySetDefinitionName) { - $epacMetadataDefinitionSpecification.policySetDefinitionName = $policySetDefinitionName - $policySetDefinitionId = Confirm-PolicySetDefinitionUsedExists ` - -Name $policySetDefinitionName ` - -PolicySetDefinitionsScopes $PacEnvironment.policySetDefinitionsScopes ` - -AllDefinitions $AllDefinitions.policysetdefinitions - if ($null -eq $policySetDefinitionId) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policySetDefinitionName '$($row.policySetDefinitionName)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + else { + $epacMetadataDefinitionSpecification.policyAssignmentId = $policyAssignmentId + $calculatedPolicyAssignments = $byAssignmentIdCalculatedAssignments.$policyAssignmentId + if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { + $unValidatedPolicyAssignment = $true + $calculatedPolicyAssignment = @{ + id = $policyAssignmentId + name = $policyAssignmentId + scope = "" + notScopes = @() + policyDefinitionReferenceIds = @() + perPolicyReferenceIdTable = @{} + allowReferenceIdsInRow = $true + isPolicyAssignment = $true + + } + $calculatedPolicyAssignments = @($calculatedPolicyAssignment) + } } } - elseif ($null -ne $policySetDefinitionId) { - 
$epacMetadataDefinitionSpecification.policySetDefinitionId = $policySetDefinitionId - $policySetDefinitionId = Confirm-PolicySetDefinitionUsedExists ` - -Id $policySetDefinitionId ` - -PolicySetDefinitionsScopes $PacEnvironment.policySetDefinitionsScopes ` - -AllDefinitions $AllDefinitions.policysetdefinitions - if ($null -eq $policySetDefinitionId) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policySetDefinitionId '$($row.policySetDefinitionId)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + else { + $epacMetadataDefinitionSpecification = @{} + if ($null -ne $policyAssignmentId) { + $epacMetadataDefinitionSpecification.policyAssignmentId = $policyAssignmentId + if (-not $AllAssignments.ContainsKey($policyAssignmentId)) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyAssignmentId '$assignmentReferenceId' not found in current root scope $($PacEnvironment.deploymentRootScope)" -EntryNumber $entryNumber + } + } + elseif ($null -ne $policyDefinitionName) { + $epacMetadataDefinitionSpecification.policyDefinitionName = $policyDefinitionName + $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` + -Name $policyDefinitionName ` + -PolicyDefinitionsScopes $PacEnvironment.policyDefinitionsScopes ` + -AllDefinitions $AllDefinitions.policydefinitions + if ($null -eq $policyDefinitionId) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionName '$($row.policyDefinitionName)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + } + } + elseif ($null -ne $policyDefinitionId) { + $epacMetadataDefinitionSpecification.policyDefinitionId = $policyDefinitionId + $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` + -Id $policyDefinitionId ` + -PolicyDefinitionsScopes $PacEnvironment.policyDefinitionsScopes ` + -AllDefinitions $AllDefinitions.policydefinitions + if ($null -eq $policyDefinitionId) { + Add-ErrorMessage -ErrorInfo 
$errorInfo -ErrorString "policyDefinitionId '$($row.policyDefinitionId)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + } + } + elseif ($null -ne $policySetDefinitionName) { + $epacMetadataDefinitionSpecification.policySetDefinitionName = $policySetDefinitionName + $policySetDefinitionId = Confirm-PolicySetDefinitionUsedExists ` + -Name $policySetDefinitionName ` + -PolicySetDefinitionsScopes $PacEnvironment.policySetDefinitionsScopes ` + -AllDefinitions $AllDefinitions.policysetdefinitions + if ($null -eq $policySetDefinitionId) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policySetDefinitionName '$($row.policySetDefinitionName)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + } + } + elseif ($null -ne $policySetDefinitionId) { + $epacMetadataDefinitionSpecification.policySetDefinitionId = $policySetDefinitionId + $policySetDefinitionId = Confirm-PolicySetDefinitionUsedExists ` + -Id $policySetDefinitionId ` + -PolicySetDefinitionsScopes $PacEnvironment.policySetDefinitionsScopes ` + -AllDefinitions $AllDefinitions.policysetdefinitions + if ($null -eq $policySetDefinitionId) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policySetDefinitionId '$($row.policySetDefinitionId)' not found in current EPAC environment '$($PacEnvironment.pacSelector)'" -EntryNumber $entryNumber + } } - } - #endregion only allow Exemptions for managed Assignment - - #region retrieve pre-calculated assignments for this row - $calculatedPolicyAssignments = $null - if ($null -ne $policyDefinitionId) { - $calculatedPolicyAssignments = $byPolicyIdCalculatedAssignments.$policyDefinitionId - if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { - Write-Warning "Row $($entryNumber): No assignments found for policyDefinitionId '$policyDefinitionId', skipping row" + + $calculatedPolicyAssignments = $null + if ($null -ne 
$policyDefinitionId) { + $calculatedPolicyAssignments = $byPolicyIdCalculatedAssignments.$policyDefinitionId + if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { + Write-Warning "Row $($entryNumber): No assignments found for policyDefinitionId '$policyDefinitionId', skipping row" + } } - } - elseif ($null -ne $policySetDefinitionId) { - $calculatedPolicyAssignments = $byPolicySetIdCalculatedAssignments.$policySetDefinitionId - if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { - Write-Warning "Row $($entryNumber): No assignments found for policySetDefinitionId '$policySetDefinitionId', skipping row" + elseif ($null -ne $policySetDefinitionId) { + $calculatedPolicyAssignments = $byPolicySetIdCalculatedAssignments.$policySetDefinitionId + if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { + Write-Warning "Row $($entryNumber): No assignments found for policySetDefinitionId '$policySetDefinitionId', skipping row" + } } - } - elseif ($null -ne $policyAssignmentId) { - $calculatedPolicyAssignments = $byAssignmentIdCalculatedAssignments.$policyAssignmentId - if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { - Write-Warning "Row $($entryNumber): No assignment found for policyAssignmentId '$policyAssignmentId', skipping row" + elseif ($null -ne $policyAssignmentId) { + $calculatedPolicyAssignments = $byAssignmentIdCalculatedAssignments.$policyAssignmentId + if ($null -eq $calculatedPolicyAssignments -or $calculatedPolicyAssignments.Count -eq 0) { + Write-Warning "Row $($entryNumber): No assignment found for policyAssignmentId '$policyAssignmentId', skipping row" + } } } - #endregion retrieve pre-calculated assignments for this row + #endregion retrieve pre-calculated Assignments #region check required fields and allowed values if ([string]::IsNullOrWhitespace($name)) { 
@@ -399,14 +434,6 @@ function Build-ExemptionsPlan { Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "description '$($description.Substring(0, 32))...' too long (max 512 characters)" -EntryNumber $entryNumber } } - if ([string]::IsNullOrWhitespace($assignmentScopeValidation)) { - $assignmentScopeValidation = "Default" - } - else { - if ($assignmentScopeValidation -ne "Default" -and $assignmentScopeValidation -ne "DoNotValidate") { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "invalid assignmentScopeValidation '$assignmentScopeValidation' (must be 'Default' or 'DoNotValidate')" -EntryNumber $entryNumber - } - } #endregion check required fields and allowed values #region pre-process scope or scopes array 
@@ -502,42 +529,63 @@ function Build-ExemptionsPlan { $currentScope = $scopeInformation.scope $scopePostfix = $scopeInformation.scopePostfix $trimmedScope = $currentScope.Trim() - $validateScope = $assignmentScopeValidation -eq "Default" + $subscriptionId = "" $scopeIsValid = $true + $resourceStatus = "notAnIndividualResource" + $splits = $currentScope -split "/" if ($currentScope.StartsWith("/subscriptions/")) { + $subscriptionId = $splits[2] if ($currentScope.Contains("/providers/")) { # an actual resource, keep just the "/subscriptions/.../resourceGroups/..." part - $splits = $currentScope -split "/" $trimmedScope = $splits[0..4] -join "/" - if ($validateScope) { - $thisResourceIdExists = $false - if ($resourceIdsExist.ContainsKey($currentScope)) { - $thisResourceIdExists = $resourceIdsExist.$currentScope + if ($validateScope -and $validateResources) { + $resourceStatus = "individualResourceDoesNotExists" + if ($resourceIdsBySubscriptionId.ContainsKey($subscriptionId)) { + $resourceIds = $resourceIdsBySubscriptionId.$subscriptionId + if ($resourceIds.ContainsKey($currentScope)) { + $resourceStatus = "individualResourceExists" + } } else { - $resource = Get-AzResource -ResourceId $currentScope -ErrorAction SilentlyContinue - $thisResourceIdExists = $null -ne $resource - $resourceIdsExist[$currentScope] = $thisResourceIdExists + $resources = Get-AzResourceListRestMethod -SubscriptionId $subscriptionId + $resourceIds = @{} + foreach ($resource in $resources) { + $resourceId = $resource.id + $resourceIds.Add($resourceId, $resource) + if ($resourceId -eq $currentScope) { + $resourceStatus = "individualResourceExists" + } + } + $resourceIdsBySubscriptionId.Add($subscriptionId, $resourceIds) } - if (-not $thisResourceIdExists) { + if ($resourceStatus -eq "individualResourceDoesNotExists") { Write-Warning "Row $($entryNumber): Resource '$currentScope' does not exist, skipping entry." 
- $scopeIsValid = $false } } + else { + $resourceStatus = "individualResourceExists" + } } } if ($ScopeTable.ContainsKey($trimmedScope)) { $exemptionScopeDetails = $ScopeTable.$trimmedScope } - else { + elseif ($validateScope) { Write-Warning "Exemption entry $($entryNumber): Exemption scope $($currentScope) not found in current scope tree for root $($PacEnvironment.deploymentRootScope), skipping entry." $scopeIsValid = $false } - + else { + $exemptionScopeDetails = @{ + isExcluded = $false + parentTable = @{} + } + Write-Verbose "Exemption entry $($entryNumber): Unvalidated Exemption scope $($currentScope) not found in current scope tree for root $($PacEnvironment.deploymentRootScope)." + } + #region filter assignments in the current scope tree or are not in excluded scopes $filteredPolicyAssignments = [System.Collections.ArrayList]::new() $uniqueAssignmentNames = @{} - if ($null -ne $policyAssignmentId -and !$validateScope) { + if ($unValidatedPolicyAssignment) { $calculatedPolicyAssignment = $calculatedPolicyAssignments[0] $clonedCalculatedPolicyAssignment = $calculatedPolicyAssignment.Clone() $null = $filteredPolicyAssignments.Add($clonedCalculatedPolicyAssignment) @@ -584,9 +632,6 @@ function Build-ExemptionsPlan { Write-Verbose "Assignment scope = '$($policyAssignmentScope)' is not in the current scope tree for root $($PacEnvironment.deploymentRootScope), skipping assignment." } } - else { - Write-Verbose "Exemption scope = '$($currentScope)' is not in the current scope tree for root $($PacEnvironment.deploymentRootScope), skipping assignment." - } } foreach ($uniqueAssignmentName in $uniqueAssignmentNames.Keys) { $listOfAssignmentsWithSameName = $uniqueAssignmentNames.$uniqueAssignmentName 
@@ -670,42 +715,47 @@ function Build-ExemptionsPlan { $policyDefinitionReferenceIdsAugmented = [System.Collections.ArrayList]::new() if ($allowReferenceIdsInRow) { if ($null -ne $policyDefinitionReferenceIds -and $policyDefinitionReferenceIds.Count -gt 0) { - $epacMetadataDefinitionSpecification.policyDefinitionReferenceIds = ConvertTo-Json $policyDefinitionReferenceIds - foreach ($referenceId in $policyDefinitionReferenceIds) { - if ($policyAssignmentReferenceIds -contains $referenceId) { - $null = $policyDefinitionReferenceIdsAugmented.Add($referenceId) - } - elseif ($referenceId.StartsWith("policyDefinitions/")) { - $referenceIdTrimmed = $referenceId.Substring(18) - $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` - -Name $referenceIdTrimmed ` - -PolicyDefinitionsScopes $PacEnvironment.policyDefinitionsScopes ` - -AllDefinitions $AllDefinitions - if ($null -eq $policyDefinitionId) { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReference '$referenceId' not resolved for policyAssignment '$policyAssignmentName'" -EntryNumber $entryNumber + if ($unValidatedPolicyAssignment) { + $null = $policyDefinitionReferenceIdsAugmented.AddRange($policyDefinitionReferenceIds) + } + else { + $epacMetadataDefinitionSpecification.policyDefinitionReferenceIds = ConvertTo-Json $policyDefinitionReferenceIds + foreach ($referenceId in $policyDefinitionReferenceIds) { + if ($policyAssignmentReferenceIds -contains $referenceId) { + $null = $policyDefinitionReferenceIdsAugmented.Add($referenceId) } - else { - if ($policyAssignmentPerPolicyReferenceIdTable.ContainsKey($policyDefinitionId)) { - $referenceIds = $policyAssignmentPerPolicyReferenceIdTable.$policyDefinitionId + elseif ($referenceId.StartsWith("policyDefinitions/")) { + $referenceIdTrimmed = $referenceId.Substring(18) + $policyDefinitionId = Confirm-PolicyDefinitionUsedExists ` + -Name $referenceIdTrimmed ` + -PolicyDefinitionsScopes $PacEnvironment.policyDefinitionsScopes ` + -AllDefinitions 
$AllDefinitions + if ($null -eq $policyDefinitionId) { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReference '$referenceId' not resolved for policyAssignment '$policyAssignmentName'" -EntryNumber $entryNumber + } + else { + if ($policyAssignmentPerPolicyReferenceIdTable.ContainsKey($policyDefinitionId)) { + $referenceIds = $policyAssignmentPerPolicyReferenceIdTable.$policyDefinitionId + $null = $policyDefinitionReferenceIdsAugmented.AddRange($referenceIds) + } + else { + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReference '$referenceId' not resolved for policyAssignment '$policyAssignmentName'" -EntryNumber $entryNumber + } + } + } + elseif ($referenceId -contains "/providers/Microsoft.Authorization/policyDefinitions/") { + if ($policyAssignmentPerPolicyReferenceIdTable.ContainsKey($referenceId)) { + $referenceIds = $policyAssignmentPerPolicyReferenceIdTable.$referenceId $null = $policyDefinitionReferenceIdsAugmented.AddRange($referenceIds) } else { Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReference '$referenceId' not resolved for policyAssignment '$policyAssignmentName'" -EntryNumber $entryNumber } } - } - elseif ($referenceId -contains "/providers/Microsoft.Authorization/policyDefinitions/") { - if ($policyAssignmentPerPolicyReferenceIdTable.ContainsKey($referenceId)) { - $referenceIds = $policyAssignmentPerPolicyReferenceIdTable.$referenceId - $null = $policyDefinitionReferenceIdsAugmented.AddRange($referenceIds) - } else { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReference '$referenceId' not resolved for policyAssignment '$policyAssignmentName'" -EntryNumber $entryNumber + Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReferenceId '$referenceId' not found in policyAssignment '$policyAssignmentName'." 
-EntryNumber $entryNumber } } - else { - Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "policyDefinitionReferenceId '$referenceId' not found in policyAssignment '$policyAssignmentName'." -EntryNumber $entryNumber - } } } } @@ -756,13 +806,24 @@ function Build-ExemptionsPlan { } + $reasonStrings = [System.Collections.ArrayList]::new() + if ($expired) { + $null = $reasonStrings.Add("expired") + } + if (!$scopeIsValid) { + $null = $reasonStrings.Add("invalid scope") + } + if ($resourceStatus -eq "individualResourceDoesNotExists") { + $null = $reasonStrings.Add("resource does not exist") + } if ($deployedManagedExemptions.ContainsKey($exemptionId)) { $deployedManagedExemption = $deployedManagedExemptions.$exemptionId $deleteCandidates.Remove($exemptionId) if ($deployedManagedExemption.policyAssignmentId -ne $policyAssignmentId) { # Replaced Assignment - if ($expired -or !$scopeIsValid) { - Write-Verbose "Skip replace (assignmentId changed & expired or invalid scope): '$($exemptionDisplayName)' at scope '$($currentScope)'" + if ($reasonStrings.Count -gt 0) { + $reasonString = "assignmentId changed, $($reasonStrings -join ", ")" + Write-Verbose "Skip replace ($reasonString): '$($exemptionDisplayName)' at scope '$($currentScope)'" $Exemptions.numberUnchanged += 1 } else { @@ -775,8 +836,9 @@ function Build-ExemptionsPlan { } elseif ($replacedAssignments.ContainsKey($policyAssignmentId)) { # Replaced Assignment - if ($expired -or !$scopeIsValid) { - Write-Verbose "Skip replace (replaced assignment & expired or invalid scope): '$($exemptionDisplayName)' at scope '$($currentScope)'" + if ($reasonStrings.Count -gt 0) { + $reasonString = "replaced assignment, $($reasonStrings -join ", ")" + Write-Verbose "Skip replace ($reasonString): '$($exemptionDisplayName)' at scope '$($currentScope)'" $Exemptions.numberUnchanged += 1 } else { 
@@ -804,7 +866,7 @@ function Build-ExemptionsPlan { -ExistingMetadataObj $deployedManagedExemption.metadata ` -DefinedMetadataObj $clonedMetadata $assignmentScopeValidationMatches = ($deployedManagedExemption.assignmentScopeValidation -eq $assignmentScopeValidation) ` - -or ($null -eq $deployedManagedExemption.assignmentScopeValidation -and ($assignmentScopeValidation -eq "Default")) + -or ($null -eq $deployedManagedExemption.assignmentScopeValidation -and ($validateScope)) $resourceSelectorsMatches = Confirm-ObjectValueEqualityDeep $deployedManagedExemption.resourceSelectors $resourceSelectors # Update Exemption in Azure if necessary if ($displayNameMatches -and $descriptionMatches -and $exemptionCategoryMatches -and $expiresOnMatches ` @@ -812,11 +874,6 @@ function Build-ExemptionsPlan { -and $assignmentScopeValidationMatches -and $resourceSelectorsMatches) { $Exemptions.numberUnchanged += 1 } - elseif ($expired -or !$scopeIsValid) { - # Skip expired or invalid scope Exemptions - Write-Verbose "Skip update (expired or invalid scope): '$($exemptionDisplayName)' at scope '$($currentScope)'" - $Exemptions.numberUnchanged += 1 - } else { # One or more properties have changed $changesStrings = @() 
@@ -851,31 +908,26 @@ function Build-ExemptionsPlan { $changesStrings += "resourceSelectors" } $changesString = $changesStrings -join "," - $Exemptions.numberOfChanges++ - Write-Information "Update ($changesString): '$($exemptionDisplayName)' at scope '$($currentScope)'" - Write-Verbose " $exemptionId" - $null = $Exemptions.update.Add($exemptionId, $exemption) - } - } - } - else { - if ($expired -or !$scopeIsValid) { - # Skip expired or invalid scope Exemptions - if ($VerbosePreference -eq "Continue") { - if ($expired -and !$scopeIsValid) { - Write-Information "Skip new exemption (expired, invalid scope): '$($exemptionDisplayName)' at scope '$($currentScope)'" - Write-Information " $exemptionId" - } - elseif ($expired) { - Write-Information "Skip new exemption (expired): '$($exemptionDisplayName)' at scope '$($currentScope)'" - Write-Information " $exemptionId" + if ($reasonStrings.Count -gt 0) { + $reasonString = "$($reasonStrings -join ", "), $changesString" + Write-Verbose "Skip update ($reasonString): '$($exemptionDisplayName)' at scope '$($currentScope)'" + $Exemptions.numberUnchanged += 1 } else { - Write-Information "Skip new exemption (invalid scope): '$($exemptionDisplayName)' at scope '$($currentScope)'" - Write-Information " $exemptionId" + $Exemptions.numberOfChanges++ + Write-Information "Update ($changesString): '$($exemptionDisplayName)' at scope '$($currentScope)'" + Write-Verbose " $exemptionId" + $null = $Exemptions.update.Add($exemptionId, $exemption) } } } + } + else { + if ($reasonStrings.Count -gt 0) { + $reasonString = $reasonStrings -join ", " + Write-Information "Skip new exemption ($reasonString): '$($exemptionDisplayName)' at scope '$($currentScope)'" + Write-Verbose " $exemptionId" + } else { # Create Exemption Write-Information "New '$($exemptionDisplayName)' at scope '$($currentScope)'" 
diff --git a/Scripts/Helpers/Convert-PolicyResourcesDetailsToFlatList.ps1 b/Scripts/Helpers/Convert-PolicyResourcesDetailsToFlatList.ps1 index b0827691..98f821df 100644 --- a/Scripts/Helpers/Convert-PolicyResourcesDetailsToFlatList.ps1 +++ b/Scripts/Helpers/Convert-PolicyResourcesDetailsToFlatList.ps1 @@ -94,6 +94,8 @@ function Convert-PolicyResourcesDetailsToFlatList { description = $policyInPolicySetInfo.description policyType = $policyInPolicySetInfo.policyType category = $policyInPolicySetInfo.category + version = $policyInPolicySetInfo.version + isDeprecated = $policyInPolicySetInfo.isDeprecated effectDefault = $effectDefault effectValue = $effectValue ordinal = 99 diff --git a/Scripts/Helpers/Convert-PolicyResourcesToDetails.ps1 b/Scripts/Helpers/Convert-PolicyResourcesToDetails.ps1 index 5808f382..64a7f309 100644 --- a/Scripts/Helpers/Convert-PolicyResourcesToDetails.ps1 +++ b/Scripts/Helpers/Convert-PolicyResourcesToDetails.ps1 @@ -2,8 +2,7 @@ function Convert-PolicyResourcesToDetails { [CmdletBinding()] param ( [hashtable] $AllPolicyDefinitions, - [hashtable] $AllPolicySetDefinitions, - [Int16] $VirtualCores + [hashtable] $AllPolicySetDefinitions ) Write-Information "===================================================================================================" @@ -12,9 +11,10 @@ function Convert-PolicyResourcesToDetails { # Convert Policy Definitions to Details $policyDetails = @{} - if ($VirtualCores -gt 1) { + $virtualCores = 4 + if ($virtualCores -gt 1) { # maybe parallel processing - $throttleLimit = $VirtualCores + $throttleLimit = $virtualCores $chunks = Split-HashtableIntoChunks -Table $AllPolicyDefinitions -NumberOfChunks $throttleLimit if ($chunks.Count -le 1) { $chunks = $null 
@@ -70,9 +70,9 @@ function Convert-PolicyResourcesToDetails { # Convert Policy Set Definitions to Details $policySetDetails = @{} - if ($VirtualCores -gt 1) { + if ($virtualCores -gt 1) { # maybe parallel processing - $throttleLimit = $VirtualCores + $throttleLimit = $virtualCores $chunks = Split-HashtableIntoChunks -Table $AllPolicySetDefinitions -NumberOfChunks $throttleLimit if ($chunks.Count -le 1) { $chunks = $null diff --git a/Scripts/Helpers/Convert-PolicyToDetails.ps1 b/Scripts/Helpers/Convert-PolicyToDetails.ps1 index 22df9b58..43b8700b 100644 --- a/Scripts/Helpers/Convert-PolicyToDetails.ps1 +++ b/Scripts/Helpers/Convert-PolicyToDetails.ps1 @@ -119,6 +119,25 @@ function Convert-PolicyToDetails { $null = $parameterDefinitions.Add($parameterName, $parameterDefinition) } + $isDeprecated = $false + $version = "0.0.0" + if ($displayName.Contains("deprecated", [StringComparison]::InvariantCultureIgnoreCase) -or ` + $description.Contains("deprecated", [StringComparison]::InvariantCultureIgnoreCase)) { + $isDeprecated = $true + } + else { + if ($properties.metadata -and $properties.metadata.version) { + $version = $properties.metadata.version + if ($version.Contains("deprecated", [StringComparison]::InvariantCultureIgnoreCase)) { + $isDeprecated = $true + } + } + $version = $properties.version + if ($version -and $version.Contains("deprecated", [StringComparison]::InvariantCultureIgnoreCase)) { + $isDeprecated = $true + } + } + $name = $PolicyDefinition.name $policyDetail = @{ id = $PolicyId @@ -127,6 +146,8 @@ function Convert-PolicyToDetails { description = $description policyType = $properties.policyType category = $category + version = $version + isDeprecated = $isDeprecated effectParameterName = $effectParameterName effectValue = $effectValue effectDefault = $effectDefault diff --git a/Scripts/Helpers/Get-AzPolicyExemptions.ps1 b/Scripts/Helpers/Get-AzPolicyExemptions.ps1 index 1e0e1b16..dbcd8d05 100644 --- a/Scripts/Helpers/Get-AzPolicyExemptions.ps1 
+++ b/Scripts/Helpers/Get-AzPolicyExemptions.ps1 @@ -14,7 +14,6 @@ function Get-AzPolicyExemptions { $policyResources = [System.Collections.ArrayList]::new() $ProgressItemName = "Policy Exemptions" $now = Get-Date -AsUTC - $resourceIdsExist = @{} if ($PacEnvironment.cloud -eq "AzureChinaCloud") { # if ($PacEnvironment.cloud -ne "AzureChinaCloud") { # test china cloud in normal environment @@ -130,33 +129,6 @@ function Get-AzPolicyExemptions { $status = "active-expiring-within-15-days" } } - $isIndividualResource = $true - if ($scope.StartsWith("/providers/Microsoft.Management/management")) { - $isIndividualResource = $false - } - elseif ($scope.Contains("/providers/")) { - $isIndividualResource = $true - } - else { - # subscription, resourceGroup - $isIndividualResource = $false - } - if ($isIndividualResource) { - $thisResourceIdExists = $false - if ($resourceIdsExist.ContainsKey($scope)) { - $thisResourceIdExists = $resourceIdsExist.$scope - } - else { - $resource = Get-AzResource -ResourceId $scope -ErrorAction SilentlyContinue - $thisResourceIdExists = $null -ne $resource - $resourceIdsExist[$scope] = $thisResourceIdExists - } - if (-not $thisResourceIdExists) { - $policyResource.status = "orphaned-resource" - $policyExemptionsCounters.orphaned += 1 - Write-Information "Policy Exemption $id is orphaned (resource $scope does not exist)" - } - } $exemption = @{ id = $id diff --git a/Scripts/Helpers/Get-AzPolicyResources.ps1 b/Scripts/Helpers/Get-AzPolicyResources.ps1 index a03c299b..e8a1375e 100644 --- a/Scripts/Helpers/Get-AzPolicyResources.ps1 +++ b/Scripts/Helpers/Get-AzPolicyResources.ps1 
@@ -143,27 +143,6 @@ function Get-AzPolicyResources { } } - Write-Information "Processing Exemptions for orphaned assignments" - if (-not $skipExemptionsLocal) { - $policyExemptionsCounters = $deployedPolicyResources.policyexemptions.counters - $managedPolicyExemptionsTable = $deployedPolicyResources.policyexemptions.managed - $managedPolicyAssignmentsTable = $deployedPolicyResources.policyassignments.managed - # change exemption status if exemption orphaned (policyAssignment with policyAssignmentId does not exist) - foreach ($policyResource in $managedPolicyExemptionsTable.Values) { - if ($policyResource.assignmentScopeValidation -eq "Default") { - $assignmentId = $policyResource.policyAssignmentId - $assignmentScopeValidation = $policyResource.assignmentScopeValidation - if ($assignmentScopeValidation -eq "Default") { - if (-not $managedPolicyAssignmentsTable.ContainsKey($assignmentId)) { - $policyResource.status = "orphaned-assignment" - $policyExemptionsCounters.orphaned += 1 - continue - } - } - } - } - } - Write-Information "" Write-Information "===================================================================================================" Write-Information "Policy Resources found for EPAC environment '$($PacEnvironment.pacSelector)' at root scope $($deploymentRootScope -replace '/providers/Microsoft.Management', '')" @@ -216,7 +195,6 @@ function Get-AzPolicyResources { Write-Information " This PaC = $($managedBy.thisPaC)" Write-Information " Other PaC = $($managedBy.otherPaC)" Write-Information " Unknown = $($managedBy.unknown)" - Write-Information " Orphaned = $($counters.orphaned)" Write-Information " Expired = $($counters.expired)" Write-Information " Excluded = $($counters.excluded)" } diff --git a/Scripts/Helpers/Get-AzPolicyResourcesDetails.ps1 b/Scripts/Helpers/Get-AzPolicyResourcesDetails.ps1 index f3a3d05d..0fedb25f 100644 --- a/Scripts/Helpers/Get-AzPolicyResourcesDetails.ps1 +++ b/Scripts/Helpers/Get-AzPolicyResourcesDetails.ps1 
@@ -3,8 +3,7 @@ function Get-AzPolicyResourcesDetails { param ( [string] $PacEnvironmentSelector, [hashtable] $PacEnvironment, - [hashtable] $CachedPolicyResourceDetails, - [Int16] $VirtualCores + [hashtable] $CachedPolicyResourceDetails ) $policyResourceDetails = $null @@ -23,8 +22,7 @@ function Get-AzPolicyResourcesDetails { $policyResourceDetails = Convert-PolicyResourcesToDetails ` -AllPolicyDefinitions $deployed.policydefinitions.all ` - -AllPolicySetDefinitions $deployed.policysetdefinitions.all ` - -VirtualCores $VirtualCores + -AllPolicySetDefinitions $deployed.policysetdefinitions.all $null = $policyResourceDetails.policyAssignments = $deployed.policyassignments.managed $null = $CachedPolicyResourceDetails.Add($PacEnvironmentSelector, $policyResourceDetails) } diff --git a/Scripts/Helpers/Get-GlobalSettings.ps1 b/Scripts/Helpers/Get-GlobalSettings.ps1 index 1675e60d..c11ababc 100644 --- a/Scripts/Helpers/Get-GlobalSettings.ps1 +++ b/Scripts/Helpers/Get-GlobalSettings.ps1 @@ -187,6 +187,16 @@ function Get-GlobalSettings { } } } + $skipResourceValidationForExemptions = $false + $skipResourceValidationForExemptionsRaw = $pacEnvironment.skipResourceValidationForExemptions + if ($skipResourceValidationForExemptionsRaw) { + $skipResourceValidationForExemptions = $true + } + $doNotDisableDeprecatedPolicies = $false + $doNotDisableDeprecatedPoliciesRaw = $pacEnvironment.doNotDisableDeprecatedPolicies + if ($doNotDisableDeprecatedPoliciesRaw) { + $doNotDisableDeprecatedPolicies = $true + } $desiredState = @{ strategy = "undefined" 
@@ -303,22 +313,24 @@ function Get-GlobalSettings { } $pacEnvironmentDefinition = @{ - pacSelector = $pacSelector - pacOwnerId = $pacOwnerId - deployedBy = $deployedBy - cloud = $cloud - tenantId = $tenantId - managingTenantId = $managingTenantId - managingTenantRootScope = $managingTenantRootScope - deploymentRootScope = $deploymentRootScope - defaultContext = $defaultContext - policyDefinitionsScopes = $policyDefinitionsScopes - desiredState = $desiredState - managedIdentityLocation = $managedIdentityLocation - globalNotScopes = $globalNotScopesList.ToArray() - globalNotScopesResourceGroups = $globalNotScopesResourceGroupsList.ToArray() - globalNotScopesSubscriptions = $globalNotScopesSubscriptionsList.ToArray() - globalNotScopesManagementGroups = $globalNotScopesManagementGroupsList.ToArray() + pacSelector = $pacSelector + pacOwnerId = $pacOwnerId + deployedBy = $deployedBy + cloud = $cloud + tenantId = $tenantId + managingTenantId = $managingTenantId + managingTenantRootScope = $managingTenantRootScope + deploymentRootScope = $deploymentRootScope + defaultContext = $defaultContext + policyDefinitionsScopes = $policyDefinitionsScopes + skipResourceValidationForExemptions = $skipResourceValidationForExemptions + doNotDisableDeprecatedPolicies = $doNotDisableDeprecatedPolicies + desiredState = $desiredState + managedIdentityLocation = $managedIdentityLocation + globalNotScopes = $globalNotScopesList.ToArray() + globalNotScopesResourceGroups = $globalNotScopesResourceGroupsList.ToArray() + globalNotScopesSubscriptions = $globalNotScopesSubscriptionsList.ToArray() + globalNotScopesManagementGroups = $globalNotScopesManagementGroupsList.ToArray() } $null = $pacEnvironmentDefinitions.Add($pacSelector, $pacEnvironmentDefinition) diff --git a/Scripts/Helpers/RestMethods/Get-AzResourceListRestMethod.ps1 b/Scripts/Helpers/RestMethods/Get-AzResourceListRestMethod.ps1 new file mode 100644 index 00000000..26b2cd42 --- /dev/null 
+++ b/Scripts/Helpers/RestMethods/Get-AzResourceListRestMethod.ps1 @@ -0,0 +1,24 @@ +function Get-AzResourceListRestMethod { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + $SubscriptionId, + + [string] $ApiVersion = "2021-04-01" + ) + + $path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion" + $response = Invoke-AzRestMethod -Path $path -Method GET + + # Process response + $statusCode = $response.StatusCode + if ($statusCode -lt 200 -or $statusCode -ge 300) { + $content = $response.Content + Write-Warning "Policy Exemption error for scope '$Scope' $($statusCode) -- $($content)" + Write-Output @() -NoEnumerate + } + + $content = $response.Content + $resources = $content | ConvertFrom-Json -Depth 100 -AsHashtable + Write-Output $resources.value -NoEnumerate +} \ No newline at end of file diff --git a/Scripts/Helpers/Search-AzGraphAllItems.ps1 b/Scripts/Helpers/Search-AzGraphAllItems.ps1 index bd1e9f91..7d4066fb 100644 --- a/Scripts/Helpers/Search-AzGraphAllItems.ps1 +++ b/Scripts/Helpers/Search-AzGraphAllItems.ps1 
@@ -6,23 +6,77 @@ function Search-AzGraphAllItems { $ProgressIncrement = 1000 ) - [System.Collections.ArrayList] $data = [System.Collections.ArrayList]::new() # Search-AzGraph can only return a maximum of 1000 items. Without the -First it will only return 100 items - $result = Search-AzGraph $Query -First 1000 @ScopeSplat - $null = $data.AddRange($result.Data) - while ($null -ne $result.SkipToken) { - # More data available, SkipToken will allow the next query in this loop to continue where the last invocation ended + $body = @{ + query = $Query + # options = @{ + # "`$top" = 1000 + # "`$skip" = 0 + # } + } + if ($ScopeSplat.ManagementGroup) { + $body.managementGroups = @($ScopeSplat.ManagementGroup) + } + elseif ($ScopeSplat.Subscription) { + $body.subscriptions = @($ScopeSplat.Subscription) + } + elseif ($ScopeSplat.ManagementGroups) { + $body.managementGroups = $ScopeSplat.ManagementGroups + } + elseif ($ScopeSplat.Subscriptions) { + $body.subscriptions = $ScopeSplat.Subscriptions + } + + [System.Collections.ArrayList] $data = [System.Collections.ArrayList]::new() + + $bodyJson = $body | ConvertTo-Json -Depth 100 + $response = Invoke-AzRestMethod -Method POST ` + -Path "/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01" ` + -Payload $bodyJson + $statusCode = $response.StatusCode + $content = $response.Content + if ($statusCode -lt 200 -or $statusCode -ge 300) { + Write-Error "Search-AzGraph REST error for '$Scope' $($statusCode) -- $($content)" -ErrorAction Stop + } + $result = $content | ConvertFrom-Json -Depth 100 -AsHashtable + $count = $result.count + + if ($count -gt 0) { + $null = $data.AddRange($result.data) + if ($data.count % $ProgressIncrement -eq 0) { + Write-Information "Retrieved $($data.count) $ProgressItemName" + } + while ($result.ContainsKey("`$skipToken")) { + # More data available, $skipToken will allow the next query in this loop to continue where the last invocation ended + $body.options = @{ "`$skipToken" = 
$result["`$skipToken"] } + $bodyJson = $body | ConvertTo-Json -Depth 100 + $response = Invoke-AzRestMethod -Method POST ` + -Path "/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01" ` + -Payload $bodyJson + $statusCode = $response.StatusCode + $content = $response.Content + if ($statusCode -lt 200 -or $statusCode -ge 300) { + Write-Error "Search-AzGraph REST error for '$Scope' $($statusCode) -- $($content)" -ErrorAction Stop + } + $result = $content | ConvertFrom-Json -Depth 100 -AsHashtable + $count = $result.count + if ($count -gt 0) { + $null = $data.AddRange($result.data) + if ($data.count % $ProgressIncrement -eq 0) { + Write-Information "Retrieved $($data.count) $ProgressItemName" + } + } + else { + break + } + } $count = $data.Count - if ($count % $ProgressIncrement -eq 0) { - Write-Information "Retrieved $count $ProgressItemName" + if ($count % $ProgressIncrement -ne 0) { + Write-Information "Retrieved $($count) $ProgressItemName" } - $result = Search-AzGraph $Query -First 1000 -SkipToken $result.SkipToken @ScopeSplat - $null = $data.AddRange($result.Data) } - $count = $data.Count - if ($count % $ProgressIncrement -ne 0) { - Write-Information "Retrieved $($count) $ProgressItemName" + else { + Write-Information "No $ProgressItemName found" } - $dataClone = Get-DeepCloneAsOrderedHashtable -InputObject $data - Write-Output $dataClone -NoEnumerate + Write-Output $data -NoEnumerate } diff --git a/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1 b/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1 index 2dd438f2..676a935f 100644 --- a/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1 +++ b/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1 
@@ -8,11 +8,6 @@ function Set-AzCloudTenantSubscription { [Parameter(Mandatory = $false)] [string] $DeploymentDefaultContext ) - if ($null -eq (Get-Module Az.ResourceGraph -ListAvailable)) { - Write-Information "Installing Az.ResourceGraph module" - Install-Module Az.ResourceGraph -Force -Repository PSGallery - } - if ([string]::IsNullOrWhitespace($DeploymentDefaultContext)) { Get-AzSubscription | Where-Object HomeTenantId -eq (Get-AzContext).Tenant | Select-Object -First 1 | Set-AzContext } diff --git a/Scripts/Operations/Build-PolicyDocumentation.ps1 b/Scripts/Operations/Build-PolicyDocumentation.ps1 index b5a9b9e2..385b5db6 100644 --- a/Scripts/Operations/Build-PolicyDocumentation.ps1 +++ b/Scripts/Operations/Build-PolicyDocumentation.ps1 @@ -55,17 +55,9 @@ param ( [switch] $SuppressConfirmation, [Parameter(Mandatory = $false, HelpMessage = "Include Policies with effect Manual. Default: do not include Polcies with effect Manual.")] - [switch] $IncludeManualPolicies, - - [Parameter(HelpMessage = "Deprecated.")] - [Int16] $VirtualCores = 0 + [switch] $IncludeManualPolicies ) -if ($VirtualCores -gt 0) { - Write-Warning "VirtualCores parameter is deprecated. parallel processing is no longer supported. Please remove the parameter!" -WarningAction Continue - $VirtualCores = 0 -} - # Dot Source Helper Scripts . "$PSScriptRoot/../Helpers/Add-HelperScripts.ps1" @@ -206,8 +198,7 @@ foreach ($file in $files) { $policyResourceDetails = Get-AzPolicyResourcesDetails ` -PacEnvironmentSelector $pacEnvironmentSelector ` -PacEnvironment $pacEnvironment ` - -CachedPolicyResourceDetails $cachedPolicyResourceDetails ` - -VirtualCores 4 + -CachedPolicyResourceDetails $cachedPolicyResourceDetails $policySetDetails = $policyResourceDetails.policySets # Calculate itemList 
@@ -284,8 +275,7 @@ foreach ($file in $files) { $policyResourceDetails = Get-AzPolicyResourcesDetails ` -PacEnvironmentSelector $currentPacEnvironmentSelector ` -PacEnvironment $pacEnvironment ` - -CachedPolicyResourceDetails $cachedPolicyResourceDetails ` - -VirtualCores 4 + -CachedPolicyResourceDetails $cachedPolicyResourceDetails # Retrieve assignments and process information or retrieve from cache is assignment previously processed $assignmentArray = $environmentCategoryEntry.representativeAssignments diff --git a/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss-effects.csv b/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss-effects.csv new file mode 100644 index 00000000..fa824db1 --- /dev/null +++ b/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss-effects.csv 
@@ -0,0 +1,278 @@ +name,referencePath,policyType,category,displayName,description,groupNames,policySets,allowedEffects,PRODParameters,NONPRODEffect,PRODParameters,NONPRODParameters +a4af4a39-4135-47fb-b175-47fbdf85311d,,BuiltIn,App Service,App Service apps should only be accessible over HTTPS,Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Audit,Deny",Audit,Audit,, +6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab,,BuiltIn,App Service,Function apps should only be accessible over HTTPS,Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Audit,Deny",Audit,Audit,, +3657f5a0-770e-44a3-b44e-9431ba1e9735,,BuiltIn,Automation,Automation account variables should be encrypted,It is important to enable encryption of Automation account variable assets when storing sensitive data,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +22bee202-a82f-4305-9a2a-6d7f44d4dedb,,BuiltIn,Cache,Only secure connections to your Azure Cache for Redis should be enabled,"Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +1d84d5fb-01f6-4d12-ba4f-4a26081d403d,,BuiltIn,Compute,Virtual machines should be migrated to new Azure Resource Manager resources,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +a451c1ef-c6ca-483d-87ed-f49761e3ffb5,,BuiltIn,General,Audit usage of custom RBAC roles,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: Audit (Policy Default),"Audit,Disabled",Audit,Audit,, +3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,BuiltIn,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. 
For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: modify (Policy Fixed),"modify,audit",audit,audit,, +497dff13-db2a-4c0f-8603-28fa3b331ab6,,BuiltIn,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: modify (Policy Fixed),"modify,audit",audit,audit,, +5b054a0d-39e2-4d53-bea3-9734cad2c69b,,BuiltIn,Guest Configuration,Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +4ceb8dc2-559c-478b-a15b-733fbf1e3738,,BuiltIn,Guest Configuration,Audit Windows machines that do not have the maximum password age set to specified number of days,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. 
Default value for maximum password age is 70 days",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,"{""IncludeArcMachines"":""false""}","{""IncludeArcMachines"":""false""}" +a2d0e922-65d0-40c4-8f87-ea6da2d307a2,,BuiltIn,Guest Configuration,Audit Windows machines that do not restrict the minimum password length to specified number of characters,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +385f5831-96d4-41db-9a3c-cd3af78aaae6,,BuiltIn,Guest Configuration,Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: deployIfNotExists (Policy Fixed),deployIfNotExists,AuditIfNotExists,AuditIfNotExists,, +7f89b1eb-583c-429a-8828-af049802c1d9,,BuiltIn,Monitoring,Audit diagnostic setting for selected resource types,Audit diagnostic setting for selected resource types. 
Be sure to select only resource types which support diagnostics settings.,"PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: AuditIfNotExists (Policy Fixed),AuditIfNotExists,AuditIfNotExists,AuditIfNotExists,"{""listOfResourceTypesWithDiagnosticLogsEnabled"":[""Microsoft.AnalysisServices/servers"",""Microsoft.ApiManagement/service"",""Microsoft.Network/applicationGateways"",""Microsoft.Automation/automationAccounts"",""Microsoft.ContainerInstance/containerGroups"",""Microsoft.ContainerRegistry/registries"",""Microsoft.ContainerService/managedClusters"",""Microsoft.Batch/batchAccounts"",""Microsoft.Cdn/profiles/endpoints"",""Microsoft.CognitiveServices/accounts"",""Microsoft.DocumentDB/databaseAccounts"",""Microsoft.DataFactory/factories"",""Microsoft.DataLakeAnalytics/accounts"",""Microsoft.DataLakeStore/accounts"",""Microsoft.EventGrid/eventSubscriptions"",""Microsoft.EventGrid/topics"",""Microsoft.EventHub/namespaces"",""Microsoft.Network/expressRouteCircuits"",""Microsoft.Network/azureFirewalls"",""Microsoft.HDInsight/clusters"",""Microsoft.Devices/IotHubs"",""Microsoft.KeyVault/vaults"",""Microsoft.Network/loadBalancers"",""Microsoft.Logic/integrationAccounts"",""Microsoft.Logic/workflows"",""Microsoft.DBforMySQL/servers"",""Microsoft.Network/networkInterfaces"",""Microsoft.Network/networkSecurityGroups"",""Microsoft.DBforPostgreSQL/servers"",""Microsoft.PowerBIDedicated/capacities"",""Microsoft.Network/publicIPAddresses"",""Microsoft.RecoveryServices/vaults"",""Microsoft.Cache/redis"",""Microsoft.Relay/namespaces"",""Microsoft.Search/searchServices"",""Microsoft.ServiceBus/namespaces"",""Microsoft.SignalRService/SignalR"",""Microsoft.Sql/servers/databases"",""Microsoft.Sql/servers/elasticPools"",""Microsoft.StreamAnalytics/streamingjobs"",""Microsoft.TimeSeriesInsights/environments"",""Microsoft.Network/trafficManagerProfiles"",""Microsoft.Compute/virtualMachines"",""Microsoft.Compute/virtualMachineScaleSets"",""Microsoft.Network/virtualNetworks"",""Microsoft.N
etwork/virtualNetworkGateways""]}","{""listOfResourceTypesWithDiagnosticLogsEnabled"":[""Microsoft.AnalysisServices/servers"",""Microsoft.ApiManagement/service"",""Microsoft.Network/applicationGateways"",""Microsoft.Automation/automationAccounts"",""Microsoft.ContainerInstance/containerGroups"",""Microsoft.ContainerRegistry/registries"",""Microsoft.ContainerService/managedClusters"",""Microsoft.Batch/batchAccounts"",""Microsoft.Cdn/profiles/endpoints"",""Microsoft.CognitiveServices/accounts"",""Microsoft.DocumentDB/databaseAccounts"",""Microsoft.DataFactory/factories"",""Microsoft.DataLakeAnalytics/accounts"",""Microsoft.DataLakeStore/accounts"",""Microsoft.EventGrid/eventSubscriptions"",""Microsoft.EventGrid/topics"",""Microsoft.EventHub/namespaces"",""Microsoft.Network/expressRouteCircuits"",""Microsoft.Network/azureFirewalls"",""Microsoft.HDInsight/clusters"",""Microsoft.Devices/IotHubs"",""Microsoft.KeyVault/vaults"",""Microsoft.Network/loadBalancers"",""Microsoft.Logic/integrationAccounts"",""Microsoft.Logic/workflows"",""Microsoft.DBforMySQL/servers"",""Microsoft.Network/networkInterfaces"",""Microsoft.Network/networkSecurityGroups"",""Microsoft.DBforPostgreSQL/servers"",""Microsoft.PowerBIDedicated/capacities"",""Microsoft.Network/publicIPAddresses"",""Microsoft.RecoveryServices/vaults"",""Microsoft.Cache/redis"",""Microsoft.Relay/namespaces"",""Microsoft.Search/searchServices"",""Microsoft.ServiceBus/namespaces"",""Microsoft.SignalRService/SignalR"",""Microsoft.Sql/servers/databases"",""Microsoft.Sql/servers/elasticPools"",""Microsoft.StreamAnalytics/streamingjobs"",""Microsoft.TimeSeriesInsights/environments"",""Microsoft.Network/trafficManagerProfiles"",""Microsoft.Compute/virtualMachines"",""Microsoft.Compute/virtualMachineScaleSets"",""Microsoft.Network/virtualNetworks"",""Microsoft.Network/virtualNetworkGateways""]}" +1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1,,BuiltIn,Regulatory Compliance,Adhere to retention periods defined,CMA_0004 - Adhere to retention 
periods defined,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7d7a8356-5c34-9a95-3118-1424cfaf192a,,BuiltIn,Regulatory Compliance,Adopt biometric authentication mechanisms,CMA_0005 - Adopt biometric authentication mechanisms,"PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9622aaa9-5c49-40e2-5bf8-660b7cd23deb,,BuiltIn,Regulatory Compliance,Alert personnel of information spillage,CMA_0007 - Alert personnel of information spillage,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928,,BuiltIn,Regulatory Compliance,Appoint a senior information security officer,CMA_C1733 - Appoint a senior information security officer,PCI_DSS_v4.0_12.1.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37b0045b-3887-367b-8b4d-b9a6fa911bb9,,BuiltIn,Regulatory Compliance,Assess information security events,CMA_0013 - Assess information security events,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08,,BuiltIn,Regulatory Compliance,Assess risk in third party relationships,CMA_0014 - Assess risk in third party relationships,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c423e64d-995c-9f67-0403-b540f65ba42a,,BuiltIn,Regulatory Compliance,Assess Security Controls,CMA_C1145 - Assess Security Controls,PCI_DSS_v4.0_12.4.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f29b17a4-0df2-8a50-058a-8570f9979d28,,BuiltIn,Regulatory Compliance,Assign system identifiers,CMA_0018 - Assign system 
identifiers,"PCI_DSS_v4.0_8.2.1,PCI_DSS_v4.0_8.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f26af0b1-65b6-689a-a03f-352ad2d00f98,,BuiltIn,Regulatory Compliance,Audit privileged functions,CMA_0019 - Audit privileged functions,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +49c23d9b-02b0-0e42-4f94-e8cef1b8381b,,BuiltIn,Regulatory Compliance,Audit user account status,CMA_0020 - Audit user account status,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6f1de470-79f3-1572-866e-db0771352fc8,,BuiltIn,Regulatory Compliance,Authenticate to cryptographic module,CMA_0021 - Authenticate to cryptographic module,"PCI_DSS_v4.0_3.3.2,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +aeed863a-0f56-429f-945d-8bb66bd06841,,BuiltIn,Regulatory Compliance,Authorize access to security functions and information,CMA_0022 - Authorize access to security functions and information,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +50e9324a-7410-0539-0662-2c1e775538b7,,BuiltIn,Regulatory Compliance,Authorize and manage access,CMA_0023 - Authorize and manage access,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +dad8a2e9-6f27-4fc2-8933-7e99fe700c9c,,BuiltIn,Regulatory Compliance,Authorize remote access,CMA_0024 - Authorize remote access,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +2cc9c165-46bd-9762-5739-d2aae5ba90a1,,BuiltIn,Regulatory Compliance,Automate account management,CMA_0026 - Automate account management,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3d399cf3-8fc6-0efc-6ab0-1412f1198517,,BuiltIn,Regulatory Compliance,Block untrusted and unsigned processes that run from USB,CMA_0050 - Block untrusted and unsigned processes that run from USB,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab,,BuiltIn,Regulatory Compliance,Check for privacy and security compliance before establishing internal connections,CMA_0053 - Check for privacy and security compliance before establishing internal connections,PCI_DSS_v4.0_1.2.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c42f19c9-5d88-92da-0742-371a0ea03126,,BuiltIn,Regulatory Compliance,Clear personnel with access to classified information,CMA_0054 - Clear personnel with access to classified information,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8eea8c14-4d93-63a3-0c82-000343ee5204,,BuiltIn,Regulatory Compliance,Conduct a full text analysis of logged privileged commands,CMA_0056 - Conduct a full text analysis of logged privileged commands,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +203101f5-99a3-1491-1b56-acccd9b66a9e,,BuiltIn,Regulatory Compliance,Conduct a security impact analysis,CMA_0057 - Conduct a security impact analysis,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+677e1da4-00c3-287a-563d-f4a1cf9b99a0,,BuiltIn,Regulatory Compliance,Conduct Risk Assessment,CMA_C1543 - Conduct Risk Assessment,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d7c1ecc3-2980-a079-1569-91aec8ac4a77,,BuiltIn,Regulatory Compliance,Conduct risk assessment and distribute its results,CMA_C1544 - Conduct risk assessment and distribute its results,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68,,BuiltIn,Regulatory Compliance,Conduct risk assessment and document its results,CMA_C1542 - Conduct risk assessment and document its results,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b53aa659-513e-032c-52e6-1ce0ba46582f,,BuiltIn,Regulatory Compliance,Configure actions for noncompliant devices,CMA_0062 - Configure actions for noncompliant devices,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2927e340-60e4-43ad-6b5f-7a1468232cc2,,BuiltIn,Regulatory Compliance,Configure detection whitelist,CMA_0068 - Configure detection whitelist,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +26daf649-22d1-97e9-2a8a-01b182194d59,,BuiltIn,Regulatory Compliance,Configure workstations to check for digital certificates,CMA_0073 - Configure workstations to check for digital certificates,"PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +59bedbdc-0ba9-39b9-66bb-1d1c192384e6,,BuiltIn,Regulatory Compliance,Control information flow,CMA_0079 - Control information flow,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2,PCI_DSS_v4.0_1.4.3,PCI_DSS_v4.0_1.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+55a7f9a0-6397-7589-05ef-5ed59a8149e7,,BuiltIn,Regulatory Compliance,Control physical access,CMA_0081 - Control physical access,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_9.2.2,PCI_DSS_v4.0_9.2.3,PCI_DSS_v4.0_9.2.4,PCI_DSS_v4.0_9.3.1,PCI_DSS_v4.0_9.3.1.1,PCI_DSS_v4.0_9.3.2,PCI_DSS_v4.0_9.3.3,PCI_DSS_v4.0_9.3.4,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10874318-0bf7-a41f-8463-03e395482080,,BuiltIn,Regulatory Compliance,Correlate audit records,CMA_0087 - Correlate audit records,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +043c1e56-5a16-52f8-6af8-583098ff3e60,,BuiltIn,Regulatory Compliance,Create a data inventory,CMA_0096 - Create a data inventory,"PCI_DSS_v4.0_12.5.2.1,PCI_DSS_v4.0_9.4.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2,,BuiltIn,Regulatory Compliance,Create alternative actions for identified anomalies,CMA_C1711 - Create alternative actions for identified anomalies,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7,,BuiltIn,Regulatory Compliance,Define a physical key management process,CMA_0115 - Define a physical key management process,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f7eb1d0b-6d4f-2d59-1591-7563e11a9313,,BuiltIn,Regulatory Compliance,Define and enforce conditions for shared and group accounts,CMA_0117 - Define and enforce 
conditions for shared and group accounts,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2af4640d-11a6-a64b-5ceb-a468f4341c0c,,BuiltIn,Regulatory Compliance,Define and enforce inactivity log policy,CMA_C1017 - Define and enforce inactivity log policy,PCI_DSS_v4.0_8.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c4ccd607-702b-8ae6-8eeb-fc3339cd4b42,,BuiltIn,Regulatory Compliance,Define cryptographic use,CMA_0120 - Define cryptographic use,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +623b5f0a-8cbd-03a6-4892-201d27302f0c,,BuiltIn,Regulatory Compliance,Define information system account types,CMA_0121 - Define information system account types,"PCI_DSS_v4.0_7.2.5,PCI_DSS_v4.0_8.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d661e9eb-4e15-5ba1-6f02-cdc467db0d6c,,BuiltIn,Regulatory Compliance,Define organizational requirements for cryptographic key management,CMA_0123 - Define organizational requirements for cryptographic key management,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b2f3a72-9e68-3993-2b69-13dcdecf8958,,BuiltIn,Regulatory Compliance,Define requirements for supplying goods and services,CMA_0126 - Define requirements for supplying goods and services,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual 
(Policy Default),"Manual,Disabled",Manual,Manual,, +52375c01-4d4c-7acc-3aa4-5b3d53a047ec,,BuiltIn,Regulatory Compliance,Define the duties of processors,CMA_0127 - Define the duties of processors,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.9.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8e49107c-3338-40d1-02aa-d524178a2afe,,BuiltIn,Regulatory Compliance,Deliver security assessment results,CMA_C1147 - Deliver security assessment results,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +03b6427e-6072-4226-4bd9-a410ab65317e,,BuiltIn,Regulatory Compliance,Design an access control model,CMA_0129 - Design an access control model,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7a0ecd94-3699-5273-76a5-edb8499f655a,,BuiltIn,Regulatory Compliance,Determine assertion requirements,CMA_0136 - Determine assertion requirements,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f67e567-03db-9d1f-67dc-b6ffb91312f4,,BuiltIn,Regulatory Compliance,Determine auditable events,CMA_0137 - Determine auditable events,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.1,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.4,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.2.1.7,PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +67ada943-8539-083d-35d0-7af648974125,,BuiltIn,Regulatory Compliance,Determine supplier contract obligations,CMA_0140 - Determine supplier contract 
obligations,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +42116f15-5665-a52a-87bb-b40e64c74b6c,,BuiltIn,Regulatory Compliance,Develop acceptable use policies and procedures,CMA_0143 - Develop acceptable use policies and procedures,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +59f7feff-02aa-6539-2cf7-bea75b762140,,BuiltIn,Regulatory Compliance,Develop access control policies and procedures,CMA_0144 - Develop access control policies and procedures,"PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b4e134f-1e4c-2bff-573e-082d85479b6e,,BuiltIn,Regulatory Compliance,Develop an incident response plan,CMA_0145 - Develop an incident response plan,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1,PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +055da733-55c6-9e10-8194-c40731057ec4,,BuiltIn,Regulatory Compliance,Develop and maintain a vulnerability management standard,CMA_0152 - Develop and maintain a vulnerability management standard,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f20840e-7925-221c-725d-757442753e7c,,BuiltIn,Regulatory Compliance,Develop and maintain baseline configurations,CMA_0153 - Develop and maintain baseline configurations,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a28323fe-276d-3787-32d2-cef6395764c4,,BuiltIn,Regulatory Compliance,Develop audit and accountability policies and procedures,CMA_0154 - Develop audit and accountability policies and procedures,PCI_DSS_v4.0_10.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +af227964-5b8b-22a2-9364-06d2cb9d6d7c,,BuiltIn,Regulatory Compliance,Develop information 
security policies and procedures,CMA_0158 - Develop information security policies and procedures,PCI_DSS_v4.0_10.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +477bd136-7dd9-55f8-48ac-bae096b86a07,,BuiltIn,Regulatory Compliance,Develop POA&M,CMA_C1156 - Develop POA&M,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1c258345-5cd4-30c8-9ef3-5ee4dd5231d6,,BuiltIn,Regulatory Compliance,Develop security assessment plan,CMA_C1144 - Develop security assessment plan,"PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_12.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +423f6d9c-0c73-9cc6-64f4-b52242490368,,BuiltIn,Regulatory Compliance,Develop security safeguards,CMA_0161 - Develop security safeguards,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10,,BuiltIn,Regulatory Compliance,Disable authenticators upon termination,CMA_0169 - Disable authenticators upon termination,PCI_DSS_v4.0_8.2.6,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9c93ef57-7000-63fb-9b74-88f2e17ca5d2,,BuiltIn,Regulatory Compliance,Disseminate security alerts to personnel,CMA_C1705 - Disseminate security alerts to personnel,"PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_6.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +098dcde7-016a-06c3-0985-0daaf3301d3a,,BuiltIn,Regulatory Compliance,Distribute authenticators,CMA_0184 - Distribute authenticators,PCI_DSS_v4.0_8.3.11,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0803eaa7-671c-08a7-52fd-ac419f775e75,,BuiltIn,Regulatory Compliance,Document acquisition contract acceptance criteria,CMA_0187 - Document acquisition contract acceptance criteria,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +04b3e7f6-4841-888d-4799-cda19a0084f6,,BuiltIn,Regulatory Compliance,Document and implement wireless access 
guidelines,CMA_0190 - Document and implement wireless access guidelines,"PCI_DSS_v4.0_1.3.3,PCI_DSS_v4.0_11.2.2,PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +83dfb2b8-678b-20a0-4c44-5c75ada023e6,,BuiltIn,Regulatory Compliance,Document mobility training,CMA_0191 - Document mobility training,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +271a3e58-1b38-933d-74c9-a580006b80aa,,BuiltIn,Regulatory Compliance,Document personnel acceptance of privacy requirements,CMA_0193 - Document personnel acceptance of privacy requirements,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f9ec3263-9562-1768-65a1-729793635a8d,,BuiltIn,Regulatory Compliance,Document protection of personal data in acquisition contracts,CMA_0194 - Document protection of personal data in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d78f95ba-870a-a500-6104-8a5ce2534f19,,BuiltIn,Regulatory Compliance,Document protection of security information in acquisition contracts,CMA_0195 - Document protection of security information in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3d492600-27ba-62cc-a1c3-66eb919f6a0d,,BuiltIn,Regulatory Compliance,Document remote access guidelines,CMA_0196 - Document remote access guidelines,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0ba211ef-0e85-2a45-17fc-401d1b3f8f85,,BuiltIn,Regulatory Compliance,Document requirements for the use of shared data in contracts,CMA_0197 - Document requirements for the use of shared data in contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +524e7136-9f6a-75ba-9089-501018151346,,BuiltIn,Regulatory Compliance,Document security and privacy training activities,CMA_0198 - Document security and privacy training activities,PCI_DSS_v4.0_12.6.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +13efd2d7-3980-a2a4-39d0-527180c009e8,,BuiltIn,Regulatory Compliance,Document security assurance requirements in acquisition contracts,CMA_0199 - Document security assurance requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a465e8e9-0095-85cb-a05f-1dd4960d02af,,BuiltIn,Regulatory Compliance,Document security documentation requirements in acquisition contract,CMA_0200 - Document security documentation requirements in acquisition contract,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +57927290-8000-59bf-3776-90c468ac5b4b,,BuiltIn,Regulatory Compliance,Document security functional requirements in acquisition contracts,CMA_0201 - Document security functional requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ebb0ba89-6d8c-84a7-252b-7393881e43de,,BuiltIn,Regulatory Compliance,Document security strength requirements in acquisition contracts,CMA_0203 - Document security strength requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5,PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c148208b-1a6f-a4ac-7abc-23b1d41121b1,,BuiltIn,Regulatory Compliance,Document the information system environment in acquisition contracts,CMA_0205 - Document the information system environment in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+79c75b38-334b-1a69-65e0-a9d929a42f75,,BuiltIn,Regulatory Compliance,Document the legal basis for processing personal information,CMA_0206 - Document the legal basis for processing personal information,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +77acc53d-0f67-6e06-7d04-5750653d4629,,BuiltIn,Regulatory Compliance,Document the protection of cardholder data in third party contracts,CMA_0207 - Document the protection of cardholder data in third party contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eaaae23f-92c9-4460-51cf-913feaea4d52,,BuiltIn,Regulatory Compliance,Employ a media sanitization mechanism,CMA_0208 - Employ a media sanitization mechanism,"PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4,,BuiltIn,Regulatory Compliance,Employ automatic shutdown/restart when violations are detected,CMA_C1715 - Employ automatic shutdown/restart when violations are detected,"PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +79365f13-8ba4-1f6c-2ac4-aa39929f56d0,,BuiltIn,Regulatory Compliance,Employ flow control mechanisms of encrypted information,CMA_0211 - Employ flow control mechanisms of encrypted information,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2,PCI_DSS_v4.0_1.4.3,PCI_DSS_v4.0_1.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +611ebc63-8600-50b6-a0e3-fef272457132,,BuiltIn,Regulatory Compliance,Employ independent team for penetration testing,CMA_C1171 - Employ independent team for penetration testing,"PCI_DSS_v4.0_11.4.1,PCI_DSS_v4.0_11.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1bc7fd64-291f-028e-4ed6-6e07886e163f,,BuiltIn,Regulatory Compliance,Employ least 
privilege access,CMA_0212 - Employ least privilege access,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2c843d78-8f64-92b5-6a9b-e8186c0e7eb6,,BuiltIn,Regulatory Compliance,Enable dual or joint authorization,CMA_0226 - Enable dual or joint authorization,"PCI_DSS_v4.0_10.3.1,PCI_DSS_v4.0_10.3.2,PCI_DSS_v4.0_10.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8c255136-994b-9616-79f5-ae87810e0dcf,,BuiltIn,Regulatory Compliance,Enable network protection,CMA_0238 - Enable network protection,"PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b4409bff-2287-8407-05fd-c73175a68302,,BuiltIn,Regulatory Compliance,Enforce a limit of consecutive failed login attempts,CMA_C1044 - Enforce a limit of consecutive failed login attempts,PCI_DSS_v4.0_8.3.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8cd815bf-97e1-5144-0735-11f6ddb50a59,,BuiltIn,Regulatory Compliance,Enforce and audit access restrictions,CMA_C1203 - Enforce and audit access restrictions,PCI_DSS_v4.0_1.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10c4210b-3ec9-9603-050d-77e4d26c7ebb,,BuiltIn,Regulatory Compliance,Enforce logical access,CMA_0245 - Enforce logical access,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b1666a13-8f67-9c47-155e-69e027ff6823,,BuiltIn,Regulatory Compliance,Enforce mandatory and discretionary access control policies,CMA_0246 - Enforce mandatory and discretionary access control policies,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +509552f5-6528-3540-7959-fbeae4832533,,BuiltIn,Regulatory Compliance,Enforce rules of behavior and access agreements,CMA_0248 - Enforce rules of behavior and access agreements,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +058e9719-1ff9-3653-4230-23f76b6492e0,,BuiltIn,Regulatory Compliance,Enforce security configuration settings,CMA_0249 - Enforce security configuration settings,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1,PCI_DSS_v4.0_2.2.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e336d5f4-4d8f-0059-759c-ae10f63d1747,,BuiltIn,Regulatory Compliance,Enforce user uniqueness,CMA_0250 - Enforce user uniqueness,PCI_DSS_v4.0_8.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37dbe3dc-0e9c-24fa-36f2-11197cbfa207,,BuiltIn,Regulatory Compliance,Ensure authorized users protect provided authenticators,CMA_C1339 - Ensure authorized users protect provided authenticators,PCI_DSS_v4.0_8.3.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +54a9c072-4a93-2a03-6a43-a060d30383d7,,BuiltIn,Regulatory Compliance,Eradicate contaminated information,CMA_0253 - Eradicate contaminated information,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7380631c-5bf5-0e3a-4509-0873becd8a63,,BuiltIn,Regulatory Compliance,Establish a configuration control board,CMA_0254 - Establish a configuration control board,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3c9aa856-6b86-35dc-83f4-bc72cec74dea,,BuiltIn,Regulatory Compliance,Establish a data leakage management procedure,CMA_0255 - Establish a data leakage management procedure,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d8bbd80e-3bb1-5983-06c2-428526ec6a63,,BuiltIn,Regulatory Compliance,Establish a 
password policy,CMA_0256 - Establish a password policy,"PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +39eb03c1-97cc-11ab-0960-6209ed2869f7,,BuiltIn,Regulatory Compliance,Establish a privacy program,CMA_0257 - Establish a privacy program,"PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_3.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d36700f2-2f0d-7c2a-059c-bdadd1d79f70,,BuiltIn,Regulatory Compliance,Establish a risk management strategy,CMA_0258 - Establish a risk management strategy,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b0e3035d-6366-2e37-796e-8bcab9c649e6,,BuiltIn,Regulatory Compliance,Establish a threat intelligence program,CMA_0260 - Establish a threat intelligence program,"PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_6.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +84245967-7882-54f6-2d34-85059f725b47,,BuiltIn,Regulatory Compliance,Establish an information security program,CMA_0263 - Establish an information security program,"PCI_DSS_v4.0_12.1.2,PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_12.5.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +526ed90e-890f-69e7-0386-ba5c0f1f784f,,BuiltIn,Regulatory Compliance,Establish and document a configuration management plan,CMA_0264 - Establish and document a configuration management plan,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +bd4dc286-2f30-5b95-777c-681f3a7913d3,,BuiltIn,Regulatory Compliance,Establish and document change control processes,CMA_0265 - Establish and document change control processes,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_1.2.8,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0,,BuiltIn,Regulatory 
Compliance,Establish authenticator types and processes,CMA_0267 - Establish authenticator types and processes,"PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.3.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4f23967c-a74b-9a09-9dc2-f566f61a87b9,,BuiltIn,Regulatory Compliance,Establish backup policies and procedures,CMA_0268 - Establish backup policies and procedures,PCI_DSS_v4.0_10.3.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8747b573-8294-86a0-8914-49e9b06a5ace,,BuiltIn,Regulatory Compliance,Establish configuration management requirements for developers,CMA_0270 - Establish configuration management requirements for developers,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b544f797-a73b-1be3-6d01-6b1a085376bc,,BuiltIn,Regulatory Compliance,Establish information security workforce development and improvement program,CMA_C1752 - Establish information security workforce development and improvement program,PCI_DSS_v4.0_12.6.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9150259b-617b-596d-3bf5-5ca3fce20335,,BuiltIn,Regulatory Compliance,Establish policies for supply chain risk management,CMA_0275 - Establish policies for supply chain risk management,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b3c8cc83-20d3-3890-8bc8-5568777670f4,,BuiltIn,Regulatory Compliance,Establish requirements for audit review and reporting,CMA_0277 - Establish requirements for audit review and reporting,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ba78efc6-795c-64f4-7a02-91effbd34af9,,BuiltIn,Regulatory Compliance,Execute actions in response to information spills,CMA_0281 - Execute actions in 
response to information spills,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +333b4ada-4a02-0648-3d4d-d812974f1bb2,,BuiltIn,Regulatory Compliance,Govern and monitor audit processing activities,CMA_0289 - Govern and monitor audit processing activities,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1a2a03a4-9992-5788-5953-d8f6615306de,,BuiltIn,Regulatory Compliance,Govern policies and procedures,CMA_0292 - Govern policies and procedures,"PCI_DSS_v4.0_10.1.1,PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ae5345d5-8dab-086a-7290-db43a3272198,,BuiltIn,Regulatory Compliance,Identify and authenticate network devices,CMA_0296 - Identify and authenticate network devices,"PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2,PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e1379836-3492-6395-451d-2f5062e14136,,BuiltIn,Regulatory Compliance,Identify and authenticate non-organizational users,CMA_C1346 - Identify and authenticate non-organizational users,PCI_DSS_v4.0_8.2.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +46ab2c5e-6654-1f58-8c83-e97a44f39308,,BuiltIn,Regulatory Compliance,Identify external service providers,CMA_C1591 - Identify external service providers,PCI_DSS_v4.0_1.2.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +015b4935-448a-8684-27c0-d13086356c33,,BuiltIn,Regulatory Compliance,Implement a threat awareness program,CMA_C1758 - Implement a threat awareness program,PCI_DSS_v4.0_12.6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +33832848-42ab-63f3-1a55-c0ad309d44cd,,BuiltIn,Regulatory Compliance,Implement an automated configuration management tool,CMA_0311 - Implement an automated configuration 
management tool,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +35de8462-03ff-45b3-5746-9d4603c74c56,,BuiltIn,Regulatory Compliance,Implement an insider threat program,CMA_C1751 - Implement an insider threat program,PCI_DSS_v4.0_12.6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e435f7e3-0dd9-58c9-451f-9b44b96c0232,,BuiltIn,Regulatory Compliance,Implement controls to secure all media,CMA_0314 - Implement controls to secure all media,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3,PCI_DSS_v4.0_9.4.1,PCI_DSS_v4.0_9.4.1.1,PCI_DSS_v4.0_9.4.2,PCI_DSS_v4.0_9.4.3,PCI_DSS_v4.0_9.4.4,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e,,BuiltIn,Regulatory Compliance,Implement controls to secure alternate work sites,CMA_0315 - Implement controls to secure alternate work sites,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10c3a1b1-29b0-a2d5-8f4c-a284b0f07830,,BuiltIn,Regulatory Compliance,Implement cryptographic mechanisms,CMA_C1419 - Implement cryptographic mechanisms,PCI_DSS_v4.0_2.2.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +433de59e-7a53-a766-02c2-f80f8421469a,,BuiltIn,Regulatory Compliance,Implement incident handling,CMA_0318 - Implement incident handling,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b262e1dd-08e9-41d4-963a-258909ad794b,,BuiltIn,Regulatory Compliance,Implement managed interface for each external service,CMA_C1626 - Implement managed interface for each external service,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3b30aa25-0f19-6c04-5ca4-bd3f880a763d,,BuiltIn,Regulatory 
Compliance,Implement parameters for memorized secret verifiers,CMA_0321 - Implement parameters for memorized secret verifiers,"PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e0c480bf-0d68-a42d-4cbb-b60f851f8716,,BuiltIn,Regulatory Compliance,Implement personnel screening,CMA_0322 - Implement personnel screening,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +05ec66a2-137c-14b8-8e75-3d7a2bef07f8,,BuiltIn,Regulatory Compliance,"Implement physical security for offices, working areas, and secure areas","CMA_0323 - Implement physical security for offices, working areas, and secure areas","PCI_DSS_v4.0_9.2.3,PCI_DSS_v4.0_9.2.4,PCI_DSS_v4.0_9.3.2,PCI_DSS_v4.0_9.3.3,PCI_DSS_v4.0_9.3.4,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +06f84330-4c27-21f7-72cd-7488afd50244,,BuiltIn,Regulatory Compliance,Implement privacy notice delivery methods,CMA_0324 - Implement privacy notice delivery methods,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +26d178a4-9261-6f04-a100-47ed85314c6e,,BuiltIn,Regulatory Compliance,Implement security directives,CMA_C1706 - Implement security directives,PCI_DSS_v4.0_6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +01ae60e2-38bb-0a32-7b20-d3a091423409,,BuiltIn,Regulatory Compliance,Implement system boundary protection,CMA_0328 - Implement system boundary protection,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e4b00788-7e1c-33ec-0418-d048508e095b,,BuiltIn,Regulatory Compliance,Implement training for protecting authenticators,CMA_0329 - Implement training for protecting 
authenticators,"PCI_DSS_v4.0_8.3.8,PCI_DSS_v4.0_8.6.2,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +834b7a4a-83ab-2188-1a26-9c5033d8173b,,BuiltIn,Regulatory Compliance,Incorporate security and data privacy practices in research processing,CMA_0331 - Incorporate security and data privacy practices in research processing,PCI_DSS_v4.0_6.5.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f741c4e6-41eb-15a4-25a2-61ac7ca232f0,,BuiltIn,Regulatory Compliance,"Integrate audit review, analysis, and reporting","CMA_0339 - Integrate audit review, analysis, and reporting","PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9,,BuiltIn,Regulatory Compliance,Integrate cloud app security with a siem,CMA_0340 - Integrate cloud app security with a siem,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +97d91b33-7050-237b-3e23-a77d57d84e13,,BuiltIn,Regulatory Compliance,Issue public key certificates,CMA_0347 - Issue public key certificates,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2af551d5-1775-326a-0589-590bfb7e9eb2,,BuiltIn,Regulatory Compliance,Limit privileges to make changes in production environment,CMA_C1206 - Limit privileges to make changes in production environment,"PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+3ad7f0bc-3d03-0585-4d24-529779bb02c2,,BuiltIn,Regulatory Compliance,Maintain availability of information,CMA_C1644 - Maintain availability of information,"PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0fd1ca29-677b-2f12-1879-639716459160,,BuiltIn,Regulatory Compliance,Maintain data breach records,CMA_0351 - Maintain data breach records,PCI_DSS_v4.0_12.10.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37546841-8ea1-5be0-214d-8ac599588332,,BuiltIn,Regulatory Compliance,Maintain incident response plan,CMA_0352 - Maintain incident response plan,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +92ede480-154e-0e22-4dca-8b46a74a3a51,,BuiltIn,Regulatory Compliance,Maintain records of processing of personal data,CMA_0353 - Maintain records of processing of personal data,"PCI_DSS_v4.0_1.2.4,PCI_DSS_v4.0_12.5.2,PCI_DSS_v4.0_12.5.2.1,PCI_DSS_v4.0_9.4.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +29363ae1-68cd-01ca-799d-92c9197c8404,,BuiltIn,Regulatory Compliance,Manage authenticator lifetime and reuse,CMA_0355 - Manage authenticator lifetime and reuse,"PCI_DSS_v4.0_8.3.10,PCI_DSS_v4.0_8.3.10.1,PCI_DSS_v4.0_8.3.9,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4aacaec9-0628-272c-3e83-0d68446694e0,,BuiltIn,Regulatory Compliance,Manage Authenticators,CMA_C1321 - Manage Authenticators,PCI_DSS_v4.0_2.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4e400494-53a5-5147-6f4d-718b539c7394,,BuiltIn,Regulatory Compliance,Manage compliance activities,CMA_0358 - Manage compliance activities,PCI_DSS_v4.0_12.4.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +63f63e71-6c3f-9add-4c43-64de23e554a7,,BuiltIn,Regulatory Compliance,Manage gateways,CMA_0363 - Manage 
gateways,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9c276cf3-596f-581a-7fbd-f5e46edaa0f4,,BuiltIn,Regulatory Compliance,Manage symmetric cryptographic keys,CMA_0367 - Manage symmetric cryptographic keys,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +34d38ea7-6754-1838-7031-d7fd07099821,,BuiltIn,Regulatory Compliance,Manage system and admin accounts,CMA_0368 - Manage system and admin accounts,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e603da3a-8af7-4f8a-94cb-1bcc0e0333d2,,BuiltIn,Regulatory Compliance,"Manage the input, output, processing, and storage of data","CMA_0369 - Manage the input, output, processing, and storage of data","PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4ac81669-00e2-9790-8648-71bc11bc91eb,,BuiltIn,Regulatory Compliance,Manage the transportation of assets,CMA_0370 - Manage the transportation of assets,"PCI_DSS_v4.0_9.4.3,PCI_DSS_v4.0_9.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +48c816c5-2190-61fc-8806-25d6f3df162f,,BuiltIn,Regulatory Compliance,Monitor access across the organization,CMA_0376 - Monitor access across the organization,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7b28ba4f-0a87-46ac-62e1-46b7c09202a8,,BuiltIn,Regulatory Compliance,Monitor account 
activity,CMA_0377 - Monitor account activity,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ed87d27a-9abf-7c71-714c-61d881889da4,,BuiltIn,Regulatory Compliance,Monitor privileged role assignment,CMA_0378 - Monitor privileged role assignment,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +18e9d748-73d4-0c96-55ab-b108bfbd5bc3,,BuiltIn,Regulatory Compliance,Notify personnel of any failed security verification tests,CMA_C1710 - Notify personnel of any failed security verification tests,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8489ff90-8d29-61df-2d84-f9ab0f4c5e84,,BuiltIn,Regulatory Compliance,Notify when account is not needed,CMA_0383 - Notify when account is not needed,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3f1216b0-30ee-1ac9-3899-63eb744e85f5,,BuiltIn,Regulatory Compliance,Obtain Admin documentation,CMA_C1580 - Obtain Admin documentation,PCI_DSS_v4.0_6.3.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +069101ac-4578-31da-0cd4-ff083edd3eb4,,BuiltIn,Regulatory Compliance,Obtain consent prior to collection or processing of personal data,CMA_0385 - Obtain consent prior to collection or processing of personal data,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ca6d7878-3189-1833-4620-6c7254ed1607,,BuiltIn,Regulatory Compliance,Obtain continuous monitoring plan for security controls,CMA_C1577 - Obtain continuous monitoring plan for security 
controls,PCI_DSS_v4.0_12.8.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +22a02c9a-49e4-5dc9-0d14-eb35ad717154,,BuiltIn,Regulatory Compliance,Obtain design and implementation information for the security controls,CMA_C1576 - Obtain design and implementation information for the security controls,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +44b71aa8-099d-8b97-1557-0e853ec38e0d,,BuiltIn,Regulatory Compliance,Obtain functional properties of security controls,CMA_C1575 - Obtain functional properties of security controls,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d18af1ac-0086-4762-6dc8-87cdded90e39,,BuiltIn,Regulatory Compliance,Perform a privacy impact assessment,CMA_0387 - Perform a privacy impact assessment,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8c5d3d8d-5cba-0def-257c-5ab9ea9644dc,,BuiltIn,Regulatory Compliance,Perform a risk assessment,CMA_0388 - Perform a risk assessment,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +50e81644-923d-33fc-6ebb-9733bc8d1a06,,BuiltIn,Regulatory Compliance,Perform a trend analysis on threats,CMA_0389 - Perform a trend analysis on threats,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_12.10.7,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1282809c-9001-176b-4a81-260a085f4872,,BuiltIn,Regulatory Compliance,Perform audit for configuration change control,CMA_0390 - Perform audit for configuration change 
control,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b5a4be05-3997-1731-3260-98be653610f6,,BuiltIn,Regulatory Compliance,Perform disposition review,CMA_0391 - Perform disposition review,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f30edfad-4e1d-1eef-27ee-9292d6d89842,,BuiltIn,Regulatory Compliance,Perform security function verification at a defined frequency,CMA_C1709 - Perform security function verification at a defined frequency,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f,,BuiltIn,Regulatory Compliance,Perform vulnerability scans,CMA_0393 - Perform vulnerability scans,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_11.3.1.1,PCI_DSS_v4.0_11.3.1.3,PCI_DSS_v4.0_11.3.2,PCI_DSS_v4.0_11.3.2.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1,PCI_DSS_v4.0_6.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +70a7a065-a060-85f8-7863-eb7850ed2af9,,BuiltIn,Regulatory Compliance,Produce Security Assessment report,CMA_C1146 - Produce Security Assessment report,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +de077e7e-0cc8-65a6-6e08-9ab46c827b05,,BuiltIn,Regulatory Compliance,"Produce, control and distribute asymmetric cryptographic keys","CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys",PCI_DSS_v4.0_4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +16c54e01-9e65-7524-7c33-beda48a75779,,BuiltIn,Regulatory Compliance,"Produce, control and distribute symmetric cryptographic keys","CMA_C1645 - Produce, control and 
distribute symmetric cryptographic keys","PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0e696f5a-451f-5c15-5532-044136538491,,BuiltIn,Regulatory Compliance,Protect audit information,CMA_0401 - Protect audit information,"PCI_DSS_v4.0_10.3.1,PCI_DSS_v4.0_10.3.2,PCI_DSS_v4.0_10.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b11697e8-9515-16f1-7a35-477d5c8a1344,,BuiltIn,Regulatory Compliance,Protect data in transit using encryption,CMA_0403 - Protect data in transit using encryption,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2401b496-7f23-79b2-9f80-89bb5abf3d4a,,BuiltIn,Regulatory Compliance,Protect incident response plan,CMA_0405 - Protect incident response plan,PCI_DSS_v4.0_12.10.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b2d3e5a2-97ab-5497-565a-71172a729d93,,BuiltIn,Regulatory Compliance,Protect passwords with encryption,CMA_0408 - Protect passwords with encryption,"PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2,PCI_DSS_v4.0_8.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a315c657-4a00-8eba-15ac-44692ad24423,,BuiltIn,Regulatory Compliance,Protect special information,CMA_0409 - Protect special information,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d42a8f69-a193-6cbc-48b9-04a9e29961f1,,BuiltIn,Regulatory Compliance,Protect wireless access,CMA_0411 - Protect wireless access,"PCI_DSS_v4.0_1.3.3,PCI_DSS_v4.0_11.2.2,PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2d4d0e90-32d9-4deb-2166-a00d51ed57c0,,BuiltIn,Regulatory Compliance,Provide information spillage 
training,CMA_0413 - Provide information spillage training,"PCI_DSS_v4.0_12.10.4,PCI_DSS_v4.0_12.10.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9ac8621d-9acd-55bf-9f99-ee4212cc3d85,,BuiltIn,Regulatory Compliance,Provide periodic role-based security training,CMA_C1095 - Provide periodic role-based security training,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_6.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +516be556-1353-080d-2c2f-f46f000d5785,,BuiltIn,Regulatory Compliance,Provide periodic security awareness training,CMA_C1091 - Provide periodic security awareness training,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +098a7b84-1031-66d8-4e78-bd15b5fd2efb,,BuiltIn,Regulatory Compliance,Provide privacy notice,CMA_0414 - Provide privacy notice,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +518eafdd-08e5-37a9-795b-15a8d798056d,,BuiltIn,Regulatory Compliance,Provide privacy training,CMA_0415 - Provide privacy training,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4c385143-09fd-3a34-790c-a5fd9ec77ddc,,BuiltIn,Regulatory Compliance,Provide role-based security training,CMA_C1094 - Provide role-based security training,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b05dca2-25ec-9335-495c-29155f785082,,BuiltIn,Regulatory Compliance,Provide security training before providing access,CMA_0418 - Provide security training before providing access,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_12.6.3.2,PCI_DSS_v4.0_6.2.2,PCI_DSS_v4.0_9.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1cb7bf71-841c-4741-438a-67c65fdd7194,,BuiltIn,Regulatory Compliance,Provide security 
training for new users,CMA_0419 - Provide security training for new users,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_12.6.3.1,PCI_DSS_v4.0_12.6.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d136ae80-54dd-321c-98b4-17acf4af2169,,BuiltIn,Regulatory Compliance,Provide updated security awareness training,CMA_C1090 - Provide updated security awareness training,"PCI_DSS_v4.0_12.6.2,PCI_DSS_v4.0_12.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8b1da407-5e60-5037-612e-2caa1b590719,,BuiltIn,Regulatory Compliance,Record disclosures of PII to third parties,CMA_0422 - Record disclosures of PII to third parties,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.9.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3ae68d9a-5696-8c32-62d3-c6f9c52e437c,,BuiltIn,Regulatory Compliance,Refresh authenticators,CMA_0425 - Refresh authenticators,"PCI_DSS_v4.0_8.3.10,PCI_DSS_v4.0_8.3.10.1,PCI_DSS_v4.0_8.3.9,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f204e72-1896-3bf8-75c9-9128b8683a36,,BuiltIn,Regulatory Compliance,Reissue authenticators for changed groups and accounts,CMA_0426 - Reissue authenticators for changed groups and accounts,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +be38a620-000b-21cf-3cb3-ea151b704c3b,,BuiltIn,Regulatory Compliance,Remediate information system flaws,CMA_0427 - Remediate information system flaws,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_11.3.1.1,PCI_DSS_v4.0_11.3.1.3,PCI_DSS_v4.0_11.3.2,PCI_DSS_v4.0_11.3.2.1,PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_2.2.5,PCI_DSS_v4.0_6.3.1,PCI_DSS_v4.0_6.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +de770ba6-50dd-a316-2932-e0d972eaa734,,BuiltIn,Regulatory Compliance,Require approval for account creation,CMA_0431 - Require approval for account 
creation,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +725164e5-3b21-1ec2-7e42-14f077862841,,BuiltIn,Regulatory Compliance,Require compliance with intellectual property rights,CMA_0432 - Require compliance with intellectual property rights,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f6da5cca-5795-60ff-49e1-4972567815fe,,BuiltIn,Regulatory Compliance,"Require developer to identify SDLC ports, protocols, and services","CMA_C1578 - Require developer to identify SDLC ports, protocols, and services",PCI_DSS_v4.0_1.2.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b33d61c1-7463-7025-0ec0-a47585b59147,,BuiltIn,Regulatory Compliance,Require developers to manage change integrity,CMA_C1595 - Require developers to manage change integrity,PCI_DSS_v4.0_6.5.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4e45863d-9ea9-32b4-a204-2680bc6007a6,,BuiltIn,Regulatory Compliance,Require external service providers to comply with security requirements,CMA_C1586 - Require external service providers to comply with security requirements,"PCI_DSS_v4.0_12.8.1,PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.1,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +08ad71d0-52be-6503-4908-e015460a16ae,,BuiltIn,Regulatory Compliance,Require use of individual authenticators,CMA_C1305 - Require use of individual authenticators,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6aeb800-0b19-944d-92dc-59b893722329,,BuiltIn,Regulatory Compliance,Rescreen individuals at a defined frequency,CMA_C1512 - Rescreen individuals at a defined frequency,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+8d140e8b-76c7-77de-1d46-ed1b2e112444,,BuiltIn,Regulatory Compliance,Restrict access to private keys,CMA_0445 - Restrict access to private keys,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +873895e8-0e3a-6492-42e9-22cd030e9fcd,,BuiltIn,Regulatory Compliance,Restrict access to privileged accounts,CMA_0446 - Restrict access to privileged accounts,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5020f3f4-a579-2f28-72a8-283c5a0b15f9,,BuiltIn,Regulatory Compliance,Restrict communications,CMA_0449 - Restrict communications,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +efef28d0-3226-966a-a1e8-70e89c1b30bc,,BuiltIn,Regulatory Compliance,Retain security policies and procedures,CMA_0454 - Retain security policies and procedures,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7c7032fe-9ce6-9092-5890-87a1a3755db1,,BuiltIn,Regulatory Compliance,Retain terminated user data,CMA_0455 - Retain terminated user data,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +03d550b4-34ee-03f4-515f-f2e2faf7a413,,BuiltIn,Regulatory Compliance,Review access control policies and procedures,CMA_0457 - Review access control policies and procedures,PCI_DSS_v4.0_7.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+a830fe9e-08c9-a4fb-420c-6f6bf1702395,,BuiltIn,Regulatory Compliance,Review account provisioning logs,CMA_0460 - Review account provisioning logs,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3,PCI_DSS_v4.0_7.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f27a298f-9443-014a-0d40-fef12adf0259,,BuiltIn,Regulatory Compliance,Review administrator assignments weekly,CMA_0461 - Review administrator assignments weekly,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eb8a8df9-521f-3ccd-7e2c-3d1fcc812340,,BuiltIn,Regulatory Compliance,Review and update configuration management policies and procedures,CMA_C1175 - Review and update configuration management policies and procedures,"PCI_DSS_v4.0_1.1.1,PCI_DSS_v4.0_2.1.1,PCI_DSS_v4.0_6.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +29acfac0-4bb4-121b-8283-8943198b1549,,BuiltIn,Regulatory Compliance,Review and update identification and authentication policies and procedures,CMA_C1299 - Review and update identification and authentication policies and procedures,PCI_DSS_v4.0_8.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6bededc0-2985-54d5-4158-eb8bad8070a0,,BuiltIn,Regulatory Compliance,Review and update information integrity policies and procedures,CMA_C1667 - Review and update information integrity policies and procedures,"PCI_DSS_v4.0_11.1.1,PCI_DSS_v4.0_5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b4e19d22-8c0e-7cad-3219-c84c62dc250f,,BuiltIn,Regulatory Compliance,Review and update media protection policies and procedures,CMA_C1427 - Review and update media protection policies and procedures,PCI_DSS_v4.0_9.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +91cf132e-0c9f-37a8-a523-dc6a92cd2fb2,,BuiltIn,Regulatory 
Compliance,Review and update physical and environmental policies and procedures,CMA_C1446 - Review and update physical and environmental policies and procedures,PCI_DSS_v4.0_9.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +adf517f3-6dcd-3546-9928-34777d0c277e,,BuiltIn,Regulatory Compliance,Review and update system and communications protection policies and procedures,CMA_C1616 - Review and update system and communications protection policies and procedures,"PCI_DSS_v4.0_1.1.1,PCI_DSS_v4.0_11.1.1,PCI_DSS_v4.0_3.1.1,PCI_DSS_v4.0_4.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f49925aa-9b11-76ae-10e2-6e973cc60f37,,BuiltIn,Regulatory Compliance,Review and update system and services acquisition policies and procedures,CMA_C1560 - Review and update system and services acquisition policies and procedures,PCI_DSS_v4.0_6.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6625638f-3ba1-7404-5983-0ea33d719d34,,BuiltIn,Regulatory Compliance,Review audit data,CMA_0466 - Review audit data,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c246d146-82b0-301f-32e7-1065dcd248b7,,BuiltIn,Regulatory Compliance,Review changes for any unauthorized changes,CMA_C1204 - Review changes for any unauthorized changes,PCI_DSS_v4.0_1.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8aec4343-9153-9641-172c-defb201f56b3,,BuiltIn,Regulatory Compliance,Review cloud identity report overview,CMA_0468 - Review cloud identity report overview,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ffea18d9-13de-6505-37f3-4c1f88070ad7,,BuiltIn,Regulatory Compliance,Review cloud service provider's compliance with policies and agreements,CMA_0469 - Review 
cloud service provider's compliance with policies and agreements,"PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f48b60c6-4b37-332f-7288-b6ea50d300eb,,BuiltIn,Regulatory Compliance,Review controlled folder access events,CMA_0471 - Review controlled folder access events,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba,,BuiltIn,Regulatory Compliance,Review file and folder activity,CMA_0473 - Review file and folder activity,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e23444b9-9662-40f3-289e-6d25c02b48fa,,BuiltIn,Regulatory Compliance,Review label activity and analytics,CMA_0474 - Review label activity and analytics,PCI_DSS_v4.0_3.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4a6f5cbd-6c6b-006f-2bb1-091af1441bce,,BuiltIn,Regulatory Compliance,Review malware detections report weekly,CMA_0475 - Review malware detections report weekly,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +70fe686f-1f91-7dab-11bf-bca4201e183b,,BuiltIn,Regulatory Compliance,Review role group changes weekly,CMA_0476 - Review role group changes weekly,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a4493012-908c-5f48-a468-1e243be884ce,,BuiltIn,Regulatory Compliance,Review security assessment and authorization policies and procedures,CMA_C1143 - Review security assessment and authorization policies and procedures,PCI_DSS_v4.0_11.1.1,PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +fad161f5-5261-401a-22dd-e037bae011bd,,BuiltIn,Regulatory Compliance,Review threat protection status weekly,CMA_0479 - Review threat protection status weekly,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +79f081c7-1634-01a1-708e-376197999289,,BuiltIn,Regulatory Compliance,Review user accounts,CMA_0480 - Review user accounts,PCI_DSS_v4.0_7.2.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eb1c944e-0e94-647b-9b7e-fdb8d2af0838,,BuiltIn,Regulatory Compliance,Review user groups and applications with access to sensitive data,CMA_0481 - Review user groups and applications with access to sensitive data,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f96d2186-79df-262d-3f76-f371e3b71798,,BuiltIn,Regulatory Compliance,Review user privileges,CMA_C1039 - Review user privileges,PCI_DSS_v4.0_7.2.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +32f22cfa-770b-057c-965b-450898425519,,BuiltIn,Regulatory Compliance,Revoke privileged roles as appropriate,CMA_0483 - Revoke privileged roles as appropriate,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_8.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +056a723b-4946-9d2a-5243-3aa27c4d31a1,,BuiltIn,Regulatory Compliance,Satisfy token quality requirements,CMA_0487 - Satisfy token quality requirements,"PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ff1efad2-6b09-54cc-01bf-d386c4d558a8,,BuiltIn,Regulatory Compliance,Secure the interface to external systems,CMA_0491 - Secure 
the interface to external systems,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f78fc35e-1268-0bca-a798-afcba9d2330a,,BuiltIn,Regulatory Compliance,Select additional testing for security control assessments,CMA_C1149 - Select additional testing for security control assessments,PCI_DSS_v4.0_12.4.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +60ee1260-97f0-61bb-8155-5d8b75743655,,BuiltIn,Regulatory Compliance,Separate duties of individuals,CMA_0492 - Separate duties of individuals,PCI_DSS_v4.0_6.2.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +af38215f-70c4-0cd6-40c2-c52d86690a45,,BuiltIn,Regulatory Compliance,Set automated notifications for new and trending cloud applications in your organization,CMA_0495 - Set automated notifications for new and trending cloud applications in your organization,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1d39b5d9-0392-8954-8359-575ce1957d1a,,BuiltIn,Regulatory Compliance,Support personal verification credentials issued by legal authorities,CMA_0507 - Support personal verification credentials issued by legal authorities,PCI_DSS_v4.0_8.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +76d66b5c-85e4-93f5-96a5-ebb2fad61dc6,,BuiltIn,Regulatory Compliance,Terminate customer controlled account credentials,CMA_C1022 - Terminate customer controlled account credentials,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4502e506-5f35-0df4-684f-b326e3cc7093,,BuiltIn,Regulatory Compliance,Terminate user session automatically,CMA_C1054 - Terminate user session automatically,PCI_DSS_v4.0_8.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +77cc89bb-774f-48d7-8a84-fb8c322c3000,,BuiltIn,Regulatory Compliance,Track software license usage,CMA_C1235 - Track software license 
usage,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5fc24b95-53f7-0ed1-2330-701b539b97fe,,BuiltIn,Regulatory Compliance,Turn on sensors for endpoint security solution,CMA_0514 - Turn on sensors for endpoint security solution,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9b55929b-0101-47c0-a16e-d6ac5c7d21f8,,BuiltIn,Regulatory Compliance,Undergo independent security review,CMA_0515 - Undergo independent security review,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65,,BuiltIn,Regulatory Compliance,Update antivirus definitions,CMA_0517 - Update antivirus definitions,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5226dee6-3420-711b-4709-8e675ebd828f,,BuiltIn,Regulatory Compliance,Update information security policies,CMA_0518 - Update information security policies,"PCI_DSS_v4.0_10.1.1,PCI_DSS_v4.0_12.1.2,PCI_DSS_v4.0_12.5.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cc057769-01d9-95ad-a36f-1e62a7f9540b,,BuiltIn,Regulatory Compliance,Update POA&M items,CMA_C1157 - Update POA&M items,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +96333008-988d-4add-549b-92b3a8c42063,,BuiltIn,Regulatory Compliance,"Update privacy plan, policies, and procedures","CMA_C1807 - Update privacy plan, policies, and procedures","PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_3.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e714b481-8fac-64a2-14a9-6f079b2501a4,,BuiltIn,Regulatory Compliance,Use privileged identity management,CMA_0533 - Use privileged identity 
management,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1ee4c7eb-480a-0007-77ff-4ba370776266,,BuiltIn,Regulatory Compliance,Use system clocks for audit records,CMA_0535 - Use system clocks for audit records,"PCI_DSS_v4.0_10.6.1,PCI_DSS_v4.0_10.6.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +72889284-15d2-90b2-4b39-a1e9541e1152,,BuiltIn,Regulatory Compliance,Verify identity before distributing authenticators,CMA_0538 - Verify identity before distributing authenticators,PCI_DSS_v4.0_8.3.11,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6b877a6-5d6d-1862-4b7f-3ccc30b25b63,,BuiltIn,Regulatory Compliance,Verify personal data is deleted at the end of processing,CMA_0540 - Verify personal data is deleted at the end of processing,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ece8bb17-4080-5127-915f-dc7267ee8549,,BuiltIn,Regulatory Compliance,Verify security functions,CMA_C1708 - Verify security functions,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +db28735f-518f-870e-15b4-49623cbe3aa0,,BuiltIn,Regulatory Compliance,"Verify software, firmware and information integrity","CMA_0542 - Verify software, firmware and information integrity","PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1,PCI_DSS_v4.0_6.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0123edae-3567-a05a-9b05-b53ebe9d3e7e,,BuiltIn,Regulatory Compliance,View and configure system diagnostic data,CMA_0544 - View and configure system diagnostic data,"PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1,PCI_DSS_v4.0_6.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+98145a9b-428a-7e81-9d14-ebb154a24f93,,BuiltIn,Regulatory Compliance,View and investigate restricted users,CMA_0545 - View and investigate restricted users,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4f11b553-d42e-4e3a-89be-32ca364cad4c,,BuiltIn,Security Center,A maximum of 3 owners should be designated for your subscription,It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +501541f7-f7e7-4cd6-868c-4190fdad3ac9,,BuiltIn,Security Center,A vulnerability assessment solution should be enabled on your virtual machines,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.","PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e3e008c3-56b9-4133-8fd7-d3347377402a,,BuiltIn,Security Center,Accounts with owner permissions on Azure resources should be MFA enabled,Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +931e118d-50a1-4457-a5e4-78550e086c52,,BuiltIn,Security Center,Accounts with write permissions on Azure resources should be MFA enabled,Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +9daedab3-fb2d-461e-b861-71790eead4f6,,BuiltIn,Security Center,All network ports should be restricted on network security groups associated to your virtual machine,Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.,"PCI_DSS_v4.0_1.3.2,PCI_DSS_v4.0_1.4.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +0cfea604-3201-4e14-88fc-fae4c427a6c5,,BuiltIn,Security Center,Blocked accounts with owner permissions on Azure resources should be removed,Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.,"PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.5,PCI_DSS_v4.0_8.2.7",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,,BuiltIn,Security Center,Blocked accounts with read and write permissions on Azure resources should be removed,Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.,"PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.5,PCI_DSS_v4.0_8.2.7",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +339353f6-2387-4a45-abe4-7f529d121046,,BuiltIn,Security Center,Guest accounts with owner permissions on Azure resources should be removed,External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e9ac8f8e-ce22-4355-8f04-99b911d6be52,,BuiltIn,Security Center,Guest accounts with read permissions on Azure resources should be removed,External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +94e1c2ac-cbbe-4cac-a2b5-389c812dee87,,BuiltIn,Security Center,Guest accounts with write permissions on Azure resources should be removed,External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists 
(Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +af6cd1bd-1635-48cb-bde7-5b15693900b9,,BuiltIn,Security Center,Monitor missing Endpoint Protection in Azure Security Center,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +feedbf84-6b99-488c-acc2-71c829aa5ffc,,BuiltIn,Security Center,SQL databases should have vulnerability findings resolved,Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +86b3d65f-7626-441e-b690-81a8b71cff60,,BuiltIn,Security Center,System updates should be installed on your machines,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +09024ccc-0c5f-475e-9457-b7c0d9ed487b,,BuiltIn,Security Center,There should be more than one owner assigned to your subscription,It is recommended to designate more than one subscription owner in order to have administrator access redundancy.,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +0961003e-5a0a-4549-abde-af6a37f2724d,,BuiltIn,Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and 
Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,,BuiltIn,Security Center,Vulnerabilities in security configuration on your machines should be remediated,Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +617c02be-7f02-4efd-8836-3180d47b6c68,,BuiltIn,Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +1f314764-cb73-4fc9-b863-8eca98ac36e9,,BuiltIn,SQL,An Azure Active Directory administrator should be provisioned for SQL servers,Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9,,BuiltIn,SQL,Auditing on SQL server should be enabled,Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.,"PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +17k78e20-9358-41c9-923c-fb736d382a12,,BuiltIn,SQL,Transparent Data Encryption on SQL databases should be enabled,Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +404c3081-a854-4457-ae30-26a93ef643f9,,BuiltIn,Storage,Secure transfer to storage accounts should be enabled,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +37e0d2fe-28a5-43d6-a273-67d37d1f5606,,BuiltIn,Storage,Storage accounts should be migrated to new Azure Resource Manager resources,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +34c877ad-507e-4c82-993e-3452a6e0ad3c,,BuiltIn,Storage,Storage accounts should restrict network access,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges","PCI_DSS_v4.0_1.3.2,PCI_DSS_v4.0_1.4.2",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, diff --git a/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss4.jsonc b/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss4.jsonc new file mode 100644 index 00000000..f92760a4 --- /dev/null +++ b/StarterKit/Definitions-GitHub-Flow/policyAssignments/pci-dss4.jsonc 
@@ -0,0 +1,51 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", + "nodeName": "/Security/", + "parameterFile": "pci-dss-effects.csv", + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/c676748e-3af9-4e22-bc28-50feed564afb", + "displayName": "Microsoft cloud security benchmark", + "assignment": { + "append": true, + "name": "PCI-DSSv4", + "displayName": "PCI DSS Version 4", + "description": "PCI DSS Version 4 initiative." + } + }, + "children": [ + { + "nodeName": "Prod/", + "assignment": { + "name": "pr-", + "displayName": "Prod ", + "description": "Prod Environment controls enforcement with " + }, + "parameterSelector": "prod", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev-prod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-prod" + ] + } + }, + { + "nodeName": "Nonprod/", + "assignment": { + "name": "tst-", + "displayName": "Nonprod ", + "description": "Nonprod Environment controls enforcement with " + }, + "parameterSelector": "nonprod", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/epac-dev-nonprod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-nonprod" + ] + } + } + ] +} \ No newline at end of file diff --git a/StarterKit/Definitions-Microsoft-Release-Flow/global-settings.jsonc b/StarterKit/Definitions-Microsoft-Release-Flow/global-settings.jsonc index 66837a64..b2f8109b 100644 --- a/StarterKit/Definitions-Microsoft-Release-Flow/global-settings.jsonc +++ b/StarterKit/Definitions-Microsoft-Release-Flow/global-settings.jsonc 
@@ -6,30 +6,36 @@ "pacSelector": "epac-dev", "cloud": "AzureCloud", "tenantId": "77777777-8888-9999-1111-222222222222", - "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-epac-dev" + "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-epac-dev", + "desiredState": { + "strategy": "full", + "keepDfcSecurityAssignments": false + } }, { "pacSelector": "nonprod", "cloud": "AzureCloud", "tenantId": "77777777-8888-9999-1111-222222222222", - "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-nonprod" + "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-nonprod", + "desiredState": { + "strategy": "full", + "keepDfcSecurityAssignments": false + } }, { - "pacSelector": "tenant", + "pacSelector": "prod", "cloud": "AzureCloud", "tenantId": "77777777-8888-9999-1111-222222222222", - "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-enterprise" + "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-enterprise", + "managedIdentityLocation": "eastus2", + "desiredState": { + "strategy": "full", + "keepDfcSecurityAssignments": false + }, + "globalNotScopes": [ + "/providers/Microsoft.Management/managementGroups/mg-nonprod", + "/providers/Microsoft.Management/managementGroups/mg-epac-dev" + ] } - ], - "managedIdentityLocations": { - "*": "eastus2" - }, - "globalNotScopes": { - "nonprod": [ - "/providers/Microsoft.Management/managementGroups/mg-epac-dev" - ], - "tenant": [ - "/providers/Microsoft.Management/managementGroups/mg-nonprod" - ] - } + ] } \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyAssignments/allowed-locations-assignments.jsonc b/StarterKit/hkDefinitions/policyAssignments/allowed-locations-assignments.jsonc new file mode 100644 index 00000000..a2c68409 --- /dev/null +++ b/StarterKit/hkDefinitions/policyAssignments/allowed-locations-assignments.jsonc 
@@ -0,0 +1,26 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", + "nodeName": "/Loc/", + "assignment": { + "name": "allowed-locations", + "displayName": "Allowed Locations", + "description": "Sets the allowed locations" + }, + "definitionEntry": { + "policySetName": "e14e5d7c-9551-4ae2-b8fa-b5d6b9b3c677", + "displayName": "Allowed Locations Initiative" + }, + "parameters": { + "AllowedLocations": [ + "eastus2" + ] + }, + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-enterprise" + ] + } +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyAssignments/pci-dss-effects.csv b/StarterKit/hkDefinitions/policyAssignments/pci-dss-effects.csv new file mode 100644 index 00000000..4359d15c --- /dev/null +++ b/StarterKit/hkDefinitions/policyAssignments/pci-dss-effects.csv 
@@ -0,0 +1,278 @@ +name,referencePath,policyType,category,displayName,description,groupNames,policySets,allowedEffects,PRODEffect,NONPRODEffect,PRODParameters,NONPRODParameters +a4af4a39-4135-47fb-b175-47fbdf85311d,,BuiltIn,App Service,App Service apps should only be accessible over HTTPS,Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Audit,Deny",Audit,Audit,, +6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab,,BuiltIn,App Service,Function apps should only be accessible over HTTPS,Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Audit,Deny",Audit,Audit,, +3657f5a0-770e-44a3-b44e-9431ba1e9735,,BuiltIn,Automation,Automation account variables should be encrypted,It is important to enable encryption of Automation account variable assets when storing sensitive data,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +22bee202-a82f-4305-9a2a-6d7f44d4dedb,,BuiltIn,Cache,Only secure connections to your Azure Cache for Redis should be enabled,"Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +1d84d5fb-01f6-4d12-ba4f-4a26081d403d,,BuiltIn,Compute,Virtual machines should be migrated to new Azure Resource Manager resources,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +a451c1ef-c6ca-483d-87ed-f49761e3ffb5,,BuiltIn,General,Audit usage of custom RBAC roles,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: Audit (Policy Default),"Audit,Disabled",Audit,Audit,, +3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,BuiltIn,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. 
For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: modify (Policy Fixed),"modify,audit",audit,audit,, +497dff13-db2a-4c0f-8603-28fa3b331ab6,,BuiltIn,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: modify (Policy Fixed),"modify,audit",audit,audit,, +5b054a0d-39e2-4d53-bea3-9734cad2c69b,,BuiltIn,Guest Configuration,Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +4ceb8dc2-559c-478b-a15b-733fbf1e3738,,BuiltIn,Guest Configuration,Audit Windows machines that do not have the maximum password age set to specified number of days,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. 
Default value for maximum password age is 70 days",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,"{""IncludeArcMachines"":""false""}","{""IncludeArcMachines"":""false""}" +a2d0e922-65d0-40c4-8f87-ea6da2d307a2,,BuiltIn,Guest Configuration,Audit Windows machines that do not restrict the minimum password length to specified number of characters,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters",PCI_DSS_v4.0_8.3.6,PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +385f5831-96d4-41db-9a3c-cd3af78aaae6,,BuiltIn,Guest Configuration,Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",PCI_DSS_v4.0_8.3.6,PCI-DSS: deployIfNotExists (Policy Fixed),deployIfNotExists,AuditIfNotExists,AuditIfNotExists,, +7f89b1eb-583c-429a-8828-af049802c1d9,,BuiltIn,Monitoring,Audit diagnostic setting for selected resource types,Audit diagnostic setting for selected resource types. 
Be sure to select only resource types which support diagnostics settings.,"PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: AuditIfNotExists (Policy Fixed),AuditIfNotExists,AuditIfNotExists,AuditIfNotExists,"{""listOfResourceTypesWithDiagnosticLogsEnabled"":[""Microsoft.AnalysisServices/servers"",""Microsoft.ApiManagement/service"",""Microsoft.Network/applicationGateways"",""Microsoft.Automation/automationAccounts"",""Microsoft.ContainerInstance/containerGroups"",""Microsoft.ContainerRegistry/registries"",""Microsoft.ContainerService/managedClusters"",""Microsoft.Batch/batchAccounts"",""Microsoft.Cdn/profiles/endpoints"",""Microsoft.CognitiveServices/accounts"",""Microsoft.DocumentDB/databaseAccounts"",""Microsoft.DataFactory/factories"",""Microsoft.DataLakeAnalytics/accounts"",""Microsoft.DataLakeStore/accounts"",""Microsoft.EventGrid/eventSubscriptions"",""Microsoft.EventGrid/topics"",""Microsoft.EventHub/namespaces"",""Microsoft.Network/expressRouteCircuits"",""Microsoft.Network/azureFirewalls"",""Microsoft.HDInsight/clusters"",""Microsoft.Devices/IotHubs"",""Microsoft.KeyVault/vaults"",""Microsoft.Network/loadBalancers"",""Microsoft.Logic/integrationAccounts"",""Microsoft.Logic/workflows"",""Microsoft.DBforMySQL/servers"",""Microsoft.Network/networkInterfaces"",""Microsoft.Network/networkSecurityGroups"",""Microsoft.DBforPostgreSQL/servers"",""Microsoft.PowerBIDedicated/capacities"",""Microsoft.Network/publicIPAddresses"",""Microsoft.RecoveryServices/vaults"",""Microsoft.Cache/redis"",""Microsoft.Relay/namespaces"",""Microsoft.Search/searchServices"",""Microsoft.ServiceBus/namespaces"",""Microsoft.SignalRService/SignalR"",""Microsoft.Sql/servers/databases"",""Microsoft.Sql/servers/elasticPools"",""Microsoft.StreamAnalytics/streamingjobs"",""Microsoft.TimeSeriesInsights/environments"",""Microsoft.Network/trafficManagerProfiles"",""Microsoft.Compute/virtualMachines"",""Microsoft.Compute/virtualMachineScaleSets"",""Microsoft.Network/virtualNetworks"",""Microsoft.N
etwork/virtualNetworkGateways""]}","{""listOfResourceTypesWithDiagnosticLogsEnabled"":[""Microsoft.AnalysisServices/servers"",""Microsoft.ApiManagement/service"",""Microsoft.Network/applicationGateways"",""Microsoft.Automation/automationAccounts"",""Microsoft.ContainerInstance/containerGroups"",""Microsoft.ContainerRegistry/registries"",""Microsoft.ContainerService/managedClusters"",""Microsoft.Batch/batchAccounts"",""Microsoft.Cdn/profiles/endpoints"",""Microsoft.CognitiveServices/accounts"",""Microsoft.DocumentDB/databaseAccounts"",""Microsoft.DataFactory/factories"",""Microsoft.DataLakeAnalytics/accounts"",""Microsoft.DataLakeStore/accounts"",""Microsoft.EventGrid/eventSubscriptions"",""Microsoft.EventGrid/topics"",""Microsoft.EventHub/namespaces"",""Microsoft.Network/expressRouteCircuits"",""Microsoft.Network/azureFirewalls"",""Microsoft.HDInsight/clusters"",""Microsoft.Devices/IotHubs"",""Microsoft.KeyVault/vaults"",""Microsoft.Network/loadBalancers"",""Microsoft.Logic/integrationAccounts"",""Microsoft.Logic/workflows"",""Microsoft.DBforMySQL/servers"",""Microsoft.Network/networkInterfaces"",""Microsoft.Network/networkSecurityGroups"",""Microsoft.DBforPostgreSQL/servers"",""Microsoft.PowerBIDedicated/capacities"",""Microsoft.Network/publicIPAddresses"",""Microsoft.RecoveryServices/vaults"",""Microsoft.Cache/redis"",""Microsoft.Relay/namespaces"",""Microsoft.Search/searchServices"",""Microsoft.ServiceBus/namespaces"",""Microsoft.SignalRService/SignalR"",""Microsoft.Sql/servers/databases"",""Microsoft.Sql/servers/elasticPools"",""Microsoft.StreamAnalytics/streamingjobs"",""Microsoft.TimeSeriesInsights/environments"",""Microsoft.Network/trafficManagerProfiles"",""Microsoft.Compute/virtualMachines"",""Microsoft.Compute/virtualMachineScaleSets"",""Microsoft.Network/virtualNetworks"",""Microsoft.Network/virtualNetworkGateways""]}" +1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1,,BuiltIn,Regulatory Compliance,Adhere to retention periods defined,CMA_0004 - Adhere to retention 
periods defined,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7d7a8356-5c34-9a95-3118-1424cfaf192a,,BuiltIn,Regulatory Compliance,Adopt biometric authentication mechanisms,CMA_0005 - Adopt biometric authentication mechanisms,"PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9622aaa9-5c49-40e2-5bf8-660b7cd23deb,,BuiltIn,Regulatory Compliance,Alert personnel of information spillage,CMA_0007 - Alert personnel of information spillage,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928,,BuiltIn,Regulatory Compliance,Appoint a senior information security officer,CMA_C1733 - Appoint a senior information security officer,PCI_DSS_v4.0_12.1.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37b0045b-3887-367b-8b4d-b9a6fa911bb9,,BuiltIn,Regulatory Compliance,Assess information security events,CMA_0013 - Assess information security events,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08,,BuiltIn,Regulatory Compliance,Assess risk in third party relationships,CMA_0014 - Assess risk in third party relationships,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c423e64d-995c-9f67-0403-b540f65ba42a,,BuiltIn,Regulatory Compliance,Assess Security Controls,CMA_C1145 - Assess Security Controls,PCI_DSS_v4.0_12.4.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f29b17a4-0df2-8a50-058a-8570f9979d28,,BuiltIn,Regulatory Compliance,Assign system identifiers,CMA_0018 - Assign system 
identifiers,"PCI_DSS_v4.0_8.2.1,PCI_DSS_v4.0_8.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f26af0b1-65b6-689a-a03f-352ad2d00f98,,BuiltIn,Regulatory Compliance,Audit privileged functions,CMA_0019 - Audit privileged functions,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +49c23d9b-02b0-0e42-4f94-e8cef1b8381b,,BuiltIn,Regulatory Compliance,Audit user account status,CMA_0020 - Audit user account status,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6f1de470-79f3-1572-866e-db0771352fc8,,BuiltIn,Regulatory Compliance,Authenticate to cryptographic module,CMA_0021 - Authenticate to cryptographic module,"PCI_DSS_v4.0_3.3.2,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +aeed863a-0f56-429f-945d-8bb66bd06841,,BuiltIn,Regulatory Compliance,Authorize access to security functions and information,CMA_0022 - Authorize access to security functions and information,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +50e9324a-7410-0539-0662-2c1e775538b7,,BuiltIn,Regulatory Compliance,Authorize and manage access,CMA_0023 - Authorize and manage access,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +dad8a2e9-6f27-4fc2-8933-7e99fe700c9c,,BuiltIn,Regulatory Compliance,Authorize remote access,CMA_0024 - Authorize remote access,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +2cc9c165-46bd-9762-5739-d2aae5ba90a1,,BuiltIn,Regulatory Compliance,Automate account management,CMA_0026 - Automate account management,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3d399cf3-8fc6-0efc-6ab0-1412f1198517,,BuiltIn,Regulatory Compliance,Block untrusted and unsigned processes that run from USB,CMA_0050 - Block untrusted and unsigned processes that run from USB,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab,,BuiltIn,Regulatory Compliance,Check for privacy and security compliance before establishing internal connections,CMA_0053 - Check for privacy and security compliance before establishing internal connections,PCI_DSS_v4.0_1.2.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c42f19c9-5d88-92da-0742-371a0ea03126,,BuiltIn,Regulatory Compliance,Clear personnel with access to classified information,CMA_0054 - Clear personnel with access to classified information,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8eea8c14-4d93-63a3-0c82-000343ee5204,,BuiltIn,Regulatory Compliance,Conduct a full text analysis of logged privileged commands,CMA_0056 - Conduct a full text analysis of logged privileged commands,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +203101f5-99a3-1491-1b56-acccd9b66a9e,,BuiltIn,Regulatory Compliance,Conduct a security impact analysis,CMA_0057 - Conduct a security impact analysis,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+677e1da4-00c3-287a-563d-f4a1cf9b99a0,,BuiltIn,Regulatory Compliance,Conduct Risk Assessment,CMA_C1543 - Conduct Risk Assessment,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d7c1ecc3-2980-a079-1569-91aec8ac4a77,,BuiltIn,Regulatory Compliance,Conduct risk assessment and distribute its results,CMA_C1544 - Conduct risk assessment and distribute its results,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68,,BuiltIn,Regulatory Compliance,Conduct risk assessment and document its results,CMA_C1542 - Conduct risk assessment and document its results,"PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b53aa659-513e-032c-52e6-1ce0ba46582f,,BuiltIn,Regulatory Compliance,Configure actions for noncompliant devices,CMA_0062 - Configure actions for noncompliant devices,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2927e340-60e4-43ad-6b5f-7a1468232cc2,,BuiltIn,Regulatory Compliance,Configure detection whitelist,CMA_0068 - Configure detection whitelist,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +26daf649-22d1-97e9-2a8a-01b182194d59,,BuiltIn,Regulatory Compliance,Configure workstations to check for digital certificates,CMA_0073 - Configure workstations to check for digital certificates,"PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +59bedbdc-0ba9-39b9-66bb-1d1c192384e6,,BuiltIn,Regulatory Compliance,Control information flow,CMA_0079 - Control information flow,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2,PCI_DSS_v4.0_1.4.3,PCI_DSS_v4.0_1.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+55a7f9a0-6397-7589-05ef-5ed59a8149e7,,BuiltIn,Regulatory Compliance,Control physical access,CMA_0081 - Control physical access,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_9.2.2,PCI_DSS_v4.0_9.2.3,PCI_DSS_v4.0_9.2.4,PCI_DSS_v4.0_9.3.1,PCI_DSS_v4.0_9.3.1.1,PCI_DSS_v4.0_9.3.2,PCI_DSS_v4.0_9.3.3,PCI_DSS_v4.0_9.3.4,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10874318-0bf7-a41f-8463-03e395482080,,BuiltIn,Regulatory Compliance,Correlate audit records,CMA_0087 - Correlate audit records,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +043c1e56-5a16-52f8-6af8-583098ff3e60,,BuiltIn,Regulatory Compliance,Create a data inventory,CMA_0096 - Create a data inventory,"PCI_DSS_v4.0_12.5.2.1,PCI_DSS_v4.0_9.4.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2,,BuiltIn,Regulatory Compliance,Create alternative actions for identified anomalies,CMA_C1711 - Create alternative actions for identified anomalies,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7,,BuiltIn,Regulatory Compliance,Define a physical key management process,CMA_0115 - Define a physical key management process,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f7eb1d0b-6d4f-2d59-1591-7563e11a9313,,BuiltIn,Regulatory Compliance,Define and enforce conditions for shared and group accounts,CMA_0117 - Define and enforce 
conditions for shared and group accounts,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2af4640d-11a6-a64b-5ceb-a468f4341c0c,,BuiltIn,Regulatory Compliance,Define and enforce inactivity log policy,CMA_C1017 - Define and enforce inactivity log policy,PCI_DSS_v4.0_8.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c4ccd607-702b-8ae6-8eeb-fc3339cd4b42,,BuiltIn,Regulatory Compliance,Define cryptographic use,CMA_0120 - Define cryptographic use,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +623b5f0a-8cbd-03a6-4892-201d27302f0c,,BuiltIn,Regulatory Compliance,Define information system account types,CMA_0121 - Define information system account types,"PCI_DSS_v4.0_7.2.5,PCI_DSS_v4.0_8.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d661e9eb-4e15-5ba1-6f02-cdc467db0d6c,,BuiltIn,Regulatory Compliance,Define organizational requirements for cryptographic key management,CMA_0123 - Define organizational requirements for cryptographic key management,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b2f3a72-9e68-3993-2b69-13dcdecf8958,,BuiltIn,Regulatory Compliance,Define requirements for supplying goods and services,CMA_0126 - Define requirements for supplying goods and services,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual 
(Policy Default),"Manual,Disabled",Manual,Manual,, +52375c01-4d4c-7acc-3aa4-5b3d53a047ec,,BuiltIn,Regulatory Compliance,Define the duties of processors,CMA_0127 - Define the duties of processors,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.9.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8e49107c-3338-40d1-02aa-d524178a2afe,,BuiltIn,Regulatory Compliance,Deliver security assessment results,CMA_C1147 - Deliver security assessment results,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +03b6427e-6072-4226-4bd9-a410ab65317e,,BuiltIn,Regulatory Compliance,Design an access control model,CMA_0129 - Design an access control model,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7a0ecd94-3699-5273-76a5-edb8499f655a,,BuiltIn,Regulatory Compliance,Determine assertion requirements,CMA_0136 - Determine assertion requirements,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f67e567-03db-9d1f-67dc-b6ffb91312f4,,BuiltIn,Regulatory Compliance,Determine auditable events,CMA_0137 - Determine auditable events,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.2.1.1,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.4,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.2.1.7,PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +67ada943-8539-083d-35d0-7af648974125,,BuiltIn,Regulatory Compliance,Determine supplier contract obligations,CMA_0140 - Determine supplier contract 
obligations,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +42116f15-5665-a52a-87bb-b40e64c74b6c,,BuiltIn,Regulatory Compliance,Develop acceptable use policies and procedures,CMA_0143 - Develop acceptable use policies and procedures,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +59f7feff-02aa-6539-2cf7-bea75b762140,,BuiltIn,Regulatory Compliance,Develop access control policies and procedures,CMA_0144 - Develop access control policies and procedures,"PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b4e134f-1e4c-2bff-573e-082d85479b6e,,BuiltIn,Regulatory Compliance,Develop an incident response plan,CMA_0145 - Develop an incident response plan,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1,PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +055da733-55c6-9e10-8194-c40731057ec4,,BuiltIn,Regulatory Compliance,Develop and maintain a vulnerability management standard,CMA_0152 - Develop and maintain a vulnerability management standard,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f20840e-7925-221c-725d-757442753e7c,,BuiltIn,Regulatory Compliance,Develop and maintain baseline configurations,CMA_0153 - Develop and maintain baseline configurations,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a28323fe-276d-3787-32d2-cef6395764c4,,BuiltIn,Regulatory Compliance,Develop audit and accountability policies and procedures,CMA_0154 - Develop audit and accountability policies and procedures,PCI_DSS_v4.0_10.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +af227964-5b8b-22a2-9364-06d2cb9d6d7c,,BuiltIn,Regulatory Compliance,Develop information 
security policies and procedures,CMA_0158 - Develop information security policies and procedures,PCI_DSS_v4.0_10.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +477bd136-7dd9-55f8-48ac-bae096b86a07,,BuiltIn,Regulatory Compliance,Develop POA&M,CMA_C1156 - Develop POA&M,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1c258345-5cd4-30c8-9ef3-5ee4dd5231d6,,BuiltIn,Regulatory Compliance,Develop security assessment plan,CMA_C1144 - Develop security assessment plan,"PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_12.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +423f6d9c-0c73-9cc6-64f4-b52242490368,,BuiltIn,Regulatory Compliance,Develop security safeguards,CMA_0161 - Develop security safeguards,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10,,BuiltIn,Regulatory Compliance,Disable authenticators upon termination,CMA_0169 - Disable authenticators upon termination,PCI_DSS_v4.0_8.2.6,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9c93ef57-7000-63fb-9b74-88f2e17ca5d2,,BuiltIn,Regulatory Compliance,Disseminate security alerts to personnel,CMA_C1705 - Disseminate security alerts to personnel,"PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_6.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +098dcde7-016a-06c3-0985-0daaf3301d3a,,BuiltIn,Regulatory Compliance,Distribute authenticators,CMA_0184 - Distribute authenticators,PCI_DSS_v4.0_8.3.11,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0803eaa7-671c-08a7-52fd-ac419f775e75,,BuiltIn,Regulatory Compliance,Document acquisition contract acceptance criteria,CMA_0187 - Document acquisition contract acceptance criteria,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +04b3e7f6-4841-888d-4799-cda19a0084f6,,BuiltIn,Regulatory Compliance,Document and implement wireless access 
guidelines,CMA_0190 - Document and implement wireless access guidelines,"PCI_DSS_v4.0_1.3.3,PCI_DSS_v4.0_11.2.2,PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +83dfb2b8-678b-20a0-4c44-5c75ada023e6,,BuiltIn,Regulatory Compliance,Document mobility training,CMA_0191 - Document mobility training,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +271a3e58-1b38-933d-74c9-a580006b80aa,,BuiltIn,Regulatory Compliance,Document personnel acceptance of privacy requirements,CMA_0193 - Document personnel acceptance of privacy requirements,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f9ec3263-9562-1768-65a1-729793635a8d,,BuiltIn,Regulatory Compliance,Document protection of personal data in acquisition contracts,CMA_0194 - Document protection of personal data in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d78f95ba-870a-a500-6104-8a5ce2534f19,,BuiltIn,Regulatory Compliance,Document protection of security information in acquisition contracts,CMA_0195 - Document protection of security information in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3d492600-27ba-62cc-a1c3-66eb919f6a0d,,BuiltIn,Regulatory Compliance,Document remote access guidelines,CMA_0196 - Document remote access guidelines,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0ba211ef-0e85-2a45-17fc-401d1b3f8f85,,BuiltIn,Regulatory Compliance,Document requirements for the use of shared data in contracts,CMA_0197 - Document requirements for the use of shared data in contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +524e7136-9f6a-75ba-9089-501018151346,,BuiltIn,Regulatory Compliance,Document security and privacy training activities,CMA_0198 - Document security and privacy training activities,PCI_DSS_v4.0_12.6.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +13efd2d7-3980-a2a4-39d0-527180c009e8,,BuiltIn,Regulatory Compliance,Document security assurance requirements in acquisition contracts,CMA_0199 - Document security assurance requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a465e8e9-0095-85cb-a05f-1dd4960d02af,,BuiltIn,Regulatory Compliance,Document security documentation requirements in acquisition contract,CMA_0200 - Document security documentation requirements in acquisition contract,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +57927290-8000-59bf-3776-90c468ac5b4b,,BuiltIn,Regulatory Compliance,Document security functional requirements in acquisition contracts,CMA_0201 - Document security functional requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ebb0ba89-6d8c-84a7-252b-7393881e43de,,BuiltIn,Regulatory Compliance,Document security strength requirements in acquisition contracts,CMA_0203 - Document security strength requirements in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5,PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c148208b-1a6f-a4ac-7abc-23b1d41121b1,,BuiltIn,Regulatory Compliance,Document the information system environment in acquisition contracts,CMA_0205 - Document the information system environment in acquisition contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+79c75b38-334b-1a69-65e0-a9d929a42f75,,BuiltIn,Regulatory Compliance,Document the legal basis for processing personal information,CMA_0206 - Document the legal basis for processing personal information,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +77acc53d-0f67-6e06-7d04-5750653d4629,,BuiltIn,Regulatory Compliance,Document the protection of cardholder data in third party contracts,CMA_0207 - Document the protection of cardholder data in third party contracts,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eaaae23f-92c9-4460-51cf-913feaea4d52,,BuiltIn,Regulatory Compliance,Employ a media sanitization mechanism,CMA_0208 - Employ a media sanitization mechanism,"PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4,,BuiltIn,Regulatory Compliance,Employ automatic shutdown/restart when violations are detected,CMA_C1715 - Employ automatic shutdown/restart when violations are detected,"PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +79365f13-8ba4-1f6c-2ac4-aa39929f56d0,,BuiltIn,Regulatory Compliance,Employ flow control mechanisms of encrypted information,CMA_0211 - Employ flow control mechanisms of encrypted information,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2,PCI_DSS_v4.0_1.4.3,PCI_DSS_v4.0_1.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +611ebc63-8600-50b6-a0e3-fef272457132,,BuiltIn,Regulatory Compliance,Employ independent team for penetration testing,CMA_C1171 - Employ independent team for penetration testing,"PCI_DSS_v4.0_11.4.1,PCI_DSS_v4.0_11.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1bc7fd64-291f-028e-4ed6-6e07886e163f,,BuiltIn,Regulatory Compliance,Employ least 
privilege access,CMA_0212 - Employ least privilege access,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2c843d78-8f64-92b5-6a9b-e8186c0e7eb6,,BuiltIn,Regulatory Compliance,Enable dual or joint authorization,CMA_0226 - Enable dual or joint authorization,"PCI_DSS_v4.0_10.3.1,PCI_DSS_v4.0_10.3.2,PCI_DSS_v4.0_10.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8c255136-994b-9616-79f5-ae87810e0dcf,,BuiltIn,Regulatory Compliance,Enable network protection,CMA_0238 - Enable network protection,"PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b4409bff-2287-8407-05fd-c73175a68302,,BuiltIn,Regulatory Compliance,Enforce a limit of consecutive failed login attempts,CMA_C1044 - Enforce a limit of consecutive failed login attempts,PCI_DSS_v4.0_8.3.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8cd815bf-97e1-5144-0735-11f6ddb50a59,,BuiltIn,Regulatory Compliance,Enforce and audit access restrictions,CMA_C1203 - Enforce and audit access restrictions,PCI_DSS_v4.0_1.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10c4210b-3ec9-9603-050d-77e4d26c7ebb,,BuiltIn,Regulatory Compliance,Enforce logical access,CMA_0245 - Enforce logical access,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b1666a13-8f67-9c47-155e-69e027ff6823,,BuiltIn,Regulatory Compliance,Enforce mandatory and discretionary access control policies,CMA_0246 - Enforce mandatory and discretionary access control policies,"PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2,PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +509552f5-6528-3540-7959-fbeae4832533,,BuiltIn,Regulatory Compliance,Enforce rules of behavior and access agreements,CMA_0248 - Enforce rules of behavior and access agreements,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +058e9719-1ff9-3653-4230-23f76b6492e0,,BuiltIn,Regulatory Compliance,Enforce security configuration settings,CMA_0249 - Enforce security configuration settings,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1,PCI_DSS_v4.0_2.2.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e336d5f4-4d8f-0059-759c-ae10f63d1747,,BuiltIn,Regulatory Compliance,Enforce user uniqueness,CMA_0250 - Enforce user uniqueness,PCI_DSS_v4.0_8.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37dbe3dc-0e9c-24fa-36f2-11197cbfa207,,BuiltIn,Regulatory Compliance,Ensure authorized users protect provided authenticators,CMA_C1339 - Ensure authorized users protect provided authenticators,PCI_DSS_v4.0_8.3.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +54a9c072-4a93-2a03-6a43-a060d30383d7,,BuiltIn,Regulatory Compliance,Eradicate contaminated information,CMA_0253 - Eradicate contaminated information,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7380631c-5bf5-0e3a-4509-0873becd8a63,,BuiltIn,Regulatory Compliance,Establish a configuration control board,CMA_0254 - Establish a configuration control board,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3c9aa856-6b86-35dc-83f4-bc72cec74dea,,BuiltIn,Regulatory Compliance,Establish a data leakage management procedure,CMA_0255 - Establish a data leakage management procedure,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d8bbd80e-3bb1-5983-06c2-428526ec6a63,,BuiltIn,Regulatory Compliance,Establish a 
password policy,CMA_0256 - Establish a password policy,"PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +39eb03c1-97cc-11ab-0960-6209ed2869f7,,BuiltIn,Regulatory Compliance,Establish a privacy program,CMA_0257 - Establish a privacy program,"PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_3.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d36700f2-2f0d-7c2a-059c-bdadd1d79f70,,BuiltIn,Regulatory Compliance,Establish a risk management strategy,CMA_0258 - Establish a risk management strategy,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b0e3035d-6366-2e37-796e-8bcab9c649e6,,BuiltIn,Regulatory Compliance,Establish a threat intelligence program,CMA_0260 - Establish a threat intelligence program,"PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_6.3.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +84245967-7882-54f6-2d34-85059f725b47,,BuiltIn,Regulatory Compliance,Establish an information security program,CMA_0263 - Establish an information security program,"PCI_DSS_v4.0_12.1.2,PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_12.5.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +526ed90e-890f-69e7-0386-ba5c0f1f784f,,BuiltIn,Regulatory Compliance,Establish and document a configuration management plan,CMA_0264 - Establish and document a configuration management plan,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +bd4dc286-2f30-5b95-777c-681f3a7913d3,,BuiltIn,Regulatory Compliance,Establish and document change control processes,CMA_0265 - Establish and document change control processes,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_1.2.8,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0,,BuiltIn,Regulatory 
Compliance,Establish authenticator types and processes,CMA_0267 - Establish authenticator types and processes,"PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.3.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4f23967c-a74b-9a09-9dc2-f566f61a87b9,,BuiltIn,Regulatory Compliance,Establish backup policies and procedures,CMA_0268 - Establish backup policies and procedures,PCI_DSS_v4.0_10.3.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8747b573-8294-86a0-8914-49e9b06a5ace,,BuiltIn,Regulatory Compliance,Establish configuration management requirements for developers,CMA_0270 - Establish configuration management requirements for developers,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b544f797-a73b-1be3-6d01-6b1a085376bc,,BuiltIn,Regulatory Compliance,Establish information security workforce development and improvement program,CMA_C1752 - Establish information security workforce development and improvement program,PCI_DSS_v4.0_12.6.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9150259b-617b-596d-3bf5-5ca3fce20335,,BuiltIn,Regulatory Compliance,Establish policies for supply chain risk management,CMA_0275 - Establish policies for supply chain risk management,"PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b3c8cc83-20d3-3890-8bc8-5568777670f4,,BuiltIn,Regulatory Compliance,Establish requirements for audit review and reporting,CMA_0277 - Establish requirements for audit review and reporting,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ba78efc6-795c-64f4-7a02-91effbd34af9,,BuiltIn,Regulatory Compliance,Execute actions in response to information spills,CMA_0281 - Execute actions in 
response to information spills,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +333b4ada-4a02-0648-3d4d-d812974f1bb2,,BuiltIn,Regulatory Compliance,Govern and monitor audit processing activities,CMA_0289 - Govern and monitor audit processing activities,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1a2a03a4-9992-5788-5953-d8f6615306de,,BuiltIn,Regulatory Compliance,Govern policies and procedures,CMA_0292 - Govern policies and procedures,"PCI_DSS_v4.0_10.1.1,PCI_DSS_v4.0_7.1.1,PCI_DSS_v4.0_7.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ae5345d5-8dab-086a-7290-db43a3272198,,BuiltIn,Regulatory Compliance,Identify and authenticate network devices,CMA_0296 - Identify and authenticate network devices,"PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2,PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e1379836-3492-6395-451d-2f5062e14136,,BuiltIn,Regulatory Compliance,Identify and authenticate non-organizational users,CMA_C1346 - Identify and authenticate non-organizational users,PCI_DSS_v4.0_8.2.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +46ab2c5e-6654-1f58-8c83-e97a44f39308,,BuiltIn,Regulatory Compliance,Identify external service providers,CMA_C1591 - Identify external service providers,PCI_DSS_v4.0_1.2.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +015b4935-448a-8684-27c0-d13086356c33,,BuiltIn,Regulatory Compliance,Implement a threat awareness program,CMA_C1758 - Implement a threat awareness program,PCI_DSS_v4.0_12.6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +33832848-42ab-63f3-1a55-c0ad309d44cd,,BuiltIn,Regulatory Compliance,Implement an automated configuration management tool,CMA_0311 - Implement an automated configuration 
management tool,"PCI_DSS_v4.0_1.2.1,PCI_DSS_v4.0_2.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +35de8462-03ff-45b3-5746-9d4603c74c56,,BuiltIn,Regulatory Compliance,Implement an insider threat program,CMA_C1751 - Implement an insider threat program,PCI_DSS_v4.0_12.6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e435f7e3-0dd9-58c9-451f-9b44b96c0232,,BuiltIn,Regulatory Compliance,Implement controls to secure all media,CMA_0314 - Implement controls to secure all media,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3,PCI_DSS_v4.0_9.4.1,PCI_DSS_v4.0_9.4.1.1,PCI_DSS_v4.0_9.4.2,PCI_DSS_v4.0_9.4.3,PCI_DSS_v4.0_9.4.4,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e,,BuiltIn,Regulatory Compliance,Implement controls to secure alternate work sites,CMA_0315 - Implement controls to secure alternate work sites,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +10c3a1b1-29b0-a2d5-8f4c-a284b0f07830,,BuiltIn,Regulatory Compliance,Implement cryptographic mechanisms,CMA_C1419 - Implement cryptographic mechanisms,PCI_DSS_v4.0_2.2.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +433de59e-7a53-a766-02c2-f80f8421469a,,BuiltIn,Regulatory Compliance,Implement incident handling,CMA_0318 - Implement incident handling,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.5,PCI_DSS_v4.0_12.10.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b262e1dd-08e9-41d4-963a-258909ad794b,,BuiltIn,Regulatory Compliance,Implement managed interface for each external service,CMA_C1626 - Implement managed interface for each external service,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3b30aa25-0f19-6c04-5ca4-bd3f880a763d,,BuiltIn,Regulatory 
Compliance,Implement parameters for memorized secret verifiers,CMA_0321 - Implement parameters for memorized secret verifiers,"PCI_DSS_v4.0_8.3.6,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e0c480bf-0d68-a42d-4cbb-b60f851f8716,,BuiltIn,Regulatory Compliance,Implement personnel screening,CMA_0322 - Implement personnel screening,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +05ec66a2-137c-14b8-8e75-3d7a2bef07f8,,BuiltIn,Regulatory Compliance,"Implement physical security for offices, working areas, and secure areas","CMA_0323 - Implement physical security for offices, working areas, and secure areas","PCI_DSS_v4.0_9.2.3,PCI_DSS_v4.0_9.2.4,PCI_DSS_v4.0_9.3.2,PCI_DSS_v4.0_9.3.3,PCI_DSS_v4.0_9.3.4,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +06f84330-4c27-21f7-72cd-7488afd50244,,BuiltIn,Regulatory Compliance,Implement privacy notice delivery methods,CMA_0324 - Implement privacy notice delivery methods,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +26d178a4-9261-6f04-a100-47ed85314c6e,,BuiltIn,Regulatory Compliance,Implement security directives,CMA_C1706 - Implement security directives,PCI_DSS_v4.0_6.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +01ae60e2-38bb-0a32-7b20-d3a091423409,,BuiltIn,Regulatory Compliance,Implement system boundary protection,CMA_0328 - Implement system boundary protection,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e4b00788-7e1c-33ec-0418-d048508e095b,,BuiltIn,Regulatory Compliance,Implement training for protecting authenticators,CMA_0329 - Implement training for protecting 
authenticators,"PCI_DSS_v4.0_8.3.8,PCI_DSS_v4.0_8.6.2,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +834b7a4a-83ab-2188-1a26-9c5033d8173b,,BuiltIn,Regulatory Compliance,Incorporate security and data privacy practices in research processing,CMA_0331 - Incorporate security and data privacy practices in research processing,PCI_DSS_v4.0_6.5.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f741c4e6-41eb-15a4-25a2-61ac7ca232f0,,BuiltIn,Regulatory Compliance,"Integrate audit review, analysis, and reporting","CMA_0339 - Integrate audit review, analysis, and reporting","PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9,,BuiltIn,Regulatory Compliance,Integrate cloud app security with a siem,CMA_0340 - Integrate cloud app security with a siem,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +97d91b33-7050-237b-3e23-a77d57d84e13,,BuiltIn,Regulatory Compliance,Issue public key certificates,CMA_0347 - Issue public key certificates,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2af551d5-1775-326a-0589-590bfb7e9eb2,,BuiltIn,Regulatory Compliance,Limit privileges to make changes in production environment,CMA_C1206 - Limit privileges to make changes in production environment,"PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+3ad7f0bc-3d03-0585-4d24-529779bb02c2,,BuiltIn,Regulatory Compliance,Maintain availability of information,CMA_C1644 - Maintain availability of information,"PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0fd1ca29-677b-2f12-1879-639716459160,,BuiltIn,Regulatory Compliance,Maintain data breach records,CMA_0351 - Maintain data breach records,PCI_DSS_v4.0_12.10.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +37546841-8ea1-5be0-214d-8ac599588332,,BuiltIn,Regulatory Compliance,Maintain incident response plan,CMA_0352 - Maintain incident response plan,"PCI_DSS_v4.0_12.10.2,PCI_DSS_v4.0_12.10.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +92ede480-154e-0e22-4dca-8b46a74a3a51,,BuiltIn,Regulatory Compliance,Maintain records of processing of personal data,CMA_0353 - Maintain records of processing of personal data,"PCI_DSS_v4.0_1.2.4,PCI_DSS_v4.0_12.5.2,PCI_DSS_v4.0_12.5.2.1,PCI_DSS_v4.0_9.4.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +29363ae1-68cd-01ca-799d-92c9197c8404,,BuiltIn,Regulatory Compliance,Manage authenticator lifetime and reuse,CMA_0355 - Manage authenticator lifetime and reuse,"PCI_DSS_v4.0_8.3.10,PCI_DSS_v4.0_8.3.10.1,PCI_DSS_v4.0_8.3.9,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4aacaec9-0628-272c-3e83-0d68446694e0,,BuiltIn,Regulatory Compliance,Manage Authenticators,CMA_C1321 - Manage Authenticators,PCI_DSS_v4.0_2.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4e400494-53a5-5147-6f4d-718b539c7394,,BuiltIn,Regulatory Compliance,Manage compliance activities,CMA_0358 - Manage compliance activities,PCI_DSS_v4.0_12.4.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +63f63e71-6c3f-9add-4c43-64de23e554a7,,BuiltIn,Regulatory Compliance,Manage gateways,CMA_0363 - Manage 
gateways,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9c276cf3-596f-581a-7fbd-f5e46edaa0f4,,BuiltIn,Regulatory Compliance,Manage symmetric cryptographic keys,CMA_0367 - Manage symmetric cryptographic keys,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +34d38ea7-6754-1838-7031-d7fd07099821,,BuiltIn,Regulatory Compliance,Manage system and admin accounts,CMA_0368 - Manage system and admin accounts,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e603da3a-8af7-4f8a-94cb-1bcc0e0333d2,,BuiltIn,Regulatory Compliance,"Manage the input, output, processing, and storage of data","CMA_0369 - Manage the input, output, processing, and storage of data","PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_9.5.1,PCI_DSS_v4.0_9.5.1.2,PCI_DSS_v4.0_9.5.1.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4ac81669-00e2-9790-8648-71bc11bc91eb,,BuiltIn,Regulatory Compliance,Manage the transportation of assets,CMA_0370 - Manage the transportation of assets,"PCI_DSS_v4.0_9.4.3,PCI_DSS_v4.0_9.4.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +48c816c5-2190-61fc-8806-25d6f3df162f,,BuiltIn,Regulatory Compliance,Monitor access across the organization,CMA_0376 - Monitor access across the organization,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7b28ba4f-0a87-46ac-62e1-46b7c09202a8,,BuiltIn,Regulatory Compliance,Monitor account 
activity,CMA_0377 - Monitor account activity,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_7.2.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ed87d27a-9abf-7c71-714c-61d881889da4,,BuiltIn,Regulatory Compliance,Monitor privileged role assignment,CMA_0378 - Monitor privileged role assignment,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +18e9d748-73d4-0c96-55ab-b108bfbd5bc3,,BuiltIn,Regulatory Compliance,Notify personnel of any failed security verification tests,CMA_C1710 - Notify personnel of any failed security verification tests,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8489ff90-8d29-61df-2d84-f9ab0f4c5e84,,BuiltIn,Regulatory Compliance,Notify when account is not needed,CMA_0383 - Notify when account is not needed,"PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3f1216b0-30ee-1ac9-3899-63eb744e85f5,,BuiltIn,Regulatory Compliance,Obtain Admin documentation,CMA_C1580 - Obtain Admin documentation,PCI_DSS_v4.0_6.3.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +069101ac-4578-31da-0cd4-ff083edd3eb4,,BuiltIn,Regulatory Compliance,Obtain consent prior to collection or processing of personal data,CMA_0385 - Obtain consent prior to collection or processing of personal data,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ca6d7878-3189-1833-4620-6c7254ed1607,,BuiltIn,Regulatory Compliance,Obtain continuous monitoring plan for security controls,CMA_C1577 - Obtain continuous monitoring plan for security 
controls,PCI_DSS_v4.0_12.8.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +22a02c9a-49e4-5dc9-0d14-eb35ad717154,,BuiltIn,Regulatory Compliance,Obtain design and implementation information for the security controls,CMA_C1576 - Obtain design and implementation information for the security controls,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +44b71aa8-099d-8b97-1557-0e853ec38e0d,,BuiltIn,Regulatory Compliance,Obtain functional properties of security controls,CMA_C1575 - Obtain functional properties of security controls,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.8.5",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d18af1ac-0086-4762-6dc8-87cdded90e39,,BuiltIn,Regulatory Compliance,Perform a privacy impact assessment,CMA_0387 - Perform a privacy impact assessment,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8c5d3d8d-5cba-0def-257c-5ab9ea9644dc,,BuiltIn,Regulatory Compliance,Perform a risk assessment,CMA_0388 - Perform a risk assessment,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_12.3.1,PCI_DSS_v4.0_12.3.2,PCI_DSS_v4.0_5.2.3.1,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +50e81644-923d-33fc-6ebb-9733bc8d1a06,,BuiltIn,Regulatory Compliance,Perform a trend analysis on threats,CMA_0389 - Perform a trend analysis on threats,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_12.10.7,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1282809c-9001-176b-4a81-260a085f4872,,BuiltIn,Regulatory Compliance,Perform audit for configuration change control,CMA_0390 - Perform audit for configuration change 
control,"PCI_DSS_v4.0_1.2.2,PCI_DSS_v4.0_5.3.5,PCI_DSS_v4.0_6.5.1,PCI_DSS_v4.0_6.5.3,PCI_DSS_v4.0_6.5.4,PCI_DSS_v4.0_6.5.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b5a4be05-3997-1731-3260-98be653610f6,,BuiltIn,Regulatory Compliance,Perform disposition review,CMA_0391 - Perform disposition review,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f30edfad-4e1d-1eef-27ee-9292d6d89842,,BuiltIn,Regulatory Compliance,Perform security function verification at a defined frequency,CMA_C1709 - Perform security function verification at a defined frequency,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f,,BuiltIn,Regulatory Compliance,Perform vulnerability scans,CMA_0393 - Perform vulnerability scans,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_11.3.1.1,PCI_DSS_v4.0_11.3.1.3,PCI_DSS_v4.0_11.3.2,PCI_DSS_v4.0_11.3.2.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1,PCI_DSS_v4.0_6.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +70a7a065-a060-85f8-7863-eb7850ed2af9,,BuiltIn,Regulatory Compliance,Produce Security Assessment report,CMA_C1146 - Produce Security Assessment report,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +de077e7e-0cc8-65a6-6e08-9ab46c827b05,,BuiltIn,Regulatory Compliance,"Produce, control and distribute asymmetric cryptographic keys","CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys",PCI_DSS_v4.0_4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +16c54e01-9e65-7524-7c33-beda48a75779,,BuiltIn,Regulatory Compliance,"Produce, control and distribute symmetric cryptographic keys","CMA_C1645 - Produce, control and 
distribute symmetric cryptographic keys","PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0e696f5a-451f-5c15-5532-044136538491,,BuiltIn,Regulatory Compliance,Protect audit information,CMA_0401 - Protect audit information,"PCI_DSS_v4.0_10.3.1,PCI_DSS_v4.0_10.3.2,PCI_DSS_v4.0_10.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b11697e8-9515-16f1-7a35-477d5c8a1344,,BuiltIn,Regulatory Compliance,Protect data in transit using encryption,CMA_0403 - Protect data in transit using encryption,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2401b496-7f23-79b2-9f80-89bb5abf3d4a,,BuiltIn,Regulatory Compliance,Protect incident response plan,CMA_0405 - Protect incident response plan,PCI_DSS_v4.0_12.10.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b2d3e5a2-97ab-5497-565a-71172a729d93,,BuiltIn,Regulatory Compliance,Protect passwords with encryption,CMA_0408 - Protect passwords with encryption,"PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.2,PCI_DSS_v4.0_8.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a315c657-4a00-8eba-15ac-44692ad24423,,BuiltIn,Regulatory Compliance,Protect special information,CMA_0409 - Protect special information,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_3.5.1.1,PCI_DSS_v4.0_3.5.1.2,PCI_DSS_v4.0_3.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d42a8f69-a193-6cbc-48b9-04a9e29961f1,,BuiltIn,Regulatory Compliance,Protect wireless access,CMA_0411 - Protect wireless access,"PCI_DSS_v4.0_1.3.3,PCI_DSS_v4.0_11.2.2,PCI_DSS_v4.0_2.3.1,PCI_DSS_v4.0_2.3.2,PCI_DSS_v4.0_4.2.1.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2d4d0e90-32d9-4deb-2166-a00d51ed57c0,,BuiltIn,Regulatory Compliance,Provide information spillage 
training,CMA_0413 - Provide information spillage training,"PCI_DSS_v4.0_12.10.4,PCI_DSS_v4.0_12.10.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9ac8621d-9acd-55bf-9f99-ee4212cc3d85,,BuiltIn,Regulatory Compliance,Provide periodic role-based security training,CMA_C1095 - Provide periodic role-based security training,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_6.2.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +516be556-1353-080d-2c2f-f46f000d5785,,BuiltIn,Regulatory Compliance,Provide periodic security awareness training,CMA_C1091 - Provide periodic security awareness training,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +098a7b84-1031-66d8-4e78-bd15b5fd2efb,,BuiltIn,Regulatory Compliance,Provide privacy notice,CMA_0414 - Provide privacy notice,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +518eafdd-08e5-37a9-795b-15a8d798056d,,BuiltIn,Regulatory Compliance,Provide privacy training,CMA_0415 - Provide privacy training,"PCI_DSS_v4.0_1.5.1,PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4c385143-09fd-3a34-790c-a5fd9ec77ddc,,BuiltIn,Regulatory Compliance,Provide role-based security training,CMA_C1094 - Provide role-based security training,PCI_DSS_v4.0_12.6.3,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2b05dca2-25ec-9335-495c-29155f785082,,BuiltIn,Regulatory Compliance,Provide security training before providing access,CMA_0418 - Provide security training before providing access,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_12.6.3.2,PCI_DSS_v4.0_6.2.2,PCI_DSS_v4.0_9.5.1.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1cb7bf71-841c-4741-438a-67c65fdd7194,,BuiltIn,Regulatory Compliance,Provide security 
training for new users,CMA_0419 - Provide security training for new users,"PCI_DSS_v4.0_12.6.3,PCI_DSS_v4.0_12.6.3.1,PCI_DSS_v4.0_12.6.3.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +d136ae80-54dd-321c-98b4-17acf4af2169,,BuiltIn,Regulatory Compliance,Provide updated security awareness training,CMA_C1090 - Provide updated security awareness training,"PCI_DSS_v4.0_12.6.2,PCI_DSS_v4.0_12.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8b1da407-5e60-5037-612e-2caa1b590719,,BuiltIn,Regulatory Compliance,Record disclosures of PII to third parties,CMA_0422 - Record disclosures of PII to third parties,"PCI_DSS_v4.0_12.8.2,PCI_DSS_v4.0_12.9.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +3ae68d9a-5696-8c32-62d3-c6f9c52e437c,,BuiltIn,Regulatory Compliance,Refresh authenticators,CMA_0425 - Refresh authenticators,"PCI_DSS_v4.0_8.3.10,PCI_DSS_v4.0_8.3.10.1,PCI_DSS_v4.0_8.3.9,PCI_DSS_v4.0_8.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +2f204e72-1896-3bf8-75c9-9128b8683a36,,BuiltIn,Regulatory Compliance,Reissue authenticators for changed groups and accounts,CMA_0426 - Reissue authenticators for changed groups and accounts,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +be38a620-000b-21cf-3cb3-ea151b704c3b,,BuiltIn,Regulatory Compliance,Remediate information system flaws,CMA_0427 - Remediate information system flaws,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_11.3.1.1,PCI_DSS_v4.0_11.3.1.3,PCI_DSS_v4.0_11.3.2,PCI_DSS_v4.0_11.3.2.1,PCI_DSS_v4.0_12.3.4,PCI_DSS_v4.0_2.2.5,PCI_DSS_v4.0_6.3.1,PCI_DSS_v4.0_6.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +de770ba6-50dd-a316-2932-e0d972eaa734,,BuiltIn,Regulatory Compliance,Require approval for account creation,CMA_0431 - Require approval for account 
creation,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.6.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +725164e5-3b21-1ec2-7e42-14f077862841,,BuiltIn,Regulatory Compliance,Require compliance with intellectual property rights,CMA_0432 - Require compliance with intellectual property rights,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f6da5cca-5795-60ff-49e1-4972567815fe,,BuiltIn,Regulatory Compliance,"Require developer to identify SDLC ports, protocols, and services","CMA_C1578 - Require developer to identify SDLC ports, protocols, and services",PCI_DSS_v4.0_1.2.5,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b33d61c1-7463-7025-0ec0-a47585b59147,,BuiltIn,Regulatory Compliance,Require developers to manage change integrity,CMA_C1595 - Require developers to manage change integrity,PCI_DSS_v4.0_6.5.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4e45863d-9ea9-32b4-a204-2680bc6007a6,,BuiltIn,Regulatory Compliance,Require external service providers to comply with security requirements,CMA_C1586 - Require external service providers to comply with security requirements,"PCI_DSS_v4.0_12.8.1,PCI_DSS_v4.0_12.8.3,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.1,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +08ad71d0-52be-6503-4908-e015460a16ae,,BuiltIn,Regulatory Compliance,Require use of individual authenticators,CMA_C1305 - Require use of individual authenticators,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6aeb800-0b19-944d-92dc-59b893722329,,BuiltIn,Regulatory Compliance,Rescreen individuals at a defined frequency,CMA_C1512 - Rescreen individuals at a defined frequency,PCI_DSS_v4.0_12.7.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+8d140e8b-76c7-77de-1d46-ed1b2e112444,,BuiltIn,Regulatory Compliance,Restrict access to private keys,CMA_0445 - Restrict access to private keys,"PCI_DSS_v4.0_3.6.1,PCI_DSS_v4.0_3.6.1.1,PCI_DSS_v4.0_3.6.1.2,PCI_DSS_v4.0_3.6.1.3,PCI_DSS_v4.0_3.6.1.4,PCI_DSS_v4.0_3.7.1,PCI_DSS_v4.0_3.7.2,PCI_DSS_v4.0_3.7.3,PCI_DSS_v4.0_3.7.4,PCI_DSS_v4.0_3.7.5,PCI_DSS_v4.0_3.7.6,PCI_DSS_v4.0_3.7.7,PCI_DSS_v4.0_3.7.8,PCI_DSS_v4.0_3.7.9,PCI_DSS_v4.0_4.2.1,PCI_DSS_v4.0_4.2.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +873895e8-0e3a-6492-42e9-22cd030e9fcd,,BuiltIn,Regulatory Compliance,Restrict access to privileged accounts,CMA_0446 - Restrict access to privileged accounts,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5020f3f4-a579-2f28-72a8-283c5a0b15f9,,BuiltIn,Regulatory Compliance,Restrict communications,CMA_0449 - Restrict communications,"PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.2,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_3.4.1,PCI_DSS_v4.0_3.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +efef28d0-3226-966a-a1e8-70e89c1b30bc,,BuiltIn,Regulatory Compliance,Retain security policies and procedures,CMA_0454 - Retain security policies and procedures,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +7c7032fe-9ce6-9092-5890-87a1a3755db1,,BuiltIn,Regulatory Compliance,Retain terminated user data,CMA_0455 - Retain terminated user data,"PCI_DSS_v4.0_10.5.1,PCI_DSS_v4.0_5.3.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +03d550b4-34ee-03f4-515f-f2e2faf7a413,,BuiltIn,Regulatory Compliance,Review access control policies and procedures,CMA_0457 - Review access control policies and procedures,PCI_DSS_v4.0_7.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+a830fe9e-08c9-a4fb-420c-6f6bf1702395,,BuiltIn,Regulatory Compliance,Review account provisioning logs,CMA_0460 - Review account provisioning logs,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3,PCI_DSS_v4.0_7.2.4",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f27a298f-9443-014a-0d40-fef12adf0259,,BuiltIn,Regulatory Compliance,Review administrator assignments weekly,CMA_0461 - Review administrator assignments weekly,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eb8a8df9-521f-3ccd-7e2c-3d1fcc812340,,BuiltIn,Regulatory Compliance,Review and update configuration management policies and procedures,CMA_C1175 - Review and update configuration management policies and procedures,"PCI_DSS_v4.0_1.1.1,PCI_DSS_v4.0_2.1.1,PCI_DSS_v4.0_6.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +29acfac0-4bb4-121b-8283-8943198b1549,,BuiltIn,Regulatory Compliance,Review and update identification and authentication policies and procedures,CMA_C1299 - Review and update identification and authentication policies and procedures,PCI_DSS_v4.0_8.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6bededc0-2985-54d5-4158-eb8bad8070a0,,BuiltIn,Regulatory Compliance,Review and update information integrity policies and procedures,CMA_C1667 - Review and update information integrity policies and procedures,"PCI_DSS_v4.0_11.1.1,PCI_DSS_v4.0_5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +b4e19d22-8c0e-7cad-3219-c84c62dc250f,,BuiltIn,Regulatory Compliance,Review and update media protection policies and procedures,CMA_C1427 - Review and update media protection policies and procedures,PCI_DSS_v4.0_9.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +91cf132e-0c9f-37a8-a523-dc6a92cd2fb2,,BuiltIn,Regulatory 
Compliance,Review and update physical and environmental policies and procedures,CMA_C1446 - Review and update physical and environmental policies and procedures,PCI_DSS_v4.0_9.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +adf517f3-6dcd-3546-9928-34777d0c277e,,BuiltIn,Regulatory Compliance,Review and update system and communications protection policies and procedures,CMA_C1616 - Review and update system and communications protection policies and procedures,"PCI_DSS_v4.0_1.1.1,PCI_DSS_v4.0_11.1.1,PCI_DSS_v4.0_3.1.1,PCI_DSS_v4.0_4.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f49925aa-9b11-76ae-10e2-6e973cc60f37,,BuiltIn,Regulatory Compliance,Review and update system and services acquisition policies and procedures,CMA_C1560 - Review and update system and services acquisition policies and procedures,PCI_DSS_v4.0_6.1.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +6625638f-3ba1-7404-5983-0ea33d719d34,,BuiltIn,Regulatory Compliance,Review audit data,CMA_0466 - Review audit data,"PCI_DSS_v4.0_10.2.1,PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c246d146-82b0-301f-32e7-1065dcd248b7,,BuiltIn,Regulatory Compliance,Review changes for any unauthorized changes,CMA_C1204 - Review changes for any unauthorized changes,PCI_DSS_v4.0_1.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +8aec4343-9153-9641-172c-defb201f56b3,,BuiltIn,Regulatory Compliance,Review cloud identity report overview,CMA_0468 - Review cloud identity report overview,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ffea18d9-13de-6505-37f3-4c1f88070ad7,,BuiltIn,Regulatory Compliance,Review cloud service provider's compliance with policies and agreements,CMA_0469 - Review 
cloud service provider's compliance with policies and agreements,"PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f48b60c6-4b37-332f-7288-b6ea50d300eb,,BuiltIn,Regulatory Compliance,Review controlled folder access events,CMA_0471 - Review controlled folder access events,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba,,BuiltIn,Regulatory Compliance,Review file and folder activity,CMA_0473 - Review file and folder activity,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e23444b9-9662-40f3-289e-6d25c02b48fa,,BuiltIn,Regulatory Compliance,Review label activity and analytics,CMA_0474 - Review label activity and analytics,PCI_DSS_v4.0_3.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4a6f5cbd-6c6b-006f-2bb1-091af1441bce,,BuiltIn,Regulatory Compliance,Review malware detections report weekly,CMA_0475 - Review malware detections report weekly,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +70fe686f-1f91-7dab-11bf-bca4201e183b,,BuiltIn,Regulatory Compliance,Review role group changes weekly,CMA_0476 - Review role group changes weekly,"PCI_DSS_v4.0_10.4.1,PCI_DSS_v4.0_10.4.1.1,PCI_DSS_v4.0_10.4.2,PCI_DSS_v4.0_10.4.2.1,PCI_DSS_v4.0_10.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +a4493012-908c-5f48-a468-1e243be884ce,,BuiltIn,Regulatory Compliance,Review security assessment and authorization policies and procedures,CMA_C1143 - Review security assessment and authorization policies and procedures,PCI_DSS_v4.0_11.1.1,PCI-DSS: Manual (Policy 
Default),"Manual,Disabled",Manual,Manual,, +fad161f5-5261-401a-22dd-e037bae011bd,,BuiltIn,Regulatory Compliance,Review threat protection status weekly,CMA_0479 - Review threat protection status weekly,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +79f081c7-1634-01a1-708e-376197999289,,BuiltIn,Regulatory Compliance,Review user accounts,CMA_0480 - Review user accounts,PCI_DSS_v4.0_7.2.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +eb1c944e-0e94-647b-9b7e-fdb8d2af0838,,BuiltIn,Regulatory Compliance,Review user groups and applications with access to sensitive data,CMA_0481 - Review user groups and applications with access to sensitive data,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.3,PCI_DSS_v4.0_7.2.6,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_7.3.2,PCI_DSS_v4.0_7.3.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f96d2186-79df-262d-3f76-f371e3b71798,,BuiltIn,Regulatory Compliance,Review user privileges,CMA_C1039 - Review user privileges,PCI_DSS_v4.0_7.2.4,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +32f22cfa-770b-057c-965b-450898425519,,BuiltIn,Regulatory Compliance,Revoke privileged roles as appropriate,CMA_0483 - Revoke privileged roles as appropriate,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3,PCI_DSS_v4.0_8.2.6",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +056a723b-4946-9d2a-5243-3aa27c4d31a1,,BuiltIn,Regulatory Compliance,Satisfy token quality requirements,CMA_0487 - Satisfy token quality requirements,"PCI_DSS_v4.0_8.2.3,PCI_DSS_v4.0_8.3.1,PCI_DSS_v4.0_8.3.11,PCI_DSS_v4.0_8.4.2,PCI_DSS_v4.0_8.4.3,PCI_DSS_v4.0_8.5.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ff1efad2-6b09-54cc-01bf-d386c4d558a8,,BuiltIn,Regulatory Compliance,Secure the interface to external systems,CMA_0491 - Secure 
the interface to external systems,"PCI_DSS_v4.0_1.4.1,PCI_DSS_v4.0_1.4.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +f78fc35e-1268-0bca-a798-afcba9d2330a,,BuiltIn,Regulatory Compliance,Select additional testing for security control assessments,CMA_C1149 - Select additional testing for security control assessments,PCI_DSS_v4.0_12.4.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +60ee1260-97f0-61bb-8155-5d8b75743655,,BuiltIn,Regulatory Compliance,Separate duties of individuals,CMA_0492 - Separate duties of individuals,PCI_DSS_v4.0_6.2.3.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +af38215f-70c4-0cd6-40c2-c52d86690a45,,BuiltIn,Regulatory Compliance,Set automated notifications for new and trending cloud applications in your organization,CMA_0495 - Set automated notifications for new and trending cloud applications in your organization,"PCI_DSS_v4.0_11.5.1,PCI_DSS_v4.0_11.5.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1d39b5d9-0392-8954-8359-575ce1957d1a,,BuiltIn,Regulatory Compliance,Support personal verification credentials issued by legal authorities,CMA_0507 - Support personal verification credentials issued by legal authorities,PCI_DSS_v4.0_8.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +76d66b5c-85e4-93f5-96a5-ebb2fad61dc6,,BuiltIn,Regulatory Compliance,Terminate customer controlled account credentials,CMA_C1022 - Terminate customer controlled account credentials,PCI_DSS_v4.0_8.2.2,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4502e506-5f35-0df4-684f-b326e3cc7093,,BuiltIn,Regulatory Compliance,Terminate user session automatically,CMA_C1054 - Terminate user session automatically,PCI_DSS_v4.0_8.2.8,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +77cc89bb-774f-48d7-8a84-fb8c322c3000,,BuiltIn,Regulatory Compliance,Track software license usage,CMA_C1235 - Track software license 
usage,PCI_DSS_v4.0_12.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5fc24b95-53f7-0ed1-2330-701b539b97fe,,BuiltIn,Regulatory Compliance,Turn on sensors for endpoint security solution,CMA_0514 - Turn on sensors for endpoint security solution,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +9b55929b-0101-47c0-a16e-d6ac5c7d21f8,,BuiltIn,Regulatory Compliance,Undergo independent security review,CMA_0515 - Undergo independent security review,"PCI_DSS_v4.0_12.4.2,PCI_DSS_v4.0_12.4.2.1,PCI_DSS_v4.0_12.8.4,PCI_DSS_v4.0_12.9.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65,,BuiltIn,Regulatory Compliance,Update antivirus definitions,CMA_0517 - Update antivirus definitions,"PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_5.3.1,PCI_DSS_v4.0_5.3.3,PCI_DSS_v4.0_5.4.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +5226dee6-3420-711b-4709-8e675ebd828f,,BuiltIn,Regulatory Compliance,Update information security policies,CMA_0518 - Update information security policies,"PCI_DSS_v4.0_10.1.1,PCI_DSS_v4.0_12.1.2,PCI_DSS_v4.0_12.5.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +cc057769-01d9-95ad-a36f-1e62a7f9540b,,BuiltIn,Regulatory Compliance,Update POA&M items,CMA_C1157 - Update POA&M items,PCI_DSS_v4.0_12.4.2.1,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +96333008-988d-4add-549b-92b3a8c42063,,BuiltIn,Regulatory Compliance,"Update privacy plan, policies, and procedures","CMA_C1807 - Update privacy plan, policies, and procedures","PCI_DSS_v4.0_12.4.1,PCI_DSS_v4.0_3.1.1",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +e714b481-8fac-64a2-14a9-6f079b2501a4,,BuiltIn,Regulatory Compliance,Use privileged identity management,CMA_0533 - Use privileged identity 
management,"PCI_DSS_v4.0_10.2.1.2,PCI_DSS_v4.0_10.2.1.3,PCI_DSS_v4.0_10.2.1.5,PCI_DSS_v4.0_10.2.1.6,PCI_DSS_v4.0_10.6.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +1ee4c7eb-480a-0007-77ff-4ba370776266,,BuiltIn,Regulatory Compliance,Use system clocks for audit records,CMA_0535 - Use system clocks for audit records,"PCI_DSS_v4.0_10.6.1,PCI_DSS_v4.0_10.6.2",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +72889284-15d2-90b2-4b39-a1e9541e1152,,BuiltIn,Regulatory Compliance,Verify identity before distributing authenticators,CMA_0538 - Verify identity before distributing authenticators,PCI_DSS_v4.0_8.3.11,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +c6b877a6-5d6d-1862-4b7f-3ccc30b25b63,,BuiltIn,Regulatory Compliance,Verify personal data is deleted at the end of processing,CMA_0540 - Verify personal data is deleted at the end of processing,"PCI_DSS_v4.0_3.2.1,PCI_DSS_v4.0_3.3.1,PCI_DSS_v4.0_3.3.1.1,PCI_DSS_v4.0_3.3.1.3,PCI_DSS_v4.0_9.4.6,PCI_DSS_v4.0_9.4.7",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +ece8bb17-4080-5127-915f-dc7267ee8549,,BuiltIn,Regulatory Compliance,Verify security functions,CMA_C1708 - Verify security functions,"PCI_DSS_v4.0_10.7.1,PCI_DSS_v4.0_10.7.2,PCI_DSS_v4.0_10.7.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +db28735f-518f-870e-15b4-49623cbe3aa0,,BuiltIn,Regulatory Compliance,"Verify software, firmware and information integrity","CMA_0542 - Verify software, firmware and information integrity","PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1,PCI_DSS_v4.0_6.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +0123edae-3567-a05a-9b05-b53ebe9d3e7e,,BuiltIn,Regulatory Compliance,View and configure system diagnostic data,CMA_0544 - View and configure system diagnostic data,"PCI_DSS_v4.0_11.5.2,PCI_DSS_v4.0_11.6.1,PCI_DSS_v4.0_6.4.3",PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, 
+98145a9b-428a-7e81-9d14-ebb154a24f93,,BuiltIn,Regulatory Compliance,View and investigate restricted users,CMA_0545 - View and investigate restricted users,PCI_DSS_v4.0_12.10.7,PCI-DSS: Manual (Policy Default),"Manual,Disabled",Manual,Manual,, +4f11b553-d42e-4e3a-89be-32ca364cad4c,,BuiltIn,Security Center,A maximum of 3 owners should be designated for your subscription,It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +501541f7-f7e7-4cd6-868c-4190fdad3ac9,,BuiltIn,Security Center,A vulnerability assessment solution should be enabled on your virtual machines,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. 
Additionally, Security Center can automatically deploy this tool for you.","PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e3e008c3-56b9-4133-8fd7-d3347377402a,,BuiltIn,Security Center,Accounts with owner permissions on Azure resources should be MFA enabled,Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +931e118d-50a1-4457-a5e4-78550e086c52,,BuiltIn,Security Center,Accounts with write permissions on Azure resources should be MFA enabled,Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +9daedab3-fb2d-461e-b861-71790eead4f6,,BuiltIn,Security Center,All network ports should be restricted on network security groups associated to your virtual machine,Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.,"PCI_DSS_v4.0_1.3.2,PCI_DSS_v4.0_1.4.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +0cfea604-3201-4e14-88fc-fae4c427a6c5,,BuiltIn,Security Center,Blocked accounts with owner permissions on Azure resources should be removed,Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in.,"PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.5,PCI_DSS_v4.0_8.2.7",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,,BuiltIn,Security Center,Blocked accounts with read and write permissions on Azure resources should be removed,Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.,"PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.5,PCI_DSS_v4.0_8.2.7",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +339353f6-2387-4a45-abe4-7f529d121046,,BuiltIn,Security Center,Guest accounts with owner permissions on Azure resources should be removed,External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e9ac8f8e-ce22-4355-8f04-99b911d6be52,,BuiltIn,Security Center,Guest accounts with read permissions on Azure resources should be removed,External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +94e1c2ac-cbbe-4cac-a2b5-389c812dee87,,BuiltIn,Security Center,Guest accounts with write permissions on Azure resources should be removed,External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.2.4,PCI_DSS_v4.0_8.2.7,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists 
(Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +af6cd1bd-1635-48cb-bde7-5b15693900b9,,BuiltIn,Security Center,Monitor missing Endpoint Protection in Azure Security Center,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +feedbf84-6b99-488c-acc2-71c829aa5ffc,,BuiltIn,Security Center,SQL databases should have vulnerability findings resolved,Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +86b3d65f-7626-441e-b690-81a8b71cff60,,BuiltIn,Security Center,System updates should be installed on your machines,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +09024ccc-0c5f-475e-9457-b7c0d9ed487b,,BuiltIn,Security Center,There should be more than one owner assigned to your subscription,It is recommended to designate more than one subscription owner in order to have administrator access redundancy.,"PCI_DSS_v4.0_7.2.1,PCI_DSS_v4.0_7.2.2",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +0961003e-5a0a-4549-abde-af6a37f2724d,,BuiltIn,Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and 
Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,,BuiltIn,Security Center,Vulnerabilities in security configuration on your machines should be remediated,Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations,"PCI_DSS_v4.0_11.3.1,PCI_DSS_v4.0_5.2.1,PCI_DSS_v4.0_5.2.2,PCI_DSS_v4.0_5.2.3,PCI_DSS_v4.0_6.3.3,PCI_DSS_v4.0_6.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +617c02be-7f02-4efd-8836-3180d47b6c68,,BuiltIn,Service Fabric,Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign,"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +1f314764-cb73-4fc9-b863-8eca98ac36e9,,BuiltIn,SQL,An Azure Active Directory administrator should be provisioned for SQL servers,Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services,"PCI_DSS_v4.0_3.3.3,PCI_DSS_v4.0_7.3.1,PCI_DSS_v4.0_8.4.1",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9,,BuiltIn,SQL,Auditing on SQL server should be enabled,Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.,"PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +17k78e20-9358-41c9-923c-fb736d382a12,,BuiltIn,SQL,Transparent Data Encryption on SQL databases should be enabled,Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements,"PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: AuditIfNotExists (Policy Default),"AuditIfNotExists,Disabled",AuditIfNotExists,AuditIfNotExists,, +404c3081-a854-4457-ae30-26a93ef643f9,,BuiltIn,Storage,Secure transfer to storage accounts should be enabled,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","PCI_DSS_v4.0_3.5.1,PCI_DSS_v4.0_6.2.4",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +37e0d2fe-28a5-43d6-a273-67d37d1f5606,,BuiltIn,Storage,Storage accounts should be migrated to new Azure Resource Manager resources,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","PCI_DSS_v4.0_10.2.2,PCI_DSS_v4.0_10.3.3",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, +34c877ad-507e-4c82-993e-3452a6e0ad3c,,BuiltIn,Storage,Storage accounts should restrict network access,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges","PCI_DSS_v4.0_1.3.2,PCI_DSS_v4.0_1.4.2",PCI-DSS: Audit (Policy Default),"Disabled,Deny,Audit",Audit,Audit,, diff --git a/StarterKit/hkDefinitions/policyAssignments/pci-dss4.jsonc b/StarterKit/hkDefinitions/policyAssignments/pci-dss4.jsonc new file mode 100644 index 00000000..912939b4 --- /dev/null +++ b/StarterKit/hkDefinitions/policyAssignments/pci-dss4.jsonc 
@@ -0,0 +1,51 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", + "nodeName": "/Security/", + "parameterFile": "pci-dss-effects.csv", + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/c676748e-3af9-4e22-bc28-50feed564afb", + "displayName": "Microsoft cloud security benchmark", + "assignment": { + "append": true, + "name": "PCI-DSSv4", + "displayName": "PCI DSS Version 4", + "description": "PCI DSS Version 4 initiative." + } + }, + "children": [ + { + "nodeName": "Prod/", + "assignment": { + "name": "pr-", + "displayName": "Prod ", + "description": "Prod Environment controls enforcement with " + }, + "parameterSelector": "PROD", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev-prod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-prod" + ] + } + }, + { + "nodeName": "Nonprod/", + "assignment": { + "name": "tst-", + "displayName": "Nonprod ", + "description": "Nonprod Environment controls enforcement with " + }, + "parameterSelector": "NONPROD", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/epac-dev-nonprod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-nonprod" + ] + } + } + ] +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyAssignments/security-baseline-assignments.jsonc b/StarterKit/hkDefinitions/policyAssignments/security-baseline-assignments.jsonc new file mode 100644 index 00000000..db5b8e90 --- /dev/null +++ b/StarterKit/hkDefinitions/policyAssignments/security-baseline-assignments.jsonc 
@@ -0,0 +1,63 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", + "nodeName": "/Security/", + "parameterFile": "security-baseline-parameters.csv", + "definitionEntryList": [ + { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "displayName": "Azure Security Benchmark", + "assignment": { + "append": true, + "name": "asb", + "displayName": "Azure Security Benchmark", + "description": "Azure Security Benchmark Initiative." + } + }, + { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f", + "displayName": "NIST SP 800-53 Rev. 5", + "assignment": { + "append": true, + "name": "nist-800-53-r5", + "displayName": "NIST SP 800-53 Rev. 5", + "description": "NIST SP 800-53 Rev. 5 Initiative." + } + } + ], + "children": [ + { + "nodeName": "Prod/", + "assignment": { + "name": "pr-", + "displayName": "Prod ", + "description": "Prod Environment controls enforcement with " + }, + "parameterSelector": "prod", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev-prod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-prod" + ] + } + }, + { + "nodeName": "Nonprod/", + "assignment": { + "name": "tst-", + "displayName": "Nonprod ", + "description": "Nonprod Environment controls enforcement with " + }, + "parameterSelector": "nonprod", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/epac-dev-nonprod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-nonprod" + ] + } + } + ] +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyAssignments/security-baseline-parameters.csv b/StarterKit/hkDefinitions/policyAssignments/security-baseline-parameters.csv new file mode 100644 index 00000000..9b1e18fd --- /dev/null 
+++ b/StarterKit/hkDefinitions/policyAssignments/security-baseline-parameters.csv 
@@ -0,0 +1,1953 @@ +"name","referencePath","policyType","category","displayName","description","groupNames","policySets","allowedEffects","prodEffect","nonprodEffect","prodParameters","nonprodParameters" +"051cba44-2429-45b9-9649-46cec11c7119","","BuiltIn","API for FHIR","Azure API for FHIR should use a customer-managed key to encrypt data at rest","Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"1ee56206-5dd1-42ab-b02d-8aae8b1634ce","","BuiltIn","API for FHIR","Azure API for FHIR should use private link","Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"ee7495e7-3ba7-40b6-bfee-c29e22cc75d4","","BuiltIn","API Management","API Management APIs should use only encrypted protocols","To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. 
Avoid using unsecured protocols, such as HTTP or WS.","Azure_Security_Benchmark_v3.0_DP-3","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"c15dcc82-b93c-4dcb-9332-fbf121685b54","","BuiltIn","API Management","API Management calls to API backends should be authenticated","Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.","Azure_Security_Benchmark_v3.0_IM-4","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"92bb331d-ac71-416a-8c91-02f2cb734ce4","","BuiltIn","API Management","API Management calls to API backends should not bypass certificate thumbprint or name validation","To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation.","Azure_Security_Benchmark_v3.0_IM-4","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b741306c-968e-4b67-b916-5675e5c709f4","","BuiltIn","API Management","API Management direct management endpoint should not be enabled","The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.","Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"549814b6-3212-4203-bdc8-1548d342fb67","","BuiltIn","API Management","API Management minimum API version should be set to 2019-12-01 or higher","To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.","Azure_Security_Benchmark_v3.0_IM-8, +Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" 
+"f1cc7827-022c-473e-836e-5a51cae0b249","","BuiltIn","API Management","API Management secret named values should be stored in Azure Key Vault","Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies.","Azure_Security_Benchmark_v3.0_IM-8, +Azure_Security_Benchmark_v3.0_DP-6","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ef619a2c-cc4d-4d03-b2ba-8c94a834d85b","","BuiltIn","API Management","API Management services should use a virtual network","Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. 
The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames"":[""Developer"",""Premium""],""evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b"":[""Developer"",""Premium""]}","{""aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames"":[""Developer"",""Premium""],""evaluatedSkuNames-ef619a2c-cc4d-4d03-b2ba-8c94a834d85b"":[""Developer"",""Premium""]}" +"df73bd95-24da-4a4f-96b9-4e8b94b402bd","","BuiltIn","API Management","API Management should disable public network access to the service configuration endpoints","To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.","Azure_Security_Benchmark_v3.0_NS-2","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3aa03346-d8c5-4994-a5bc-7652c2a2aef1","","BuiltIn","API Management","API Management subscriptions should not be scoped to all APIs","API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.","Azure_Security_Benchmark_v3.0_PA-7","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1dc2fc00-2245-4143-99f4-874c937f13ef","","BuiltIn","API Management","Azure API Management platform version should be stv2","Azure API Management stv1 compute platform version will be retired effective 31 August 2024, 
and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024","Azure_Security_Benchmark_v3.0_PV-2, +Azure_Security_Benchmark_v3.0_AM-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ca610c1d-041c-4332-9d88-7ed3094967c7","","BuiltIn","App Configuration","App Configuration should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: appConfigurationShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"af35e2a4-ef96-44e7-a9ae-853dd97032c4","","BuiltIn","App Platform","Azure Spring Cloud should use network injection","Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. 
Empower customers to control inbound and outbound network communications for Azure Spring Cloud.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1)","ASB: Audit (default: azureSpringCloudShouldUseNetworkInjectionMonitoringEffect), +NIST-800-53: Audit (default: effect-af35e2a4-ef96-44e7-a9ae-853dd97032c4)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4"":[""Standard""]}","{""evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4"":[""Standard""]}" +"eaebaea7-8013-4ceb-9d14-7eb32271373c","","BuiltIn","App Service","[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled","Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect), +NIST-800-53: Disabled (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"19dd1db6-f442-49cf-a838-b0786b4401ef","","BuiltIn","App Service","App Service apps should have Client Certificates (Incoming client certificates) enabled","Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. 
This policy applies to apps with Http version set to 1.1.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (Policy Default), +NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"cb510bfd-1cba-4d9f-a230-cb0976f4bb71","","BuiltIn","App Service","App Service apps should have remote debugging turned off","Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: webAppDisableRemoteDebuggingMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"91a78b24-f231-4a8a-8da9-02c35b2b6510","","BuiltIn","App Service","App Service apps should have resource logs enabled","Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"5744710e-cc2f-4ee8-8809-3b11e89f4bc9","","BuiltIn","App Service","App Service apps should not have CORS configured to allow every resource to access your apps","Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. 
Allow only required domains to interact with your app.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: webAppRestrictCORSAccessMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a4af4a39-4135-47fb-b175-47fbdf85311d","","BuiltIn","App Service","App Service apps should only be accessible over HTTPS","Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: webAppEnforceHttpsMonitoringEffectV2), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b","","BuiltIn","App Service","App Service apps should require FTPS only","Enable FTPS enforcement for enhanced security.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: AuditIfNotExists (default: fTPSShouldBeRequiredInYourWebAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"8c122334-9d20-4eb8-89ea-ac9a705b74ae","","BuiltIn","App Service","App Service apps should use latest 'HTTP Version'","Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-2(6)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"2b9ad585-36bc-4615-b300-fd4435808332","","BuiltIn","App Service","App Service apps should use managed identity","Use a managed identity for enhanced authentication security","Azure_Security_Benchmark_v3.0_IM-3, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-4","ASB: AuditIfNotExists (default: managedIdentityShouldBeUsedInYourWebAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b","","BuiltIn","App Service","App Service apps should use the latest TLS version","Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","Azure_Security_Benchmark_v3.0_NS-8, +Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: AuditIfNotExists (default: latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"fb74e86f-d351-4b8d-b034-93da7391c01f","","BuiltIn","App Service","App Service Environment should have internal encryption enabled","Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. 
To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"0e60b895-3786-45da-8377-9c6b4b6ac5f9","","BuiltIn","App Service","Function apps should have remote debugging turned off","Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: functionAppDisableRemoteDebuggingMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0820b7b9-23aa-4725-a1ce-ae4558f718e5","","BuiltIn","App Service","Function apps should not have CORS configured to allow every resource to access your apps","Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: functionAppRestrictCORSAccessMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab","","BuiltIn","App Service","Function apps should only be accessible over HTTPS","Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: functionAppEnforceHttpsMonitoringEffectV2), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"399b2637-a50f-4f95-96f8-3a145476eb15","","BuiltIn","App Service","Function apps should require FTPS only","Enable FTPS enforcement for enhanced security.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: AuditIfNotExists (default: fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e2c1c086-2d84-4019-bff3-c44ccd95113c","","BuiltIn","App Service","Function apps should use latest 'HTTP Version'","Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-2(6)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0da106f2-4ca3-48e8-bc85-c638fe6aea8f","","BuiltIn","App Service","Function apps should use managed identity","Use a managed identity for enhanced authentication security","Azure_Security_Benchmark_v3.0_IM-3, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-4","ASB: AuditIfNotExists (default: managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f9d614c5-c173-4d56-95a7-b4437057d193","","BuiltIn","App Service","Function apps should use the latest TLS version","Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. 
Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","Azure_Security_Benchmark_v3.0_NS-8, +Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: AuditIfNotExists (default: latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3657f5a0-770e-44a3-b44e-9431ba1e9735","","BuiltIn","Automation","Automation account variables should be encrypted","It is important to enable encryption of Automation account variable assets when storing sensitive data","Azure_Security_Benchmark_v3.0_DP-4, +NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","ASB: Audit (default: encryptionOfAutomationAccountMonitoringEffect), +NIST-800-53: Audit (default: effect-3657f5a0-770e-44a3-b44e-9431ba1e9735)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"56a5ee18-2ae6-4810-86f7-18e39ce5629b","","BuiltIn","Automation","Azure Automation accounts should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more at https://aka.ms/automation-cmk.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-56a5ee18-2ae6-4810-86f7-18e39ce5629b)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"71ef260a-8f18-47b7-abcb-62d0673d94dc","","BuiltIn","Azure Ai Services","Azure AI Services resources should have key access disabled (disable local authentication)","Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth","Azure_Security_Benchmark_v3.0_IM-1, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-2(1), +NIST_SP_800-53_R5_AC-2(7), +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-4","ASB: Audit (Policy Default), +NIST-800-53: Audit (default: effect-71ef260a-8f18-47b7-abcb-62d0673d94dc)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"037eea7a-bd0a-46c5-9a66-03aea78705d3","","BuiltIn","Azure Ai Services","Azure AI Services resources should restrict network access","By restricting network access, you can ensure that only allowed networks can access the service. 
This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect), +NIST-800-53: Audit (default: effect-037eea7a-bd0a-46c5-9a66-03aea78705d3)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"81e74cea-30fd-40d5-802f-d72103c2aaaa","","BuiltIn","Azure Data Explorer","Azure Data Explorer encryption at rest should use a customer-managed key","Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-81e74cea-30fd-40d5-802f-d72103c2aaaa)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"f4b53539-8df9-40e4-86c6-6b607703bd4e","","BuiltIn","Azure Data Explorer","Disk encryption should be enabled on Azure Data Explorer","Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-f4b53539-8df9-40e4-86c6-6b607703bd4e)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ec068d99-e9c7-401f-8cef-5bdde4e6ccf1","","BuiltIn","Azure Data Explorer","Double encryption should be enabled on Azure Data Explorer","Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. 
When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-ec068d99-e9c7-401f-8cef-5bdde4e6ccf1)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"51c1490f-3319-459c-bbbc-7f391bbed753","","BuiltIn","Azure Databricks","Azure Databricks Clusters should disable public IP","Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"9c25c9e4-ee12-4882-afd2-11fb9d87893f","","BuiltIn","Azure Databricks","Azure Databricks Workspaces should be in a virtual network","Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0e7849de-b939-4c50-ab48-fc6b0f5eeba2","","BuiltIn","Azure Databricks","Azure Databricks Workspaces should disable public network access","Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. 
","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"258823f2-4595-4b52-b333-cc96192710d8","","BuiltIn","Azure Databricks","Azure Databricks Workspaces should use private link","Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"138ff14d-b687-4faa-a81c-898c91a87fa2","","BuiltIn","Azure Databricks","Resource logs in Azure Databricks Workspaces should be enabled","Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","Azure_Security_Benchmark_v3.0_LT-3","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"b4ac1030-89c5-4697-8e00-28b5ba6a8811","","BuiltIn","Azure Stack Edge","Azure Stack Edge devices should use double-encryption","To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. 
Learn more in the security overview documentation for the specific Stack Edge device.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: audit (default: effect-b4ac1030-89c5-4697-8e00-28b5ba6a8811)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"bd876905-5b84-4f73-ab2d-2e7a7c4568d9","","BuiltIn","Azure Update Manager","Machines should be configured to periodically check for missing system updates","To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.","Azure_Security_Benchmark_v3.0_PV-6","ASB: Audit (default: systemUpdatesAutoAssessmentModeEffect)","parameter: + Audit, + Disabled","Audit","Audit","","" +"2e94d99a-8a36-4563-bc77-810d8893b671","","BuiltIn","Backup","[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data","Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more at https://aka.ms/AB-CmkEncryption.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-2e94d99a-8a36-4563-bc77-810d8893b671)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671"":true}","{""enableDoubleEncryption-2e94d99a-8a36-4563-bc77-810d8893b671"":true}" +"013e242c-8828-4970-87b3-ab247555486d","","BuiltIn","Backup","Azure Backup should be enabled for Virtual Machines","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","Azure_Security_Benchmark_v3.0_BR-1, +Azure_Security_Benchmark_v3.0_BR-2, +NIST_SP_800-53_R5_CP-9","ASB: AuditIfNotExists (default: azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"99e9ccd8-3db9-4592-b0d1-14b1715a4d8a","","BuiltIn","Batch","Azure Batch account should use customer-managed keys to encrypt data","Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-99e9ccd8-3db9-4592-b0d1-14b1715a4d8a)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"428256e6-1fac-4f48-a757-df34c2b3336d","","BuiltIn","Batch","Resource logs in Batch accounts should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInBatchAccountMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInBatchAccountRetentionDays"":""1""}","{""diagnosticsLogsInBatchAccountRetentionDays"":""1""}" +"51522a96-0869-4791-82f3-981000c2c67f","","BuiltIn","Bot Service","Bot Service should be encrypted with a customer-managed key","Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption.","NIST_SP_800-53_R5_SC-12","NIST-800-53: audit (default: effect-51522a96-0869-4791-82f3-981000c2c67f)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"7803067c-7d34-46e3-8c79-0ca68fc4036d","","BuiltIn","Cache","Azure Cache for Redis should use private link","Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. 
Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: azureCacheForRedisShouldUsePrivateEndpointMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"22bee202-a82f-4305-9a2a-6d7f44d4dedb","","BuiltIn","Cache","Only secure connections to your Azure Cache for Redis should be enabled","Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: diagnosticsLogsInRedisCacheMonitoringEffect), +NIST-800-53: Audit (default: effect-22bee202-a82f-4305-9a2a-6d7f44d4dedb)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0725b4dd-7e76-479c-a735-68e7ee23d5ca","","BuiltIn","Cognitive Services","Cognitive Services accounts should disable public network access","To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. 
This reduces data leakage risks.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect), +NIST-800-53: Audit (default: effect-0725b4dd-7e76-479c-a735-68e7ee23d5ca)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"67121cc7-ff39-4ab8-b7e3-95b84dab487d","","BuiltIn","Cognitive Services","Cognitive Services accounts should enable data encryption with a customer-managed key","Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect), +NIST-800-53: Audit (default: effect-67121cc7-ff39-4ab8-b7e3-95b84dab487d)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"cddd188c-4b82-4c48-a19d-ddf74ee66a01","","BuiltIn","Cognitive Services","Cognitive Services should use private link","Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. 
Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (Policy Default), +NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56","","BuiltIn","Compute","Audit virtual machines without disaster recovery configured","Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.","NIST_SP_800-53_R5_CP-7","NIST-800-53: auditIfNotExists (Policy Fixed)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f39f5f49-4abf-44de-8c70-0756997bfb51","","BuiltIn","Compute","Disk access resources should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. 
","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ca91455f-eace-4f96-be59-e6e2c35b4816","","BuiltIn","Compute","Managed disks should be double encrypted with both platform-managed and customer-managed keys","High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-ca91455f-eace-4f96-be59-e6e2c35b4816)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"702dd420-7fcc-42c5-afe8-4026edd20fe0","","BuiltIn","Compute","OS and data disks should be encrypted with a customer-managed key","Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more at https://aka.ms/disks-cmk.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-702dd420-7fcc-42c5-afe8-4026edd20fe0)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"fc4d8e41-e223-45ea-9bf5-eada37891d87","","BuiltIn","Compute","Virtual machines and virtual machine scale sets should have encryption at host enabled","Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe.","Azure_Security_Benchmark_v3.0_DP-4, +NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","ASB: Audit (Policy Default), +NIST-800-53: Audit (default: effect-fc4d8e41-e223-45ea-9bf5-eada37891d87)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1d84d5fb-01f6-4d12-ba4f-4a26081d403d","","BuiltIn","Compute","Virtual machines should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Azure_Security_Benchmark_v3.0_AM-2, +NIST_SP_800-53_R5_AC-3","ASB: Audit (default: classicComputeVMsMonitoringEffect), +NIST-800-53: Audit (default: effect-1d84d5fb-01f6-4d12-ba4f-4a26081d403d)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0aa61e00-0a01-4a3c-9945-e93cffedf0e6","","BuiltIn","Container Instance","Azure Container Instance 
container group should use customer-managed key for encryption","Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-0aa61e00-0a01-4a3c-9945-e93cffedf0e6)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580","","BuiltIn","Container Registry","Container registries should be encrypted with a customer-managed key","Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect), +NIST-800-53: Audit (default: effect-5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"d0793b48-0edc-4296-a390-4c75d1bdfd71","","BuiltIn","Container Registry","Container registries should not allow unrestricted network access","Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. 
If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect), +NIST-800-53: Audit (default: effect-d0793b48-0edc-4296-a390-4c75d1bdfd71)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"e8eef0a8-67cf-4eb4-9386-14b0e78733d4","","BuiltIn","Container Registry","Container registries should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: containerRegistriesShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","","BuiltIn","Cosmos DB","Azure Cosmos DB accounts should have firewall rules","Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. 
Accounts disabling public access are also deemed compliant.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect), +NIST-800-53: Audit (default: effect-862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1f905d99-2ab7-462c-a6b0-f709acca6c8f","","BuiltIn","Cosmos DB","Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: disabled (default: azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect), +NIST-800-53: audit (default: effect-1f905d99-2ab7-462c-a6b0-f709acca6c8f)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"797b37f7-06b8-444c-b1ad-fc62867f335a","","BuiltIn","Cosmos DB","Azure Cosmos DB should disable public network access","Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. 
Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"5450f5bd-9c72-4390-a9c4-a7aba4edfdd2","","BuiltIn","Cosmos DB","Cosmos DB database accounts should have local authentication methods disabled","Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (default: azureCosmosDbAccountsShouldHaveLocalAuthenticationMethodsDisabledMonitoringEffect)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"58440f8a-10c5-4151-bdce-dfbaad4a20b7","","BuiltIn","Cosmos DB","CosmosDB accounts should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (Policy Default), +NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"c349d81b-9985-44ae-a8da-ff98d108ede8","","BuiltIn","Data Box","Azure Data Box jobs should enable double encryption for data at rest on the device","Enable a second layer of software-based encryption for data at rest on the device. 
The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-c349d81b-9985-44ae-a8da-ff98d108ede8)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8"":[""DataBox"",""DataBoxHeavy""]}","{""supportedSKUs-c349d81b-9985-44ae-a8da-ff98d108ede8"":[""DataBox"",""DataBoxHeavy""]}" +"86efb160-8de7-451d-bc08-5d475b0aadae","","BuiltIn","Data Box","Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password","Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-86efb160-8de7-451d-bc08-5d475b0aadae)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae"":[""DataBox"",""DataBoxHeavy""]}","{""supportedSKUs-86efb160-8de7-451d-bc08-5d475b0aadae"":[""DataBox"",""DataBoxHeavy""]}" +"4ec52d6d-beb7-40c4-9a9e-fe753254690e","","BuiltIn","Data Factory","Azure data factories should be encrypted with a customer-managed key","Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-4ec52d6d-beb7-40c4-9a9e-fe753254690e)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"8b0323be-cc25-4b61-935d-002c3798c6ea","","BuiltIn","Data Factory","Azure Data Factory should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"057ef27e-665e-4328-8ea3-04b3122bd9fb","","BuiltIn","Data Lake","Resource logs in Azure Data Lake Store should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInDataLakeStoreMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInDataLakeStoreRetentionDays"":""1""}","{""diagnosticsLogsInDataLakeStoreRetentionDays"":""1""}" +"c95c74d9-38fe-4f0d-af86-0c7d626a315c","","BuiltIn","Data Lake","Resource logs in Data Lake Analytics should be enabled","Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInDataLakeAnalyticsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInDataLakeAnalyticsRetentionDays"":""1""}","{""diagnosticsLogsInDataLakeAnalyticsRetentionDays"":""1""}" +"9830b652-8523-49cc-b1b3-e17dce1127ca","","BuiltIn","Event Grid","Azure Event Grid domains should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/privateendpoints.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"4b90e17e-8448-49db-875e-bd83fb6f804f","","BuiltIn","Event Grid","Azure Event Grid topics should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"a1ad735a-e96f-45d2-a7b2-9a4932cab7ec","","BuiltIn","Event Hub","Event Hub namespaces should use a customer-managed key for encryption","Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. 
Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"b8564268-eb4a-4337-89be-a19db070c59d","","BuiltIn","Event Hub","Event Hub namespaces should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"83a214f7-d01a-484b-91a9-ed54470c9a6a","","BuiltIn","Event Hub","Resource logs in Event Hub should be enabled","Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInEventHubMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInEventHubRetentionDays"":""1""}","{""diagnosticsLogsInEventHubRetentionDays"":""1""}" +"a451c1ef-c6ca-483d-87ed-f49761e3ffb5","","BuiltIn","General","Audit usage of custom RBAC roles","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling","Azure_Security_Benchmark_v3.0_PA-7, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-2(7), +NIST_SP_800-53_R5_AC-6, +NIST_SP_800-53_R5_AC-6(7)","ASB: Audit (default: useRbacRulesMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"ca88aadc-6e2b-416c-9de2-5a0f01d1693f","","BuiltIn","Guest Configuration","[Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.","Azure_Security_Benchmark_v3.0_DP-4","ASB: AuditIfNotExists (default: gcLinuxDiskEncryptionMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3dc5edcd-002d-444c-b216-e123bbfa37c0","","BuiltIn","Guest Configuration","[Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. 
For details, visit https://aka.ms/gcpol.","Azure_Security_Benchmark_v3.0_DP-4","ASB: AuditIfNotExists (default: gcWindowsDiskEncryptionMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3cf2ab00-13f1-4d0c-8971-2ac904541a7e","","BuiltIn","Guest Configuration","Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.","NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: modify (Policy Fixed)","override: + Modify, + Audit, + Disabled","Modify","Modify","","" +"497dff13-db2a-4c0f-8603-28fa3b331ab6","","BuiltIn","Guest Configuration","Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. 
For more information on Guest Configuration, visit https://aka.ms/gcpol.","NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: modify (Policy Fixed)","override: + Modify, + Audit, + Disabled","Modify","Modify","","" +"ea53dbee-c6c9-4f0e-9f9e-de0039b78023","","BuiltIn","Guest Configuration","Audit Linux machines that allow remote connections from accounts without passwords","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords","NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e6955644-301c-44b5-a4c4-528577de6861","","BuiltIn","Guest Configuration","Audit Linux machines that do not have the passwd file permissions set to 0644","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644","NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f6ec09a3-78bf-4f8f-99dc-6c77182d0f99","","BuiltIn","Guest Configuration","Audit Linux machines that have accounts without passwords","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. 
Machines are non-compliant if Linux machines that have accounts without passwords","NIST_SP_800-53_R5_AC-3","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"5b054a0d-39e2-4d53-bea3-9734cad2c69b","","BuiltIn","Guest Configuration","Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24","NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"4ceb8dc2-559c-478b-a15b-733fbf1e3738","","BuiltIn","Guest Configuration","Audit Windows machines that do not have the maximum password age set to specified number of days","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days","NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"237b38db-ca4d-4259-9e47-7882441ca2c0","","BuiltIn","Guest Configuration","Audit Windows machines that do not have the minimum password age set to specified number of days","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. 
Default value for minimum password age is 1 day","NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"bf16e0bb-31e1-4646-8202-60a235cc7e74","","BuiltIn","Guest Configuration","Audit Windows machines that do not have the password complexity setting enabled","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled","NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a2d0e922-65d0-40c4-8f87-ea6da2d307a2","","BuiltIn","Guest Configuration","Audit Windows machines that do not restrict the minimum password length to specified number of characters","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters","NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"da0f98fe-a24b-4ad5-af69-bd0400233661","","BuiltIn","Guest Configuration","Audit Windows machines that do not store passwords using reversible encryption","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. 
Machines are non-compliant if Windows machines that do not store passwords using reversible encryption","NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"630c64f9-8b6b-4c64-b511-6544ceff6fd6","","BuiltIn","Guest Configuration","Authentication to Linux machines should require SSH keys","Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.","Azure_Security_Benchmark_v3.0_IM-6, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-5","ASB: AuditIfNotExists (default: authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"331e8ea8-378a-410f-a2e5-ae22f38bb0da","","BuiltIn","Guest Configuration","Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. 
For more information on Guest Configuration, visit https://aka.ms/gcpol.","NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: deployIfNotExists (Policy Fixed)","override: + DeployIfNotExists, + AuditIfNotExists, + Disabled","DeployIfNotExists","DeployIfNotExists","","" +"385f5831-96d4-41db-9a3c-cd3af78aaae6","","BuiltIn","Guest Configuration","Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.","NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_IA-5, +NIST_SP_800-53_R5_IA-5(1)","NIST-800-53: deployIfNotExists (Policy Fixed)","override: + DeployIfNotExists, + AuditIfNotExists, + Disabled","DeployIfNotExists","DeployIfNotExists","","" +"1e7fed80-8321-4605-b42c-65fc300f23a3","","BuiltIn","Guest Configuration","Linux machines should have Log Analytics agent installed on Azure Arc","Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.","Azure_Security_Benchmark_v3.0_LT-5","ASB: AuditIfNotExists (default: ArcLinuxMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"fc9b3da7-8347-4380-8e70-0a0361d8dedd","","BuiltIn","Guest Configuration","Linux machines should meet requirements for the Azure compute security baseline","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. 
Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Azure_Security_Benchmark_v3.0_PV-4, +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: linuxGuestConfigBaselinesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"bed48b13-6647-468e-aa2f-1af1d3f4dd40","","BuiltIn","Guest Configuration","Windows Defender Exploit Guard should be enabled on your machines","Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_ES-2, +NIST_SP_800-53_R5_SC-3, +NIST_SP_800-53_R5_SI-3, +NIST_SP_800-53_R5_SI-16","ASB: AuditIfNotExists (default: windowsDefenderExploitGuardMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines"":""true"",""NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40"":""Compliant""}","{""windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines"":""true"",""NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40"":""Compliant""}" +"5752e6d6-1206-46d8-8ab1-ecc2f71a8112","","BuiltIn","Guest Configuration","Windows machines should be configured to use secure communication protocols","To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, 
Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: AuditIfNotExists (default: windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112"":""1.2"",""windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion"":""1.2""}","{""MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112"":""1.2"",""windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion"":""1.2""}" +"4078e558-bda6-41fb-9b3c-361e8875200d","","BuiltIn","Guest Configuration","Windows machines should have Log Analytics agent installed on Azure Arc","Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.","Azure_Security_Benchmark_v3.0_LT-5","ASB: AuditIfNotExists (default: ArcWindowsMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"72650e9f-97bc-4b2a-ab5f-9781a9fcecbc","","BuiltIn","Guest Configuration","Windows machines should meet requirements of the Azure compute security baseline","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. 
Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Azure_Security_Benchmark_v3.0_PV-4, +NIST_SP_800-53_R5_CM-6","ASB: AuditIfNotExists (default: windowsGuestConfigBaselinesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""IncludeArcMachines"":""false""}","{""IncludeArcMachines"":""false""}" +"64d314f6-6062-4780-a861-c23e8951bee5","","BuiltIn","HDInsight","Azure HDInsight clusters should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-64d314f6-6062-4780-a861-c23e8951bee5)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6","","BuiltIn","HDInsight","Azure HDInsight clusters should use encryption at host to encrypt data at rest","Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. 
When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"d9da03a1-f3c3-412a-9709-947156872263","","BuiltIn","HDInsight","Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes","Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission.","NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","NIST-800-53: Audit (default: effect-d9da03a1-f3c3-412a-9709-947156872263)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"47031206-ce96-41f8-861b-6a915f3de284","","BuiltIn","Internet of Things","[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)","Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-47031206-ce96-41f8-861b-6a915f3de284)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"df39c015-56a4-45de-b4a3-efe77bed320d","","BuiltIn","Internet of Things","IoT Hub device provisioning service instances should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"383856f8-de7f-44a2-81fc-e5135b5c2aa4","","BuiltIn","Internet of Things","Resource logs in IoT Hub should be enabled","Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInIoTHubMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInIoTHubRetentionDays"":""1"",""requiredRetentionDays"":""365""}","{""diagnosticsLogsInIoTHubRetentionDays"":""1"",""requiredRetentionDays"":""365""}" +"55615ac9-af46-4a59-874e-391cc3dfb490","","BuiltIn","Key Vault","Azure Key Vault should have firewall enabled","Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security","Azure_Security_Benchmark_v3.0_NS-2, +Azure_Security_Benchmark_v3.0_DP-8, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: firewallShouldBeEnabledOnKeyVaultMonitoringEffect), +NIST-800-53: Audit (default: effect-55615ac9-af46-4a59-874e-391cc3dfb490)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"a6abeaec-4d90-4a02-805f-6b26c4d3fbe9","","BuiltIn","Key Vault","Azure Key Vaults should use private link","Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.","Azure_Security_Benchmark_v3.0_NS-2, +Azure_Security_Benchmark_v3.0_DP-8, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect), +NIST-800-53: Audit (default: effect-a6abeaec-4d90-4a02-805f-6b26c4d3fbe9)","parameter: + Audit, + Disabled","Audit","Audit","","" +"0a075868-4c26-42ef-914c-5bc007359560","","BuiltIn","Key Vault","Certificates should have the specified maximum validity period","Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.","Azure_Security_Benchmark_v3.0_DP-7, +NIST_SP_800-53_R5_IA-5","ASB: disabled (default: certificatesValidityPeriodMonitoringEffect), +NIST-800-53: audit (default: effect-0a075868-4c26-42ef-914c-5bc007359560)","parameter: + Deny, + Audit, + 
Disabled","Disabled","Disabled","{""maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560"":12,""certificatesValidityPeriodInMonths"":12}","{""maximumValidityInMonths-0a075868-4c26-42ef-914c-5bc007359560"":12,""certificatesValidityPeriodInMonths"":12}" +"152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0","","BuiltIn","Key Vault","Key Vault keys should have an expiration date","Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.","Azure_Security_Benchmark_v3.0_DP-6, +NIST_SP_800-53_R5_IA-5","ASB: Disabled (default: keysExpirationSetEffect), +NIST-800-53: Audit (default: effect-152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"98728c90-32c7-4049-8429-847dc0f4fe37","","BuiltIn","Key Vault","Key Vault secrets should have an expiration date","Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.","Azure_Security_Benchmark_v3.0_DP-6, +NIST_SP_800-53_R5_IA-5","ASB: Disabled (default: secretsExpirationSetEffect), +NIST-800-53: Audit (default: effect-98728c90-32c7-4049-8429-847dc0f4fe37)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","","BuiltIn","Key Vault","Key vaults should have deletion protection enabled","Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. 
No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default.","Azure_Security_Benchmark_v3.0_DP-8, +NIST_SP_800-53_R5_CP-9","ASB: Audit (default: keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect), +NIST-800-53: Audit (default: effect-0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d","","BuiltIn","Key Vault","Key vaults should have soft delete enabled","Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.","Azure_Security_Benchmark_v3.0_DP-8, +NIST_SP_800-53_R5_CP-9","ASB: Audit (default: keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect), +NIST-800-53: Audit (default: effect-1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"cf820ca0-f99e-4f3e-84fb-66e913812d21","","BuiltIn","Key Vault","Resource logs in Key Vault should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_DP-8, +Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInKeyVaultMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInKeyVaultRetentionDays"":""1""}","{""diagnosticsLogsInKeyVaultRetentionDays"":""1""}" +"8dfab9c4-fe7b-49ad-85e4-1e9be085358f","","BuiltIn","Kubernetes","[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed","Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. 
Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"6b2122c1-8120-4ff5-801b-17625a355590","","BuiltIn","Kubernetes","Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed","The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.","Azure_Security_Benchmark_v3.0_PV-2","ASB: AuditIfNotExists (default: arcEnabledKubernetesClustersShouldHaveAzurePolicyExtensionInstalledEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a1840de2-8088-4ea8-b153-b4c723e9cb01","","BuiltIn","Kubernetes","Azure Kubernetes Service clusters should have Defender profile enabled","Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. 
Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2","ASB: Audit (default: azureKubernetesServiceClustersShouldHaveSecurityProfileEnabled)","parameter: + Audit, + Disabled","Audit","Audit","","" +"0a15ec92-a229-4763-bb14-0ea34a568f8d","","BuiltIn","Kubernetes","Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters","Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: azurePolicyAddonStatusEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"7d7be79c-23ba-4033-84dd-45e2a5ccdd67","","BuiltIn","Kubernetes","Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys","Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-7d7be79c-23ba-4033-84dd-45e2a5ccdd67)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"e345eecc-fa47-480f-9e88-67dcc122b164","","BuiltIn","Kubernetes","Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits","Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: memoryAndCPULimitsInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-e345eecc-fa47-480f-9e88-67dcc122b164)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164"":""0"",""cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164"":""0"",""memoryInKubernetesClusterLimit"":""64Gi"",""memoryAndCPULimitsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""memoryAndCPULimitsInKubernetesClusterLabelSelector"":{},""CPUInKubernetesClusterLimit"":""32""}","{""memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164"":""0"",""cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164"":""0"",""memoryInKubernetesClusterLimit"":""64Gi"",""memoryAndCPULimitsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""memoryAndCPULimitsInKubernetesClusterLabelSelector"":{},""CPUInKubernetesClusterLimit"":""32""}" +"47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8","","BuiltIn","Kubernetes","Kubernetes cluster containers should not share host process ID or host IPC namespace","Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: NoSharingSensitiveHostNamespacesInKubernetesEffect), +NIST-800-53: audit (default: effect-47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""NoSharingSensitiveHostNamespacesInKubernetesLabelSelector"":{},""NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""]}","{""NoSharingSensitiveHostNamespacesInKubernetesLabelSelector"":{},""NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""]}" +"511f5417-5d12-434d-ab2e-816901e72a5e","","BuiltIn","Kubernetes","Kubernetes cluster containers should only use allowed AppArmor profiles","Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: AllowedAppArmorProfilesInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-511f5417-5d12-434d-ab2e-816901e72a5e)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""AllowedAppArmorProfilesInKubernetesClusterList"":[""runtime/default""],""AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e"":[],""AllowedAppArmorProfilesInKubernetesClusterLabelSelector"":{}}","{""AllowedAppArmorProfilesInKubernetesClusterList"":[""runtime/default""],""AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""allowedProfiles-511f5417-5d12-434d-ab2e-816901e72a5e"":[],""AllowedAppArmorProfilesInKubernetesClusterLabelSelector"":{}}" +"c26596ff-4d70-4e6a-9a30-c2506bd2f80c","","BuiltIn","Kubernetes","Kubernetes cluster containers should only use allowed capabilities","Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: AllowedCapabilitiesInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-c26596ff-4d70-4e6a-9a30-c2506bd2f80c)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c"":[],""AllowedCapabilitiesInKubernetesClusterList"":[],""AllowedCapabilitiesInKubernetesClusterLabelSelector"":{},""allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c"":[],""DropCapabilitiesInKubernetesClusterList"":[],""AllowedCapabilitiesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}","{""requiredDropCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c"":[],""AllowedCapabilitiesInKubernetesClusterList"":[],""AllowedCapabilitiesInKubernetesClusterLabelSelector"":{},""allowedCapabilities-c26596ff-4d70-4e6a-9a30-c2506bd2f80c"":[],""DropCapabilitiesInKubernetesClusterList"":[],""AllowedCapabilitiesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}" +"febd0533-8e55-448f-b837-bd0e06f16469","","BuiltIn","Kubernetes","Kubernetes cluster containers should only use allowed images","Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: allowedContainerImagesInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-febd0533-8e55-448f-b837-bd0e06f16469)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469"":""^(.+){0}$"",""namespaces"":[],""allowedContainerImagesLabelSelector"":{},""allowedContainerImagesNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""labelSelector"":{},""excludedNamespaces"":[""kube-system"",""gatekeeper-system"",""azure-arc""],""allowedContainerImagesInKubernetesClusterRegex"":""^(.+){0}$""}","{""allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469"":""^(.+){0}$"",""namespaces"":[],""allowedContainerImagesLabelSelector"":{},""allowedContainerImagesNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""labelSelector"":{},""excludedNamespaces"":[""kube-system"",""gatekeeper-system"",""azure-arc""],""allowedContainerImagesInKubernetesClusterRegex"":""^(.+){0}$""}" +"df49d893-a74c-421d-bc95-c663042e5b80","","BuiltIn","Kubernetes","Kubernetes cluster containers should run with a read only root file system","Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: ReadOnlyRootFileSystemInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-df49d893-a74c-421d-bc95-c663042e5b80)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""ReadOnlyRootFileSystemInKubernetesClusterLabelSelector"":{}}","{""ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""ReadOnlyRootFileSystemInKubernetesClusterLabelSelector"":{}}" +"098fc59e-46c7-4d99-9b16-64990e543d75","","BuiltIn","Kubernetes","Kubernetes cluster pod hostPath volumes should only use allowed host paths","Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: AllowedHostPathVolumesInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-098fc59e-46c7-4d99-9b16-64990e543d75)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""AllowedHostPathVolumesInKubernetesClusterLabelSelector"":{},""allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75"":{""paths"":[]},""AllowedHostPathVolumesInKubernetesClusterList"":{""paths"":[]},""AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}","{""AllowedHostPathVolumesInKubernetesClusterLabelSelector"":{},""allowedHostPaths-098fc59e-46c7-4d99-9b16-64990e543d75"":{""paths"":[]},""AllowedHostPathVolumesInKubernetesClusterList"":{""paths"":[]},""AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}" +"f06ddb64-5fa3-4b77-b166-acb36f7f6042","","BuiltIn","Kubernetes","Kubernetes cluster pods and containers should only run with approved user and group IDs","Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: MustRunAsNonRootNamespaceEffect), +NIST-800-53: audit (default: effect-f06ddb64-5fa3-4b77-b166-acb36f7f6042)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""MustRunAsNonRootNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""MustRunAsNonRootLabelSelector"":{},""runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""MustRunAsNonRoot"",""supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]}}","{""fsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""MustRunAsNonRootNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""runAsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""runAsGroupRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""MustRunAsNonRootLabelSelector"":{},""runAsUserRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""runAsUserRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""MustRunAsNonRoot"",""supplementalGroupsRule-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":""RunAsAny"",""fsGroupRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]},""supplementalGroupsRanges-f06ddb64-5fa3-4b77-b166-acb36f7f6042"":{""ranges"":[]}}" +"82985f06-dc18-4a48-bc1c-b9f4f0098cfe","","BuiltIn","Kubernetes","Kubernetes cluster pods should only use approved host 
network and port range","Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: AllowedHostNetworkingAndPortsInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-82985f06-dc18-4a48-bc1c-b9f4f0098cfe)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""AllowHostNetworkingInKubernetesCluster"":false,""maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":0,""minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":0,""allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":false,""AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""AllowedHostMaxPortInKubernetesCluster"":0,""AllowedHostNetworkingAndPortsInKubernetesClusterLabelSelector"":{},""AllowedHostMinPortInKubernetesCluster"":0}","{""AllowHostNetworkingInKubernetesCluster"":false,""maxPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":0,""minPort-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":0,""allowHostNetwork-82985f06-dc18-4a48-bc1c-b9f4f0098cfe"":false,""AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""AllowedHostMaxPortInKubernetesCluster"":0,""AllowedHostNetworkingAndPortsInKubernetesClusterLabelSelector"":{},""AllowedHostMinPortInKubernetesCluster"":0}" +"233a2a17-77ca-4fb1-9b6b-69223d272a44","","BuiltIn","Kubernetes","Kubernetes cluster services should listen only on allowed ports","Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. 
This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: allowedServicePortsInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-233a2a17-77ca-4fb1-9b6b-69223d272a44)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""allowedServicePortsInKubernetesClusterLabelSelector"":{},""allowedServicePortsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""allowedservicePortsInKubernetesClusterPorts"":[""-1""],""allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44"":[]}","{""allowedServicePortsInKubernetesClusterLabelSelector"":{},""allowedServicePortsInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""allowedservicePortsInKubernetesClusterPorts"":[""-1""],""allowedServicePortsList-233a2a17-77ca-4fb1-9b6b-69223d272a44"":[]}" +"95edb821-ddaf-4404-9732-666045e056b4","","BuiltIn","Kubernetes","Kubernetes cluster should not allow privileged containers","Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: privilegedContainersShouldBeAvoidedEffect), +NIST-800-53: audit (default: effect-95edb821-ddaf-4404-9732-666045e056b4)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""excludedImagesInKubernetesCluster"":[],""privilegedContainerNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""excludedContainers-95edb821-ddaf-4404-9732-666045e056b4"":[],""privilegedContainerLabelSelector"":{}}","{""excludedImagesInKubernetesCluster"":[],""privilegedContainerNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""excludedContainers-95edb821-ddaf-4404-9732-666045e056b4"":[],""privilegedContainerLabelSelector"":{}}" +"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d","","BuiltIn","Kubernetes","Kubernetes clusters should be accessible only over HTTPS","Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect), +NIST-800-53: audit (default: effect-1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""kubernetesClustersShouldBeAccessibleOnlyOverHTTPSLabelSelector"":{}}","{""kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""kubernetesClustersShouldBeAccessibleOnlyOverHTTPSLabelSelector"":{}}" +"423dd1ba-798e-40e4-9c4d-b6902674b423","","BuiltIn","Kubernetes","Kubernetes clusters should disable automounting API credentials","Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (default: KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringLabelSelector"":{}}","{""KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""],""KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringLabelSelector"":{}}" +"1c6e92c9-99f0-4e55-9cf2-0c234dc48f99","","BuiltIn","Kubernetes","Kubernetes clusters should not allow container privilege escalation","Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2, +NIST_SP_800-53_R5_CM-6","ASB: Audit (default: NoPrivilegeEscalationInKubernetesClusterEffect), +NIST-800-53: audit (default: effect-1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""NoPrivilegeEscalationInKubernetesClusterLabelSelector"":{}}","{""NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azure-extensions-usage-system""],""NoPrivilegeEscalationInKubernetesClusterLabelSelector"":{}}" +"d2e7ea85-6b44-4317-a0be-1b951587f626","","BuiltIn","Kubernetes","Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities","To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (default: KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringLabelSelector"":{},""KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}","{""KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringLabelSelector"":{},""KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringNamespaceExclusion"":[""kube-system"",""gatekeeper-system"",""azure-arc"",""azuredefender"",""mdc"",""azure-extensions-usage-system""]}" +"9f061a12-e40d-4183-a00e-171812443373","","BuiltIn","Kubernetes","Kubernetes clusters should not use the default namespace","Prevent usage 
of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.","Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (default: KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","{""KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringLabelSelector"":{}}","{""KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringLabelSelector"":{}}" +"245fc9df-fa96-4414-9a0b-3738c2f7341c","","BuiltIn","Kubernetes","Resource logs in Azure Kubernetes Service should be enabled","Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed","Azure_Security_Benchmark_v3.0_LT-3","ASB: AuditIfNotExists (default: diagnosticsLogsInKubernetesMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInKubernetesRetentionDays"":""1""}","{""diagnosticsLogsInKubernetesRetentionDays"":""1""}" +"41425d9f-d1a5-499a-9932-f8ed8453932c","","BuiltIn","Kubernetes","Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host","To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. 
This is a common requirement in many regulatory and industry compliance standards.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-41425d9f-d1a5-499a-9932-f8ed8453932c)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5","","BuiltIn","Logic Apps","Logic Apps Integration Service Environment should be encrypted with customer-managed keys","Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"34f95f76-5386-4de7-b824-0d8478470c9d","","BuiltIn","Logic Apps","Resource logs in Logic Apps should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInLogicAppsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInLogicAppsRetentionDays"":""1""}","{""diagnosticsLogsInLogicAppsRetentionDays"":""1""}" +"f110a506-2dcb-422e-bcea-d533fc8c35e2","","BuiltIn","Machine Learning","Azure Machine Learning compute instances should be recreated to get the latest software updates","Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/.","Azure_Security_Benchmark_v3.0_PV-2","ASB: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"7804b5c7-01dc-4723-969b-ae300cc07ff1","","BuiltIn","Machine Learning","Azure Machine Learning Computes should be in a virtual network","Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. 
When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f","","BuiltIn","Machine Learning","Azure Machine Learning Computes should have local authentication methods disabled","Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ba769a63-b8cc-4b2d-abf6-ac33c7204be8","","BuiltIn","Machine Learning","Azure Machine Learning workspaces should be encrypted with a customer-managed key","Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more at https://aka.ms/azureml-workspaces-cmk.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect), +NIST-800-53: Audit (default: effect-ba769a63-b8cc-4b2d-abf6-ac33c7204be8)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"438c38d2-3772-465a-a9cc-7a6666a275ce","","BuiltIn","Machine Learning","Azure Machine Learning Workspaces should disable public network access","Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"45e05259-1eb5-4f70-9574-baf73e9d219b","","BuiltIn","Machine Learning","Azure Machine Learning workspaces should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. 
Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (default: effect-45e05259-1eb5-4f70-9574-baf73e9d219b)","parameter: + Audit, + Disabled","Audit","Audit","","" +"afe0c3be-ba3b-4544-ba52-0c99672a8ad6","","BuiltIn","Machine Learning","Resource logs in Azure Machine Learning Workspaces should be enabled","Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","Azure_Security_Benchmark_v3.0_LT-3","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"842c54e8-c2f9-4d79-ae8d-38d8b8019373","","BuiltIn","Monitoring","[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines","This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.","Azure_Security_Benchmark_v3.0_LT-5, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: ArcLinuxMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e","","BuiltIn","Monitoring","[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines","This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed.","Azure_Security_Benchmark_v3.0_LT-5, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), 
+NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: ArcWindowsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"04c4380f-3fae-46e8-96c9-30193528f602","","BuiltIn","Monitoring","[Preview]: Network traffic data collection agent should be installed on Linux virtual machines","Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","Azure_Security_Benchmark_v3.0_LT-4, +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: ASCDependencyAgentAuditLinuxEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"2f2ee1de-44aa-4762-b6bd-0893fc3f306d","","BuiltIn","Monitoring","[Preview]: Network traffic data collection agent should be installed on Windows virtual machines","Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","Azure_Security_Benchmark_v3.0_LT-4, +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: ASCDependencyAgentAuditWindowsEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ea0dfaed-95fb-448c-934e-d6e713ce393d","","BuiltIn","Monitoring","Azure 
Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)","To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: audit (default: effect-ea0dfaed-95fb-448c-934e-d6e713ce393d)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1f68a601-6e6d-4e42-babf-3f643a047ea2","","BuiltIn","Monitoring","Azure Monitor Logs clusters should be encrypted with customer-managed key","Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.","NIST_SP_800-53_R5_SC-12","NIST-800-53: audit (default: effect-1f68a601-6e6d-4e42-babf-3f643a047ea2)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"fa298e57-9444-42ba-bf04-86e8470e32c7","","BuiltIn","Monitoring","Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption","Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. 
For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries.","NIST_SP_800-53_R5_SC-12","NIST-800-53: audit (default: effect-fa298e57-9444-42ba-bf04-86e8470e32c7)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"fc5e4038-4584-4632-8c85-c0448d374b2c","","BuiltIn","Network","[Preview]: All Internet traffic should be routed via your deployed Azure Firewall","Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall","Azure_Security_Benchmark_v3.0_NS-3, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: AzureFirewallEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"055aa869-bc98-4af8-bafc-23f1ab6ffe2c","","BuiltIn","Network","Azure Web Application Firewall should be enabled for Azure Front Door entry-points","Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","Azure_Security_Benchmark_v3.0_NS-6, +NIST_SP_800-53_R5_SC-5, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect), +NIST-800-53: Audit (default: effect-055aa869-bc98-4af8-bafc-23f1ab6ffe2c)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6","","BuiltIn","Network","Network Watcher should be enabled","Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","Azure_Security_Benchmark_v3.0_IR-4, +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: networkWatcherShouldBeEnabledMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""networkWatcherShouldBeEnabledResourceGroupName"":""NetworkWatcherRG"",""resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"":""NetworkWatcherRG""}","{""networkWatcherShouldBeEnabledResourceGroupName"":""NetworkWatcherRG"",""resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6"":""NetworkWatcherRG""}" +"21a6bc25-125e-4d13-b82d-2e19b7208ab7","","BuiltIn","Network","VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users","Disabling local authentication methods improves 
security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"564feb30-bf6a-4854-b4bb-0d2d2d1e6c66","","BuiltIn","Network","Web Application Firewall (WAF) should be enabled for Application Gateway","Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","Azure_Security_Benchmark_v3.0_NS-6, +NIST_SP_800-53_R5_SC-5, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect), +NIST-800-53: Audit (default: effect-564feb30-bf6a-4854-b4bb-0d2d2d1e6c66)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"a049bf77-880b-470f-ba6d-9f21c530cf83","","BuiltIn","Search","Azure Cognitive Search service should use a SKU that supports private link","With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. 
Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (default: effect-a049bf77-880b-470f-ba6d-9f21c530cf83)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ee980b6d-0eca-4501-8d54-f6290fd512c3","","BuiltIn","Search","Azure Cognitive Search services should disable public network access","Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (default: effect-ee980b6d-0eca-4501-8d54-f6290fd512c3)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0fda3595-9f2b-4592-8675-4231d6fa82fe","","BuiltIn","Search","Azure Cognitive Search services should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"b4330a05-a843-4bc8-bf9a-cacce50c67f4","","BuiltIn","Search","Resource logs in Search services should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInSearchServiceMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInSearchServiceRetentionDays"":""1""}","{""diagnosticsLogsInSearchServiceRetentionDays"":""1""}" +"672fe5a1-2fcd-42d7-b85d-902b6e28c6ff","","BuiltIn","Security Center","[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines","Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (default: GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a21f8c92-9e22-4f09-b759-50500d1d2dda","","BuiltIn","Security Center","[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets","Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. 
This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (default: GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1cb4d9c2-f88f-4069-bee0-dba239a57b09","","BuiltIn","Security Center","[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines","Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (default: GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f655e522-adff-494d-95c2-52d4f6d56a42","","BuiltIn","Security Center","[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets","Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. 
This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (default: GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"13a6c84f-49a5-410a-b5df-5b880c3fe009","","BuiltIn","Security Center","[Preview]: Linux virtual machines should use only signed and trusted boot components","All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (default: LinuxVirtualMachineShouldUseSignedAndTrustedBootComponentEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"97566dd7-78ae-4997-8b36-1c7bfe0d8121","","BuiltIn","Security Center","[Preview]: Secure Boot should be enabled on supported Windows virtual machines","Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","Azure_Security_Benchmark_v3.0_PV-4","ASB: Audit (default: SecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect)","parameter: + Audit, + Disabled","Audit","Audit","","" +"f85bf3e0-d513-442e-89c3-1784ad63382b","","BuiltIn","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)","Your machines are missing system, security, and critical updates. 
Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Azure_Security_Benchmark_v3.0_PV-6","ASB: AuditIfNotExists (default: systemUpdatesV2MonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1c30f9cd-b84c-49cc-aa2c-9288447cc3b3","","BuiltIn","Security Center","[Preview]: vTPM should be enabled on supported virtual machines","Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.","Azure_Security_Benchmark_v3.0_PV-4","ASB: Audit (default: VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect)","parameter: + Audit, + Disabled","Audit","Audit","","" +"4f11b553-d42e-4e3a-89be-32ca364cad4c","","BuiltIn","Security Center","A maximum of 3 owners should be designated for your subscription","It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.","Azure_Security_Benchmark_v3.0_PA-1, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-6, +NIST_SP_800-53_R5_AC-6(7)","ASB: AuditIfNotExists (default: identityDesignateLessThanOwnersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"501541f7-f7e7-4cd6-868c-4190fdad3ac9","","BuiltIn","Security Center","A vulnerability assessment solution should be enabled on your virtual machines","Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. 
A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.","Azure_Security_Benchmark_v3.0_PV-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: serverVulnerabilityAssessmentEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e3e008c3-56b9-4133-8fd7-d3347377402a","","BuiltIn","Security Center","Accounts with owner permissions on Azure resources should be MFA enabled","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.","Azure_Security_Benchmark_v3.0_IM-6, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-2(1)","ASB: AuditIfNotExists (default: identityEnableMFAForOwnerPermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4","","BuiltIn","Security Center","Accounts with read permissions on Azure resources should be MFA enabled","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.","Azure_Security_Benchmark_v3.0_IM-6, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-2(2)","ASB: AuditIfNotExists (default: identityEnableMFAForReadPermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"931e118d-50a1-4457-a5e4-78550e086c52","","BuiltIn","Security Center","Accounts with write permissions on Azure 
resources should be MFA enabled","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.","Azure_Security_Benchmark_v3.0_IM-6, +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-2(1)","ASB: AuditIfNotExists (default: identityEnableMFAForWritePermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"47a6b606-51aa-4496-8bb7-64b11cf66adc","","BuiltIn","Security Center","Adaptive application controls for defining safe applications should be enabled on your machines","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","Azure_Security_Benchmark_v3.0_AM-5, +NIST_SP_800-53_R5_CM-7, +NIST_SP_800-53_R5_CM-7(2), +NIST_SP_800-53_R5_CM-7(5), +NIST_SP_800-53_R5_CM-10, +NIST_SP_800-53_R5_CM-11","ASB: AuditIfNotExists (default: adaptiveApplicationControlsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"08e6af2d-db70-460a-bfe9-d5bd474ba9d6","","BuiltIn","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Azure_Security_Benchmark_v3.0_NS-1, +Azure_Security_Benchmark_v3.0_NS-7, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-4(3), +NIST_SP_800-53_R5_SC-7, 
+NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: adaptiveNetworkHardeningsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"9daedab3-fb2d-461e-b861-71790eead4f6","","BuiltIn","Security Center","All network ports should be restricted on network security groups associated to your virtual machine","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.","Azure_Security_Benchmark_v3.0_NS-1, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: nextGenerationFirewallMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"123a3936-f020-408a-ba0c-47873faf1534","","BuiltIn","Security Center","Allowlist rules in your adaptive application control policy should be updated","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in adaptive application control policies.","Azure_Security_Benchmark_v3.0_AM-5, +NIST_SP_800-53_R5_CM-7, +NIST_SP_800-53_R5_CM-7(2), +NIST_SP_800-53_R5_CM-7(5), +NIST_SP_800-53_R5_CM-10, +NIST_SP_800-53_R5_CM-11","ASB: AuditIfNotExists (default: adaptiveApplicationControlsUpdateMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"8ac833bd-f505-48d5-887e-c993a1d3eea0","","BuiltIn","Security Center","API endpoints in Azure API Management should be authenticated","API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication","Azure_Security_Benchmark_v3.0_IM-4","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"c8acafaf-3d23-44d1-9624-978ef0f8652c","","BuiltIn","Security Center","API endpoints that are unused should be disabled and removed from the Azure API Management service","As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. 
Such APIs typically do not receive the most up to date security coverage.","Azure_Security_Benchmark_v3.0_AM-3","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea","","BuiltIn","Security Center","Authorized IP ranges should be defined on Kubernetes Services","Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"475aae12-b88a-4572-8b36-9b712b2b3a17","","BuiltIn","Security Center","Auto provisioning of the Log Analytics agent should be enabled on your subscription","To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 
We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.","Azure_Security_Benchmark_v3.0_LT-5, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a7aca53f-2ed4-4466-a25e-0b45ade68efd","","BuiltIn","Security Center","Azure DDoS Protection should be enabled","DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.","Azure_Security_Benchmark_v3.0_NS-5, +NIST_SP_800-53_R5_SC-5","ASB: AuditIfNotExists (default: vnetEnableDDoSProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"2913021d-f2fd-4f3d-b958-22354e2bdbcb","","BuiltIn","Security Center","Azure Defender for App Service should be enabled","Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: appServicesAdvancedThreatProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + 
Disabled","AuditIfNotExists","AuditIfNotExists","","" +"7fe3b40f-802b-4cdd-8bd4-fd799c948cc2","","BuiltIn","Security Center","Azure Defender for Azure SQL Database servers should be enabled","Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: sqlServersAdvancedDataSecurityMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0e6763cc-5078-4e64-889d-ff4d9a839047","","BuiltIn","Security Center","Azure Defender for Key Vault should be enabled","Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","Azure_Security_Benchmark_v3.0_DP-8, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: keyVaultsAdvancedDataSecurityMonitoringEffect), 
+NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0a9fbe0d-c5c4-4da8-87d8-f4fd77338835","","BuiltIn","Security Center","Azure Defender for open-source relational databases should be enabled","Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center","Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (default: AzureDefenderForOpenSourceRelationalDatabasesShouldBeEnabledMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"c3d20c29-b36d-48fe-808b-99a87530ad99","","BuiltIn","Security Center","Azure Defender for Resource Manager should be enabled","Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. 
Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"4da35fc9-c9e7-4960-aec9-797fe7d9051d","","BuiltIn","Security Center","Azure Defender for servers should be enabled","Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_ES-1, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_CM-7, +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SC-3, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-3, +NIST_SP_800-53_R5_SI-4, +NIST_SP_800-53_R5_SI-16","ASB: AuditIfNotExists (default: virtualMachinesAdvancedThreatProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"6581d072-105e-4418-827f-bd446d56421b","","BuiltIn","Security Center","Azure Defender for SQL servers on 
machines should be enabled","Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"d38668f5-d155-42c7-ab3d-9b57b50f8fbf","","BuiltIn","Security Center","Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers","Audit PostgreSQL flexible servers without Advanced Data Security","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"090c7b07-b4ed-4561-ad20-e9075f3ccaff","","BuiltIn","Security Center","Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)","Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. 
Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.","Azure_Security_Benchmark_v3.0_PV-6, +Azure_Security_Benchmark_v3.0_DS-6","ASB: AuditIfNotExists (default: azureContainerRegistryVulnerabilityAssessmentEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457","","BuiltIn","Security Center","Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services","To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.","Azure_Security_Benchmark_v3.0_PA-7, +NIST_SP_800-53_R5_AC-3(7)","ASB: Audit (default: kubernetesServiceRbacEnabledMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"17f4b1cc-c55c-4d94-b1f9-2978f6ac2957","","BuiltIn","Security Center","Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)","Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. 
Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.","Azure_Security_Benchmark_v3.0_PV-6, +Azure_Security_Benchmark_v3.0_DS-6","ASB: AuditIfNotExists (default: kubernetesRunningImagesVulnerabilityMDVMAssessmentEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0cfea604-3201-4e14-88fc-fae4c427a6c5","","BuiltIn","Security Center","Blocked accounts with owner permissions on Azure resources should be removed","Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.","Azure_Security_Benchmark_v3.0_PA-1, +Azure_Security_Benchmark_v3.0_PA-4, +NIST_SP_800-53_R5_AC-2","ASB: AuditIfNotExists (default: identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"8d7e1fde-fe26-4b5f-8108-f8e432cbc2be","","BuiltIn","Security Center","Blocked accounts with read and write permissions on Azure resources should be removed","Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in.","Azure_Security_Benchmark_v3.0_PA-4, +NIST_SP_800-53_R5_AC-2","ASB: AuditIfNotExists (default: identityRemoveDeprecatedAccountMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"6e2593d9-add6-4083-9c9b-4b7d2188c899","","BuiltIn","Security Center","Email notification for high severity alerts should be enabled","To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.","Azure_Security_Benchmark_v3.0_IR-2, +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_IR-6(2), +NIST_SP_800-53_R5_SI-4(12)","ASB: AuditIfNotExists (default: emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0b15565f-aa9e-48ba-8619-45960f2c314d","","BuiltIn","Security Center","Email notification to subscription owner for high severity alerts should be enabled","To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.","Azure_Security_Benchmark_v3.0_IR-2, +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_IR-6(2), +NIST_SP_800-53_R5_SI-4(12)","ASB: AuditIfNotExists (default: emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2","","BuiltIn","Security Center","Endpoint protection health issues should be resolved on your 
machines","Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.","Azure_Security_Benchmark_v3.0_ES-2, +Azure_Security_Benchmark_v3.0_ES-3","ASB: AuditIfNotExists (default: endpointProtectionHealthIssuesMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1f7c564c-0a90-4d44-b7e1-9d456cffaee8","","BuiltIn","Security Center","Endpoint protection should be installed on your machines","To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.","Azure_Security_Benchmark_v3.0_ES-2","ASB: AuditIfNotExists (default: installEndpointProtectionMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"26a828e1-e88f-464e-bbb3-c134a282b9de","","BuiltIn","Security Center","Endpoint protection solution should be installed on virtual machine scale sets","Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.","Azure_Security_Benchmark_v3.0_ES-2, +NIST_SP_800-53_R5_SC-3, +NIST_SP_800-53_R5_SI-3","ASB: AuditIfNotExists (default: vmssEndpointProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"339353f6-2387-4a45-abe4-7f529d121046","","BuiltIn","Security Center","Guest accounts with owner permissions on Azure resources should be removed","External accounts with owner permissions should be removed from 
your subscription in order to prevent unmonitored access.","Azure_Security_Benchmark_v3.0_PA-1, +Azure_Security_Benchmark_v3.0_PA-4, +NIST_SP_800-53_R5_AC-2","ASB: AuditIfNotExists (default: identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e9ac8f8e-ce22-4355-8f04-99b911d6be52","","BuiltIn","Security Center","Guest accounts with read permissions on Azure resources should be removed","External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.","Azure_Security_Benchmark_v3.0_PA-4, +NIST_SP_800-53_R5_AC-2","ASB: AuditIfNotExists (default: identityRemoveExternalAccountWithReadPermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"94e1c2ac-cbbe-4cac-a2b5-389c812dee87","","BuiltIn","Security Center","Guest accounts with write permissions on Azure resources should be removed","External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.","Azure_Security_Benchmark_v3.0_PA-4, +NIST_SP_800-53_R5_AC-2","ASB: AuditIfNotExists (default: identityRemoveExternalAccountWithWritePermissionsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ae89ebca-1c92-4898-ac2c-9f63decb045c","","BuiltIn","Security Center","Guest Configuration extension should be installed on your machines","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Azure_Security_Benchmark_v3.0_PV-4, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: azurePolicyforWindowsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","","BuiltIn","Security Center","Internet-facing virtual machines should be protected with network security groups","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Azure_Security_Benchmark_v3.0_NS-1, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: networkSecurityGroupsOnVirtualMachinesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"bd352bd5-2853-4985-bf0d-73806b4a5744","","BuiltIn","Security Center","IP Forwarding on your virtual machine should be disabled","Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 
IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","Azure_Security_Benchmark_v3.0_NS-3, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-5, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: disableIPForwardingMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"fb893a29-21bb-418c-a157-e99480ec364c","","BuiltIn","Security Center","Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version","Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+","NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-2(6)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"a4fe33eb-e377-4efb-ab31-0784311bc499","","BuiltIn","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring","This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Azure_Security_Benchmark_v3.0_LT-5, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: installLogAnalyticsAgentOnVmMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a3a6ea0c-e018-4933-9ef0-5aaa1501449b","","BuiltIn","Security Center","Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center 
monitoring","Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.","Azure_Security_Benchmark_v3.0_LT-5, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: installLogAnalyticsAgentOnVmssMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3ac7c827-eea2-4bde-acc7-9568cd320efa","","BuiltIn","Security Center","Machines should have secret findings resolved","Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.","Azure_Security_Benchmark_v3.0_PV-5, +Azure_Security_Benchmark_v3.0_IM-8","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"b0f33259-77d7-4c9e-aac6-3aabcfae693c","","BuiltIn","Security Center","Management ports of virtual machines should be protected with just-in-time network access control","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Azure_Security_Benchmark_v3.0_NS-3, +Azure_Security_Benchmark_v3.0_PA-2, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-4(3), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: jitNetworkAccessMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"22730e10-96f6-4aac-ad84-9383d35b5917","","BuiltIn","Security Center","Management ports should be closed on your virtual machines","Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 
These attacks attempt to brute force credentials to gain admin access to the machine.","Azure_Security_Benchmark_v3.0_NS-3, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: restrictAccessToManagementPortsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1f90fc71-a595-4066-8974-d4d0802e8ef0","","BuiltIn","Security Center","Microsoft Defender CSPM should be enabled","Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (default: MicrosoftDefenderCSPMShouldBeEnabledMonitoringEffect)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"7926a6d1-b268-4586-8197-e8ae90c877d7","","BuiltIn","Security Center","Microsoft Defender for APIs should be enabled","Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.","Azure_Security_Benchmark_v3.0_DP-1, +Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1c988dd6-ade4-430f-a608-2a3e5b0a6d38","","BuiltIn","Security Center","Microsoft Defender for Containers should be enabled","Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time 
protections for your Azure, hybrid, and multi-cloud Kubernetes environments.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: containersAdvancedThreatProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"d31e5c31-63b2-4f12-887b-e49456834fa1","","BuiltIn","Security Center","Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces","Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"938c4981-c2c9-4168-9cd6-972b8675f906","","BuiltIn","Security Center","Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers","Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. 
Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection.","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: Audit (default: arcEnabledSqlServerDefenderStatusEffect)","parameter: + Audit, + Disabled","Audit","Audit","","" +"640d2586-54d2-465f-877f-9ffc1d2109f4","","BuiltIn","Security Center","Microsoft Defender for Storage should be enabled","Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs.","Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (Policy Default), +NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"af6cd1bd-1635-48cb-bde7-5b15693900b9","","BuiltIn","Security Center","Monitor missing Endpoint Protection in Azure Security Center","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations","Azure_Security_Benchmark_v3.0_ES-2, +NIST_SP_800-53_R5_SC-3, +NIST_SP_800-53_R5_SI-3","ASB: 
AuditIfNotExists (default: endpointProtectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"bb91dfba-c30d-4263-9add-9c2384e659a6","","BuiltIn","Security Center","Non-internet-facing virtual machines should be protected with network security groups","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Azure_Security_Benchmark_v3.0_NS-1, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"feedbf84-6b99-488c-acc2-71c829aa5ffc","","BuiltIn","Security Center","SQL databases should have vulnerability findings resolved","Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: sqlDbVulnerabilityAssesmentMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"c6283572-73bb-4deb-bf2c-7a2b8f7462cb","","BuiltIn","Security Center","SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan","To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. 
Learn more: https://aka.ms/SQLAMAMigration","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","","BuiltIn","Security Center","SQL servers on machines should have vulnerability findings resolved","SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_RA-5","ASB: AuditIfNotExists (default: serverSqlDbVulnerabilityAssesmentMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e71308d3-144b-4262-b144-efdc3cc90517","","BuiltIn","Security Center","Subnets should be associated with a Network Security Group","Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). 
NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","Azure_Security_Benchmark_v3.0_NS-1, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Disabled (default: networkSecurityGroupsOnSubnetsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","Disabled","Disabled","","" +"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7","","BuiltIn","Security Center","Subscriptions should have a contact email address for security issues","To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.","Azure_Security_Benchmark_v3.0_IR-2, +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_IR-6(2), +NIST_SP_800-53_R5_SI-4(12)","ASB: AuditIfNotExists (default: subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"c3f317a7-a95c-4547-b7e7-11017ebdf2fe","","BuiltIn","Security Center","System updates on virtual machine scale sets should be installed","Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: vmssSystemUpdatesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"86b3d65f-7626-441e-b690-81a8b71cff60","","BuiltIn","Security Center","System updates should be installed on your machines","Missing security system updates on your servers will be monitored by Azure Security Center as 
recommendations","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: systemUpdatesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"09024ccc-0c5f-475e-9457-b7c0d9ed487b","","BuiltIn","Security Center","There should be more than one owner assigned to your subscription","It is recommended to designate more than one subscription owner in order to have administrator access redundancy.","Azure_Security_Benchmark_v3.0_PA-1, +NIST_SP_800-53_R5_AC-5","ASB: AuditIfNotExists (default: identityDesignateMoreThanOneOwnerMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0961003e-5a0a-4549-abde-af6a37f2724d","","BuiltIn","Security Center","Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. 
Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","Azure_Security_Benchmark_v3.0_DP-4, +NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","ASB: AuditIfNotExists (default: diskEncryptionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"d26f7642-7545-4e18-9b75-8c9bbdee3a9a","","BuiltIn","Security Center","Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity","The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol","Azure_Security_Benchmark_v3.0_IM-3, +Azure_Security_Benchmark_v3.0_PV-4, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: gcExtOnVMWithNoSAMIMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"e8cbc669-f12d-49eb-93e7-9273119e9933","","BuiltIn","Security Center","Vulnerabilities in container security configurations should be remediated","Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.","Azure_Security_Benchmark_v3.0_PV-6, +Azure_Security_Benchmark_v3.0_DS-6, +NIST_SP_800-53_R5_RA-5","ASB: AuditIfNotExists (default: containerBenchmarkMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" 
+"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","","BuiltIn","Security Center","Vulnerabilities in security configuration on your machines should be remediated","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: systemConfigurationsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4","","BuiltIn","Security Center","Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.","Azure_Security_Benchmark_v3.0_PV-6, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-2","ASB: AuditIfNotExists (default: vmssOsVulnerabilitiesMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1c06e275-d63d-4540-b761-71f364c2111d","","BuiltIn","Service Bus","Azure Service Bus namespaces should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. 
Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"f8d36e2f-389b-4ee4-898d-21aeb69a0f45","","BuiltIn","Service Bus","Resource logs in Service Bus should be enabled","Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInServiceBusMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInServiceBusRetentionDays"":""1""}","{""diagnosticsLogsInServiceBusRetentionDays"":""1""}" +"295fc8b1-dc9f-4f53-9c61-3f313ceab40a","","BuiltIn","Service Bus","Service Bus Premium namespaces should use a customer-managed key for encryption","Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. 
Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"617c02be-7f02-4efd-8836-3180d47b6c68","","BuiltIn","Service Fabric","Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed","Azure_Security_Benchmark_v3.0_DP-4, +NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","ASB: Audit (default: clusterProtectionLevelInServiceFabricMonitoringEffect), +NIST-800-53: Audit (default: effect-617c02be-7f02-4efd-8836-3180d47b6c68)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b54ed75b-3e1a-44ac-a333-05ba39b99ff0","","BuiltIn","Service Fabric","Service Fabric clusters should only use Azure Active Directory for client authentication","Audit usage of client authentication only via Azure Active Directory in Service Fabric","Azure_Security_Benchmark_v3.0_IM-1, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-2(1), +NIST_SP_800-53_R5_AC-2(7), +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-4","ASB: Audit (default: aadAuthenticationInServiceFabricMonitoringEffect), +NIST-800-53: Audit (default: effect-b54ed75b-3e1a-44ac-a333-05ba39b99ff0)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"2393d2cf-a342-44cd-a2e2-fe0188fd1234","","BuiltIn","SignalR","Azure SignalR Service should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: azureSignalRServiceShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"146412e9-005c-472b-9e48-c87b72ac229e","","BuiltIn","SQL","A Microsoft Entra administrator should be provisioned for MySQL servers","Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services","Azure_Security_Benchmark_v3.0_DP-4","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"b4dec045-250a-48c2-b5cc-e0c4eec8b5b4","","BuiltIn","SQL","A Microsoft Entra administrator should be provisioned for PostgreSQL servers","Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services","Azure_Security_Benchmark_v3.0_IM-1","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1f314764-cb73-4fc9-b863-8eca98ac36e9","","BuiltIn","SQL","An Azure Active Directory administrator should be provisioned for SQL servers","Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services","Azure_Security_Benchmark_v3.0_IM-1, +NIST_SP_800-53_R5_AC-2, +NIST_SP_800-53_R5_AC-2(1), +NIST_SP_800-53_R5_AC-2(7), +NIST_SP_800-53_R5_AC-3, +NIST_SP_800-53_R5_IA-2, +NIST_SP_800-53_R5_IA-4","ASB: AuditIfNotExists (default: aadAuthenticationInSqlServerMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9","","BuiltIn","SQL","Auditing on SQL server should be enabled","Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: sqlServerAuditingMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"":""enabled""}","{""setting-a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"":""enabled""}" +"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9","","BuiltIn","SQL","Azure Defender for SQL should be enabled for unprotected Azure SQL servers","Audit SQL servers without Advanced Data Security","Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-16, +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: sqlServerAdvancedDataSecurityMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy 
Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9","","BuiltIn","SQL","Azure Defender for SQL should be enabled for unprotected SQL Managed Instances","Audit each SQL Managed Instance without advanced data security.","Azure_Security_Benchmark_v3.0_DP-2, +Azure_Security_Benchmark_v3.0_LT-1, +Azure_Security_Benchmark_v3.0_LT-2, +Azure_Security_Benchmark_v3.0_IR-3, +Azure_Security_Benchmark_v3.0_IR-5, +NIST_SP_800-53_R5_AC-2(12), +NIST_SP_800-53_R5_AC-16, +NIST_SP_800-53_R5_AU-6, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1), +NIST_SP_800-53_R5_IR-4, +NIST_SP_800-53_R5_IR-5, +NIST_SP_800-53_R5_RA-5, +NIST_SP_800-53_R5_SI-4","ASB: AuditIfNotExists (default: sqlManagedInstanceAdvancedDataSecurityMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"40e85574-ef33-47e8-a854-7a65c7500560","","BuiltIn","SQL","Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled","Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities.","Azure_Security_Benchmark_v3.0_DP-4","ASB: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"32e6bbec-16b6-44c2-be37-c5b672d103cf","","BuiltIn","SQL","Azure SQL Database should be running TLS version 1.2 or newer","Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.","Azure_Security_Benchmark_v3.0_DP-3, +Azure_Security_Benchmark_v3.0_IM-4","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b3a22bc9-66de-45fb-98fa-00f5df42f41a","","BuiltIn","SQL","Azure SQL Database should have Microsoft Entra-only authentication enabled","Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"abda6d70-9778-44e7-84a8-06713e6db027","","BuiltIn","SQL","Azure SQL Database should have Microsoft Entra-only authentication enabled during creation","Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0c28c3fb-c244-42d5-a9bf-f35f2999577b","","BuiltIn","SQL","Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled","Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. 
Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"9dfea752-dd46-4766-aed1-c355fa93fb91","","BuiltIn","SQL","Azure SQL Managed Instances should disable public network access","Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint.","Azure_Security_Benchmark_v3.0_NS-2","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"78215662-041e-49ed-a9dd-5385911b3a1f","","BuiltIn","SQL","Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation","Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"e802a67a-daf5-4436-9ea6-f6d821dd0c5d","","BuiltIn","SQL","Enforce SSL connection should be enabled for MySQL database servers","Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"d158790f-bfb0-486c-8631-2dc6b4e8e6af","","BuiltIn","SQL","Enforce SSL connection should be enabled for PostgreSQL database servers","Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"0ec47710-77ff-4a3d-9181-6aa50af424d0","","BuiltIn","SQL","Geo-redundant backup should be enabled for Azure Database for MariaDB","Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.","Azure_Security_Benchmark_v3.0_BR-1, +Azure_Security_Benchmark_v3.0_BR-2, +NIST_SP_800-53_R5_CP-6, +NIST_SP_800-53_R5_CP-6(1), +NIST_SP_800-53_R5_CP-9","ASB: Audit (default: georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"82339799-d096-41ae-8538-b108becf0970","","BuiltIn","SQL","Geo-redundant backup should be enabled for Azure Database for MySQL","Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","Azure_Security_Benchmark_v3.0_BR-1, +Azure_Security_Benchmark_v3.0_BR-2, +NIST_SP_800-53_R5_CP-6, +NIST_SP_800-53_R5_CP-6(1), +NIST_SP_800-53_R5_CP-9","ASB: Audit (default: georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"48af4db5-9b8b-401c-8e74-076be876a430","","BuiltIn","SQL","Geo-redundant backup should be enabled for Azure Database for PostgreSQL","Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 
Configuring geo-redundant storage for backup is only allowed during server create.","Azure_Security_Benchmark_v3.0_BR-1, +Azure_Security_Benchmark_v3.0_BR-2, +NIST_SP_800-53_R5_CP-6, +NIST_SP_800-53_R5_CP-6(1), +NIST_SP_800-53_R5_CP-9","ASB: Audit (default: georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"3a58212a-c829-4f13-9872-6371df2fd0b4","","BuiltIn","SQL","Infrastructure encryption should be enabled for Azure Database for MySQL servers","Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-3a58212a-c829-4f13-9872-6371df2fd0b4)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"24fba194-95d6-48c0-aea7-f65bf859c598","","BuiltIn","SQL","Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers","Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. 
When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-24fba194-95d6-48c0-aea7-f65bf859c598)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"d38fc420-0735-4ef3-ac11-c806f651a570","","BuiltIn","SQL","Long-term geo-redundant backup should be enabled for Azure SQL Databases","This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.","NIST_SP_800-53_R5_CP-6, +NIST_SP_800-53_R5_CP-6(1)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"83cef61d-dbd1-4b20-a4fc-5fbc7da10833","","BuiltIn","SQL","MySQL servers should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","Disabled","Disabled","","" +"18adea5e-f416-4d0f-8aa8-d24321e3e274","","BuiltIn","SQL","PostgreSQL servers should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. 
Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","Disabled","Disabled","","" +"7698e800-9299-47a6-b3b6-5a0fee576eed","","BuiltIn","SQL","Private endpoint connections on Azure SQL Database should be enabled","Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Audit","Audit","","" +"0a1302fb-a631-4106-9753-f3d494733990","","BuiltIn","SQL","Private endpoint should be enabled for MariaDB servers","Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"7595c971-233d-4bcf-bd18-596129188c49","","BuiltIn","SQL","Private endpoint should be enabled for MySQL servers","Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"0564d078-92f5-4f97-8398-b9f58a51f70b","","BuiltIn","SQL","Private endpoint should be enabled for PostgreSQL servers","Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 
Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1b8ca024-1d5c-4dec-8995-b1a932b41780","","BuiltIn","SQL","Public network access on Azure SQL Database should be disabled","Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect), +NIST-800-53: Audit (default: effect-1b8ca024-1d5c-4dec-8995-b1a932b41780)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"fdccbe47-f3e3-4213-ad5d-ea459b2fa077","","BuiltIn","SQL","Public network access should be disabled for MariaDB servers","Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"d9844e8a-1437-4aeb-a32c-0c992f056095","","BuiltIn","SQL","Public network access should be disabled for MySQL servers","Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b52376f7-9612-48a1-81cd-1ffe4b61032c","","BuiltIn","SQL","Public network access should be disabled for PostgreSQL servers","Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 
This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"ac01ad65-10e5-46df-bdd9-6b0cad13e1d2","","BuiltIn","SQL","SQL managed instances should use customer-managed keys to encrypt data at rest","Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyWithDenyMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"0a370ff3-6cab-4e85-8995-295fd854c5b8","","BuiltIn","SQL","SQL servers should use customer-managed keys to encrypt data at rest","Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. 
This recommendation applies to organizations with a related compliance requirement.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: ensureServerTDEIsEncryptedWithYourOwnKeyWithDenyMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"89099bee-89e0-4b26-a5f4-165451757743","","BuiltIn","SQL","SQL servers with auditing to storage account destination should be configured with 90 days retention or higher","For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.","Azure_Security_Benchmark_v3.0_LT-6, +NIST_SP_800-53_R5_AU-11","ASB: AuditIfNotExists (default: sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"17k78e20-9358-41c9-923c-fb736d382a12","","BuiltIn","SQL","Transparent Data Encryption on SQL databases should be enabled","Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements","Azure_Security_Benchmark_v3.0_DP-4, +NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","ASB: AuditIfNotExists (default: sqlDbEncryptionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"1b7aa243-30e4-4c9e-bca8-d0d3022b634a","","BuiltIn","SQL","Vulnerability assessment should be enabled on SQL Managed Instance","Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.","Azure_Security_Benchmark_v3.0_PV-5, +NIST_SP_800-53_R5_RA-5","ASB: AuditIfNotExists (default: vulnerabilityAssessmentOnManagedInstanceMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9","","BuiltIn","SQL","Vulnerability assessment should be enabled on your SQL servers","Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.","Azure_Security_Benchmark_v3.0_PV-5, +NIST_SP_800-53_R5_RA-5","ASB: AuditIfNotExists (default: vulnerabilityAssessmentOnServerMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"dad3a6b9-4451-492f-a95c-69efc6f3fada","","BuiltIn","Stack HCI","[Preview]: Azure Stack HCI servers should have consistently enforced application control policies","At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (Policy Default)","override: + Audit, + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"5e6bf724-0154-49bc-985f-27b2e07e636b","","BuiltIn","Stack HCI","[Preview]: Azure Stack HCI servers should meet Secured-core requirements","Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. 
Select any setting that is not enabled and click Enable.","Azure_Security_Benchmark_v3.0_PV-4","ASB: AuditIfNotExists (Policy Default)","override: + Audit, + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"ee8ca833-1583-4d24-837e-96c2af9488a4","","BuiltIn","Stack HCI","[Preview]: Azure Stack HCI systems should have encrypted volumes","Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.","Azure_Security_Benchmark_v3.0_DP-5","ASB: AuditIfNotExists (Policy Default)","override: + Audit, + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"36f0d6bc-a253-4df8-b25b-c3a5023ff443","","BuiltIn","Stack HCI","[Preview]: Host and VM networking should be protected on Azure Stack HCI systems","Protect data on the Azure Stack HCI hosts network and on virtual machine network connections.","Azure_Security_Benchmark_v3.0_DP-3","ASB: AuditIfNotExists (Policy Default)","override: + Audit, + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","","BuiltIn","Storage","[Preview]: Storage account public access should be disallowed","Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. 
To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: audit (default: disallowPublicBlobAccessEffect), +NIST-800-53: audit (default: effect-4fa4b6c0-31ca-4c0d-b10d-24b96f62a751)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"1d320205-c6a1-4ac6-873d-46224024e8e2","","BuiltIn","Storage","Azure File Sync should use private link","Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"bf045164-79ba-4215-8f95-f8048dc1780b","","BuiltIn","Storage","Geo-redundant storage should be enabled for Storage Accounts","Use geo-redundancy to create highly available applications","NIST_SP_800-53_R5_CP-6, +NIST_SP_800-53_R5_CP-6(1)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"970f84d8-71b6-4091-9979-ace7e3fb6dbb","","BuiltIn","Storage","HPC Cache accounts should use customer-managed key for encryption","Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-970f84d8-71b6-4091-9979-ace7e3fb6dbb)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"404c3081-a854-4457-ae30-26a93ef643f9","","BuiltIn","Storage","Secure transfer to storage accounts should be enabled","Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","Azure_Security_Benchmark_v3.0_DP-3, +NIST_SP_800-53_R5_SC-8, +NIST_SP_800-53_R5_SC-8(1)","ASB: Audit (default: secureTransferToStorageAccountMonitoringEffect), +NIST-800-53: Audit (default: effect-404c3081-a854-4457-ae30-26a93ef643f9)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"b5ec538c-daa0-4006-8596-35468b9148e8","","BuiltIn","Storage","Storage account encryption scopes should use customer-managed keys to encrypt data at rest","Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-b5ec538c-daa0-4006-8596-35468b9148e8)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"37e0d2fe-28a5-43d6-a273-67d37d1f5606","","BuiltIn","Storage","Storage accounts should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Azure_Security_Benchmark_v3.0_AM-2, +NIST_SP_800-53_R5_AC-3","ASB: Audit (default: classicStorageAccountsMonitoringEffect), +NIST-800-53: Audit (default: effect-37e0d2fe-28a5-43d6-a273-67d37d1f5606)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"4733ea7b-a883-42fe-8cac-97454c2a9e4a","","BuiltIn","Storage","Storage accounts should have infrastructure encryption","Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.","NIST_SP_800-53_R5_SC-28, +NIST_SP_800-53_R5_SC-28(1)","NIST-800-53: Audit (default: effect-4733ea7b-a883-42fe-8cac-97454c2a9e4a)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54","","BuiltIn","Storage","Storage accounts should prevent shared key access","Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. 
Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"34c877ad-507e-4c82-993e-3452a6e0ad3c","","BuiltIn","Storage","Storage accounts should restrict network access","Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Disabled (default: disableUnrestrictedNetworkToStorageAccountMonitoringEffect), +NIST-800-53: Audit (default: effect-34c877ad-507e-4c82-993e-3452a6e0ad3c)","parameter: + Deny, + Audit, + Disabled","Disabled","Disabled","","" +"2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","","BuiltIn","Storage","Storage accounts should restrict network access using virtual network rules","Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. 
Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect), +NIST-800-53: Audit (default: effect-2a1a9cdf-e04d-429a-8416-3bfb72a1b26f)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"6fac406b-40ca-413b-bf8e-0bf964659c25","","BuiltIn","Storage","Storage accounts should use customer-managed key for encryption","Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","Azure_Security_Benchmark_v3.0_DP-5, +NIST_SP_800-53_R5_SC-12","ASB: Disabled (default: storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect), +NIST-800-53: Audit (Policy Default)","parameter: + Audit, + Disabled","Disabled","Disabled","","" +"6edd7eda-6dd8-40f7-810d-67160c639cd9","","BuiltIn","Storage","Storage accounts should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. 
Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: AuditIfNotExists (default: storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"87ba29ef-1ab3-4d82-b763-87fcd4f531f7","","BuiltIn","Stream Analytics","Azure Stream Analytics jobs should use customer-managed keys to encrypt data","Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.","NIST_SP_800-53_R5_SC-12","NIST-800-53: audit (default: effect-87ba29ef-1ab3-4d82-b763-87fcd4f531f7)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"f9be5368-9bf5-4b84-9e0a-7850da98bb46","","BuiltIn","Stream Analytics","Resource logs in Azure Stream Analytics should be enabled","Audit enabling of resource logs. 
This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Azure_Security_Benchmark_v3.0_LT-3, +NIST_SP_800-53_R5_AU-6(4), +NIST_SP_800-53_R5_AU-6(5), +NIST_SP_800-53_R5_AU-12, +NIST_SP_800-53_R5_AU-12(1)","ASB: AuditIfNotExists (default: diagnosticsLogsInStreamAnalyticsMonitoringEffect), +NIST-800-53: AuditIfNotExists (Policy Default)","parameter: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","{""diagnosticsLogsInStreamAnalyticsRetentionDays"":""1""}","{""diagnosticsLogsInStreamAnalyticsRetentionDays"":""1""}" +"f7d52b2d-e161-4dfa-a82b-55e564167385","","BuiltIn","Synapse","Azure Synapse workspaces should use customer-managed keys to encrypt data at rest","Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.","NIST_SP_800-53_R5_SC-12","NIST-800-53: Audit (default: effect-f7d52b2d-e161-4dfa-a82b-55e564167385)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"72d11df1-dd8a-41f7-8925-b05b960ebafc","","BuiltIn","Synapse","Azure Synapse workspaces should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. 
Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" +"6ea81a52-5ca7-4575-9669-eaa910b7edf8","","BuiltIn","Synapse","Synapse Workspaces should have Microsoft Entra-only authentication enabled","Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"2158ddbe-fefa-408e-b43f-d4faef8ff3b8","","BuiltIn","Synapse","Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation","Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. 
Learn more at: https://aka.ms/Synapse.","Azure_Security_Benchmark_v3.0_IM-1","ASB: Audit (Policy Default)","override: + Deny, + Audit, + Disabled","Audit","Audit","","" +"0049a6b3-a662-4f3e-8635-39cf44ace45a","","BuiltIn","Synapse","Vulnerability assessment should be enabled on your Synapse workspaces","Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.","NIST_SP_800-53_R5_RA-5","NIST-800-53: AuditIfNotExists (Policy Default)","override: + AuditIfNotExists, + Disabled","AuditIfNotExists","AuditIfNotExists","","" +"2154edb9-244f-4741-9970-660785bccdaa","","BuiltIn","VM Image Builder","VM Image Builder templates should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.","Azure_Security_Benchmark_v3.0_NS-2, +NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","ASB: Audit (default: vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect), +NIST-800-53: Audit (default: effect-2154edb9-244f-4741-9970-660785bccdaa)","parameter: + Deny, + Audit, + Disabled","Audit","Audit","","" +"eb907f70-7514-460d-92b3-a5ae93b4f917","","BuiltIn","Web PubSub","Azure Web PubSub Service should use private link","Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.","NIST_SP_800-53_R5_AC-4, +NIST_SP_800-53_R5_AC-17, +NIST_SP_800-53_R5_AC-17(1), +NIST_SP_800-53_R5_SC-7, +NIST_SP_800-53_R5_SC-7(3)","NIST-800-53: Audit (Policy Default)","override: + Audit, + Disabled","Audit","Audit","","" diff --git a/StarterKit/hkDefinitions/policyAssignments/tag-assignments.jsonc b/StarterKit/hkDefinitions/policyAssignments/tag-assignments.jsonc new file mode 100644 index 00000000..11a9b008 --- /dev/null +++ b/StarterKit/hkDefinitions/policyAssignments/tag-assignments.jsonc 
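Review bot: The Stream Analytics row ("Resource logs in Azure Stream Analytics should be enabled") carries a parameter of `{"diagnosticsLogsInStreamAnalyticsRetentionDays":"1"}` in both parameter columns, which is a one-day retention; the same sheet recommends 90 days or more for SQL auditing retention, so confirm that a one-day value is intended rather than a placeholder. Minor: several Storage rows record the ASB effect as lowercase `audit` (for example the "Storage account public access should be disallowed" and "Azure Stream Analytics jobs should use customer-managed keys" rows) while the rest of the sheet uses `Audit`; normalising the casing keeps the column sortable.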
@@ -0,0 +1,125 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", + // Modify Policies for required tags --- use this comment to trigger deployment + "nodeName": "/Tags/", + "parameters": { + "excludedRG": [ + "synapseworkspace-managedrg-*", + "databricks-rg-*", + "managed*", + "DefaultResourceGroup*", + "NetworkWatcherRG*", + "LogAnalyticsDefaultR*", + "Orca-Security*", + "rg-terraform*", + "cloud-shell-storage*" + ] + }, + "children": [ + { + "nodeName": "required-and-inherit/", + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-enterprise" + ] + }, + "definitionEntryList": [ + { + "policyName": "7ce92201-8036-4d55-938e-0dce0a5bc475", + "displayName": "Require Tag on Resource Group with dynamic notScope", + "assignment": { + "name": "rgtag-", + "displayName": "Require Tag on Resource Group - ", + "description": "Require Tag for Resource Groups when any resource group (not listed in in excludedRg) is created or updated - " + } + }, + { + "policyName": "5cc2cbfc-e306-4ec6-a141-eea3c79bb2ae", + "displayName": "Inherit Tag from Resource Group with dynamic notScope", + "assignment": { + "name": "taginh-", + "displayName": "Inherit Tag from Resource Group - ", + "description": "Modify Tag to comply with governance goal of enforcing Tags by inheriting Tags from RG - " + } + } + ], + "children": [ + { + "nodeName": "Example", + "assignment": { + "name": "Example", + "displayName": "Example", + "description": "Example" + }, + "parameters": { + "tagName": "Example" + } + }, + { + "nodeName": "Environment", + "assignment": { + "name": "Environment", + "displayName": "Environment", + "description": "Environment" + }, + "parameters": { + "tagName": "Environment" + } + } + ] + }, + { + "nodeName": "Environment/", + "definitionEntry": { + "policyName": 
"2076e19d-45f9-4564-a459-bb5a0aeaff85", + "displayName": "Add/Replace Tag on Resource Group with dynamic notScope" + }, + "parameters": { + "tagName": "Environment" + }, + "children": [ + { + "nodeName": "PROD", + "assignment": { + "name": "prod-env-tag", + "displayName": "Prod Environment Tag", + "description": "Set Tag Environment to PROD" + }, + "parameters": { + "tagValue": "PROD" + }, + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev-prod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-prod" + ] + } + }, + { + "nodeName": "NONPROD", + "assignment": { + "name": "prod-env-tag", + "displayName": "NonProd Environment Tag", + "description": "Set Tag Environment to NONPROD" + }, + "parameters": { + "tagValue": "NONPROD" + }, + "scope": { + "epac-dev": [ + "/providers/Microsoft.Management/managementGroups/mg-epac-dev-nonprod" + ], + "tenant": [ + "/providers/Microsoft.Management/managementGroups/mg-nonprod" + ] + } + } + ] + } + ] +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyDefinitions/Defender/mdc-workload-protection-enrollment.json b/StarterKit/hkDefinitions/policyDefinitions/Defender/mdc-workload-protection-enrollment.json new file mode 100644 index 00000000..ab5ac7ba --- /dev/null +++ b/StarterKit/hkDefinitions/policyDefinitions/Defender/mdc-workload-protection-enrollment.json 
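Review bot: The `NONPROD` child reuses the assignment name `"prod-env-tag"` that the `PROD` child already uses; the two land at different scopes so deployment may not reject it, but the name is misleading and will collide if the scopes ever overlap, so rename it (for example `nonprod-env-tag`). Also in this file: the `required-and-inherit/` node references `policyName` `7ce92201-8036-4d55-938e-0dce0a5bc475`, which is not one of the definitions added by this patch (the required-tag definition added here is `c0e2f9e2-c21d-4197-a54d-4a0c38738704`), so confirm that id exists in the repo; the `Example` child would actually deploy a required/inherited tag named `Example` and should be removed or clearly marked as a template; and the description "not listed in in excludedRg" has a doubled "in".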
@@ -0,0 +1,88 @@ +{ + "name": "90c1d98c-7ad3-4ea3-89c4-6abd261e437", + "properties": { + "displayName": "MDC Workload Protection Enrollment", + "mode": "All", + "description": "Enroll subscriptions in a specific Microsoft Defender for Cloud Workload Protection.", + "metadata": { + "version": "1.0.2", + "category": "Security Center" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Deploy the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "workLoadProtection": { + "type": "String", + "metadata": { + "displayName": "Defender workload protection name", + "description": "Valid choices (om 7/27/2023) are: AppServices, Arm, ContainerRegistry, Containers, CloudPosture, Dns, KeyVaults, KubernetesService, OpenSourceRelationalDatabases, VirtualMachines. Do not use this Policy (use built-in Policies instead) for SQL and Storage" + }, + "defaultValue": "Arm" + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "name": "[parameters('workLoadProtection')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "existenceCondition": { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "Standard" + }, + "deployment": { + "location": "eastus2", + "properties": { + "mode": "incremental", + "parameters": { + "workLoadProtection": { + "value": "[parameters('workLoadProtection')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceProvider": { + "type": 
"String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "[parameters('workLoadProtection')]", + "properties": { + "pricingTier": "Standard" + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-inherit-rg-tag-dynamic-notscope.json b/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-inherit-rg-tag-dynamic-notscope.json new file mode 100644 index 00000000..f23abcb4 --- /dev/null +++ b/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-inherit-rg-tag-dynamic-notscope.json 
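Review bot: The nested deployment template declares a single parameter `resourceProvider`, but the `deployment.properties.parameters` block passes `workLoadProtection` and the template's `resources` entry reads `[parameters('workLoadProtection')]`; ARM will reject the deployment for an undeclared/unused parameter, so the template `parameters` block should declare `workLoadProtection` (type `String`) instead of `resourceProvider`. Also: the definition `name` `90c1d98c-7ad3-4ea3-89c4-6abd261e437` has an 11-character final segment and is not a valid GUID; `roleDefinitionIds` grants Owner (`8e3af657-...`) to the remediation identity, which is far more than enabling a Defender plan requires, so consider a narrower role such as Security Admin; and the `workLoadProtection` description has "om 7/27/2023" for "on".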
@@ -0,0 +1,123 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json", + "name": "5cc2cbfc-e306-4ec6-a141-eea3c79bb2ae", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Inherit Tag from Resource Group with dynamic notScope", + "policyType": "Custom", + "description": "Resources inherit a tag from the resource group. It allows for resource groups and resource types to be excluded from this.", + "mode": "Indexed", + "metadata": { + "version": "1.0.1", + "category": "Tags" + }, + "parameters": { + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Disabled", + "Audit", + "Deny", + "Modify" + ], + "defaultValue": "Modify" + }, + "tagName": { + "type": "String", + "metadata": { + "displayName": "Tag Name", + "description": "Name of the tag, such as 'environment'" + } + }, + "excludedRG": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Groups", + "description": "This array contains all excluded RGs from this policy" + }, + "defaultValue": [ + "synapseworkspace-managedrg-*", + "databricks*", + "managed-rg-*", + "LogAnalyticsDefaultR*", + "DefaultResourceGroup*", + "NetworkWatcherRG*", + "Orca-Security*" + ] + }, + "excludedResourceTypes": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Types", + "description": "Exclude certain resource types from this policy" + }, + "defaultValue": [ + "Microsoft.Network/firewallPolicies", + "Microsoft.Media/mediaservices/liveevents", + "Microsoft.Sql/virtualclusters", + "Microsoft.Logic/integrationServiceEnvironments/managedApis", + "Microsoft.ManagedIdentity/userAssignedIdentities", + "microsoft.sql/servers/databases", + "microsoft.sql/managedinstances/databases", + "microsoft.compute/virtualmachines/extensions", + 
"Microsoft.OperationsManagement/solutions" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "count": { + "value": "[parameters('excludedResourceTypes')]", + "name": "excludedResourceTypes", + "where": { + "field": "type", + "like": "[current('excludedResourceTypes')]" + } + }, + "equals": 0 + }, + { + "field": "[concat('tags[', parameters('tagName'), ']')]", + "notEquals": "[resourceGroup().tags[parameters('tagName')]]" + }, + { + "value": "[resourceGroup().tags[parameters('tagName')]]", + "notEquals": "" + }, + { + "count": { + "value": "[parameters('excludedRG')]", + "name": "excludedRG", + "where": { + "value": "[resourceGroup().name]", + "like": "[current('excludedRG')]" + } + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "operations": [ + { + "operation": "addOrReplace", + "field": "[concat('tags[', parameters('tagName'), ']')]", + "value": "[resourceGroup().tags[parameters('tagName')]]" + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-required-tag-dynamic-notscope.jsonc b/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-required-tag-dynamic-notscope.jsonc new file mode 100644 index 00000000..aecefd68 --- /dev/null +++ b/StarterKit/hkDefinitions/policyDefinitions/Tagging/resources-required-tag-dynamic-notscope.jsonc 
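Review bot: The `excludedRG` default here (`databricks*`, `managed-rg-*`, `LogAnalyticsDefaultR*`, `NetworkWatcherRG*`, `Orca-Security*`) does not match the defaults in the sibling required-tag definition (`databricks-*`, `LogAnalyticsDefault*`, `NetworkWatcherRG` with no wildcard, `cloud-shell-storage*`) or the `excludedRG` list in `tag-assignments.jsonc`; since the assignment file overrides all three definitions with one list, align the definition defaults so behaviour is predictable when a definition is assigned on its own. Also, `roleDefinitionIds` grants Contributor (`b24988ac-...`) for a Modify that only writes tags; a tag-scoped role is sufficient and is the least-privilege choice for the remediation identity.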
@@ -0,0 +1,131 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json", + "name": "c0e2f9e2-c21d-4197-a54d-4a0c38738704", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Resources Require Tag on resources with Exclusions", + "policyType": "Custom", + "mode": "Indexed", + "description": "Resources require tag if type listed in resourceTypeList. It allows for resource groups and resource types to be excluded from this.", + "metadata": { + "version": "1.0.0", + "category": "Tags" + }, + "parameters": { + "tagName": { + "type": "String", + "metadata": { + "displayName": "Tag Name", + "description": "Name of the tag, such as 'environment'" + } + }, + "resourceTypeList": { + "type": "array", + "metadata": { + "displayName": "Resource Types to Deploy Diagnostics", + "description": "List of Resource Types included for deployment. An empty list is equivalent to all Resource Types", + "strongType": "resourceTypes" + }, + "defaultValue": [] + }, + "excludedResourceTypes": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Types", + "description": "Exclude certain resource types from this policy, if all resourceTypes are selected by using an empty resourceTypeList" + }, + "defaultValue": [ + "Microsoft.Network/firewallPolicies", + "Microsoft.Media/mediaservices/liveevents", + "Microsoft.Sql/virtualclusters", + "Microsoft.Logic/integrationServiceEnvironments/managedApis", + "Microsoft.ManagedIdentity/userAssignedIdentities", + "microsoft.sql/servers/databases", + "microsoft.sql/managedinstances/databases", + "microsoft.compute/virtualmachines/extensions", + "Microsoft.OperationsManagement/solutions" + ] + }, + "excludedRG": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Groups", + "description": "This array contains all excluded RGs from this policy" + }, + "defaultValue": [ + "synapseworkspace-managedrg-*", + 
"managed-rg-*", + "databricks-*", + "DefaultResourceGroup*", + "NetworkWatcherRG", + "LogAnalyticsDefault*", + "cloud-shell-storage*" + ] + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "anyOf": [ + { + "field": "type", + "in": "[parameters('resourceTypeList')]" + }, + { + "allOf": [ + { + "value": "[length(parameters('resourceTypeList'))]", + "equals": 0 + }, + { + "count": { + "value": "[parameters('excludedResourceTypes')]", + "name": "excludedResourceTypes", + "where": { + "field": "type", + "like": "[current('excludedResourceTypes')]" + } + }, + "equals": 0 + } + ] + } + ] + }, + { + "field": "[concat('tags[', parameters('tagName'), ']')]", + "exists": "true" + }, + { + "count": { + "value": "[parameters('excludedRG')]", + "name": "excludedRG", + "where": { + "value": "[resourceGroup().name]", + "like": "[current('excludedRG')]" + } + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-addreplace-tag-dynamic-notscope.json b/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-addreplace-tag-dynamic-notscope.json new file mode 100644 index 00000000..f7ef855d --- /dev/null +++ b/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-addreplace-tag-dynamic-notscope.json 
@@ -0,0 +1,100 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json", + "name": "2076e19d-45f9-4564-a459-bb5a0aeaff85", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Add/Replace Tag on Resource Group with dynamic notScope", + "policyType": "Custom", + "mode": "All", + "description": "Adds or replaces the specified tag and value when any resource group (not listed in in excludedRg) is created or updated. Existing resource groups can be remediated by triggering a remediation task. ", + "metadata": { + "version": "1.0.1", + "category": "Tags" + }, + "parameters": { + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Modify", + "Disabled" + ], + "defaultValue": "Modify" + }, + "tagName": { + "type": "String", + "metadata": { + "displayName": "Tag Name", + "description": "Name of the tag, such as 'environment'" + } + }, + "tagValue": { + "type": "String", + "metadata": { + "displayName": "Tag Value", + "description": "Value of the tag, such as 'production'" + } + }, + "excludedRG": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Groups", + "description": "This array contains all dynamically excluded RGs from this policy" + }, + "defaultValue": [ + "synapseworkspace-managedrg-*", + "databricks*", + "managed-rg-*", + "DefaultResourceGroup*", + "LogAnalyticsDefaultR*", + "NetworkWatcherRG*" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/resourceGroups" + }, + { + "field": "[concat('tags[', parameters('tagName'), ']')]", + "notEquals": "[parameters('tagValue')]" + }, + { + "count": { + "value": "[parameters('excludedRG')]", + "name": "excludedRG", + "where": { + "field": "name", + "like": 
"[current('excludedRG')]" + } + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "operations": [ + { + "operation": "addOrReplace", + "field": "[concat('tags[', parameters('tagName'), ']')]", + "value": "[parameters('tagValue')]" + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-required-tag-dynamic-notscope.json b/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-required-tag-dynamic-notscope.json new file mode 100644 index 00000000..95d11c56 --- /dev/null +++ b/StarterKit/hkDefinitions/policyDefinitions/Tagging/rg-required-tag-dynamic-notscope.json 
@@ -0,0 +1,80 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json", + "name": "7ce92201-8036-4d55-938e-0dce0a5bc475", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Require Tag on Resource Group with dynamic notScope", + "policyType": "Custom", + "mode": "All", + "description": "This policy requires a tag on resource groups when any resource group (not listed in in excludedRg) is created or updated.", + "metadata": { + "version": "1.0.1", + "category": "Tags" + }, + "parameters": { + "tagName": { + "type": "String", + "metadata": { + "displayName": "Tag Name", + "description": "Name of the tag, such as 'environment'" + } + }, + "excludedRG": { + "type": "Array", + "metadata": { + "displayName": "Excluded Resource Groups", + "description": "This array contains all excluded RGs from this policy" + }, + "defaultValue": [ + "synapseworkspace-managedrg-*", + "databricks*", + "LogAnalyticsDefaultR*", + "managed-rg-*", + "DefaultResourceGroup*", + "NetworkWatcherRG*" + ] + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/resourceGroups" + }, + { + "field": "[concat('tags[', parameters('tagName'), ']')]", + "exists": "true" + }, + { + "count": { + "value": "[parameters('excludedRG')]", + "name": "ExcludedRG", + "where": { + "field": "name", + "like": "[current('excludedRG')]" + } + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/StarterKit/hkDefinitions/policyDocumentations/contoso.jsonc b/StarterKit/hkDefinitions/policyDocumentations/contoso.jsonc new file mode 100644 index 00000000..44715e0b --- /dev/null +++ b/StarterKit/hkDefinitions/policyDocumentations/contoso.jsonc 
@@ -0,0 +1,72 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-documentation-schema.json", + "documentAssignments": { + "environmentCategories": [ + { + "pacEnvironment": "tenant", + "environmentCategory": "prod", + "scopes": [ + "Management Group: Contoso-Prod" + ], + "representativeAssignments": [ + { + "shortName": "ASB", + "id": "/providers/Microsoft.Management/managementGroups/mg-prod/providers/Microsoft.Authorization/policyAssignments/pr-asb" + }, + { + "shortName": "NIST-800-53", + "id": "/providers/Microsoft.Management/managementGroups/mg-prod/providers/Microsoft.Authorization/policyAssignments/pr-nist-800-53-r5" + } + ] + }, + { + "pacEnvironment": "tenant", + "environmentCategory": "nonprod", + "scopes": [ + "Management Group: Contoso-NonProd" + ], + "representativeAssignments": [ + { + "shortName": "ASB", + "id": "/providers/Microsoft.Management/managementGroups/mg-nonprod/providers/Microsoft.Authorization/policyAssignments/np-asb" + }, + { + "shortName": "NIST-800-53", + "id": "/providers/Microsoft.Management/managementGroups/mg-nonprod/providers/Microsoft.Authorization/policyAssignments/np-nist-800-53-r5" + } + ] + } + ], + "documentationSpecifications": [ + { + "fileNameStem": "contoso-policy-effects", + "environmentCategories": [ + "prod", + "nonprod" + ], + "title": "Contoso Policy effects" + } + ] + }, + "documentPolicySets": [ + { + "pacEnvironment": "epac-dev", + "fileNameStem": "contoso-compliance-initiatives", + "title": "Document Initiatives", + "policySets": [ + { + "shortName": "ASB", + "id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" + }, + { + "shortName": "NIST-800-53", + "id": "/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f" + } + ], + "environmentColumnsInCsv": [ + "prod", + "nonprod" + ] + } + ] +} \ No newline at end of file
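Review bot: In the `policyRule` of `resources-require-tag-with-exclusions.json`, the tag condition `"exists": "true"` makes the `if` block match resources that already carry `tagName`, so with `Audit` or `Deny` the policy flags tagged resources and passes untagged ones, the opposite of what `displayName` and `description` state; a require-tag rule needs `"exists": "false"`. Also, the `resourceTypeList` metadata still reads `"displayName": "Resource Types to Deploy Diagnostics"` and `"List of Resource Types included for deployment"`, which looks copied from a diagnostics policy and should describe tag enforcement, and the parameter `type` values mix `"String"`/`"string"` and `"array"`/`"Array"` (Azure Policy accepts both, but one casing would be consistent with the other two definitions).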
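Review bot: In `rg-addreplace-tag-dynamic-notscope.json`, `then.details` (`roleDefinitionIds` and the `addOrReplace` operation) only applies to the `Modify` effect, yet `effect.allowedValues` also offers `Audit` and `Deny`; either restrict `allowedValues` to `Modify` and `Disabled` or confirm that Azure accepts a `details` block with those effects. The remediation identity is granted `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor), which is far broader than writing a tag; the built-in Tag Contributor role is sufficient for `addOrReplace` on `tags[...]` and keeps the managed identity least-privileged. Minor: `description` has a doubled word, "not listed in in excludedRg".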
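Review bot: In `rg-required-tag-dynamic-notscope.json`, the same inversion as in the resources policy: `"exists": "true"` on `tags[tagName]` matches resource groups that already have the tag, so `Audit`/`Deny` would report tagged resource groups as non-compliant; change it to `"exists": "false"` to require the tag. The `count` alias is declared as `"name": "ExcludedRG"` but the `where` clause references `current('excludedRG')`; the other two definitions use identical casing in both places, and this one should too so the lookup does not depend on case-insensitive matching. `description` again reads "not listed in in excludedRg".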
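Review bot: In `contoso.jsonc`, `documentPolicySets[0].pacEnvironment` is `epac-dev` while both `environmentCategories` entries use `tenant`; if the same deployment is meant, use one value, otherwise a short comment (the file is `.jsonc`) explaining why policy set documentation is read from the dev environment would help the next reader. The `scopes` labels (`Management Group: Contoso-Prod`, `Management Group: Contoso-NonProd`) and the assignment ids (`managementGroups/mg-prod`, `managementGroups/mg-nonprod`) use different management-group names; confirm they denote the same scopes so the generated document is not misleading.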