Created
March 30, 2023 02:11
-
-
Save anwather/fe51681a45703dde523f46f95f9f7638 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Microsoft Cloud Security Benchmark | |
| Auto-generated Policy effect documentation across environments 'Production' sorted by Policy category and Policy display name. | |
| ## Table of contents | |
| - [Environments](#environments) | |
| - [Policy effects across environments](#policy-effects-across-environment) | |
| ## <a id="environments"></a>Environments | |
| ### **Production environment** | |
| Scopes | |
| - Management Group: Root | |
| Assignment | |
| - PolicySet: Azure Security Benchmark | |
| - Type: BuiltIn | |
| - Category: Security Center | |
| - Description: The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v3, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. | |
| <br/> | |
| ## <a id='policy-effects-across-environment'></a>Policy effects across environment | |
| <br/> | |
| | Category | Policy | Production | | |
| | :------- | :----- | :-----: | | |
| | API Management | **API Management services should use a virtual network**<br/>Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | App Configuration | **App Configuration should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Platform | **Azure Spring Cloud should use network injection**<br/>Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | App Service | **App Service apps should have 'Client Certificates (Incoming client certificates)' enabled**<br/>Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*Disabled* | | |
| | App Service | **App Service apps should have remote debugging turned off**<br/>Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps should have resource logs enabled**<br/>Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps should not have CORS configured to allow every resource to access your apps**<br/>Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps should only be accessible over HTTPS**<br/>Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled* | | |
| | App Service | **App Service apps should require FTPS only**<br/>Enable FTPS enforcement for enhanced security.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps should use managed identity**<br/>Use a managed identity for enhanced authentication security<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps should use the latest TLS version**<br/>Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3<br/> Azure_Security_Benchmark_v3.0_NS-8 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps that use Java should use the latest 'Java version'**<br/>Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps that use PHP should use the latest 'PHP version'**<br/>Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **App Service apps that use Python should use the latest 'Python version'**<br/>Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps should have 'Client Certificates (Incoming client certificates)' enabled**<br/>Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*Disabled* | | |
| | App Service | **Function apps should have remote debugging turned off**<br/>Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps should not have CORS configured to allow every resource to access your apps**<br/>Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps should only be accessible over HTTPS**<br/>Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled* | | |
| | App Service | **Function apps should require FTPS only**<br/>Enable FTPS enforcement for enhanced security.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps should use managed identity**<br/>Use a managed identity for enhanced authentication security<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps should use the latest TLS version**<br/>Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3<br/> Azure_Security_Benchmark_v3.0_NS-8 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps that use Java should use the latest 'Java version'**<br/>Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | App Service | **Function apps that use Python should use the latest 'Python version'**<br/>Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps since Python is not supported on Windows apps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Automation | **Automation account variables should be encrypted**<br/>It is important to enable encryption of Automation account variable assets when storing sensitive data<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Backup | **Azure Backup should be enabled for Virtual Machines**<br/>Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_BR-1<br/> Azure_Security_Benchmark_v3.0_BR-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Batch | **Resource logs in Batch accounts should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Cache | **Azure Cache for Redis should use private link**<br/>Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Cache | **Only secure connections to your Azure Cache for Redis should be enabled**<br/>Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Cognitive Services | **Cognitive Services accounts should disable public network access**<br/>To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Cognitive Services | **Cognitive Services accounts should enable data encryption with a customer-managed key**<br/>Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Cognitive Services | **Cognitive Services accounts should restrict network access**<br/>Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Compute | **Virtual machines should be migrated to new Azure Resource Manager resources**<br/>Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_AM-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Container Registry | **Container registries should be encrypted with a customer-managed key**<br/>Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Container Registry | **Container registries should not allow unrestricted network access**<br/>Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Container Registry | **Container registries should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Cosmos DB | **Azure Cosmos DB accounts should have firewall rules**<br/>Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Cosmos DB | **Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest**<br/>Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **disabled**<br/>*audit*<br/>*deny* | | |
| | Cosmos DB | **Cosmos DB database accounts should have local authentication methods disabled**<br/>Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-1 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Data Lake | **Resource logs in Azure Data Lake Store should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Data Lake | **Resource logs in Data Lake Analytics should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Event Grid | **Azure Event Grid domains should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Event Grid | **Azure Event Grid topics should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Event Hub | **Resource logs in Event Hub should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | General | **Audit usage of custom RBAC roles**<br/>Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-7 | **Audit**<br/>*Disabled* | | |
| | Guest Configuration | **[Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.**<br/>By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **[Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.**<br/>By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data.Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Authentication to Linux machines should require SSH keys**<br/>Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Linux machines should have Log Analytics agent installed on Azure Arc**<br/>Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Linux machines should meet requirements for the Azure compute security baseline**<br/>Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Windows Defender Exploit Guard should be enabled on your machines**<br/>Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-2<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Windows machines should have Log Analytics agent installed on Azure Arc**<br/>Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Windows machines should meet requirements of the Azure compute security baseline**<br/>Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Guest Configuration | **Windows web servers should be configured to use secure communication protocols**<br/>To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Internet of Things | **Resource logs in IoT Hub should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Key Vault | **[Preview]: Certificates should have the specified maximum validity period**<br/>Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-7 | **disabled**<br/>*audit*<br/>*deny* | | |
| | Key Vault | **Azure Key Vault should have firewall enabled**<br/>Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Key Vault | **Azure Key Vaults should use private link**<br/>Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Key Vault | **Key Vault keys should have an expiration date**<br/>Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-6 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Key Vault | **Key Vault secrets should have an expiration date**<br/>Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-6 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Key Vault | **Key vaults should have purge protection enabled**<br/>Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Key Vault | **Key vaults should have soft delete enabled**<br/>Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Key Vault | **Resource logs in Key Vault should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Kubernetes | **[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed**<br/>Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Kubernetes | **[Preview]: Kubernetes clusters should gate deployment of vulnerable images**<br/>Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Kubernetes | **Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed**<br/>The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Kubernetes | **Azure Kubernetes Service clusters should have Defender profile enabled**<br/>Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **Audit**<br/>*Disabled* | | |
| | Kubernetes | **Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters**<br/>Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*Disabled* | | |
| | Kubernetes | **Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits**<br/>Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster containers should not share host process ID or host IPC namespace**<br/>Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster containers should only use allowed AppArmor profiles**<br/>Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster containers should only use allowed capabilities**<br/>Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster containers should only use allowed images**<br/>Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster containers should run with a read only root file system**<br/>Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster pod hostPath volumes should only use allowed host paths**<br/>Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster pods and containers should only run with approved user and group IDs**<br/>Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster pods should only use approved host network and port range**<br/>Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster services should listen only on allowed ports**<br/>Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes cluster should not allow privileged containers**<br/>Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes clusters should be accessible only over HTTPS**<br/>Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes clusters should disable automounting API credentials**<br/>Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes clusters should not allow container privilege escalation**<br/>Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities**<br/>To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Kubernetes clusters should not use the default namespace**<br/>Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-2 | **Audit**<br/>*disabled*<br/>*audit*<br/>*deny* | | |
| | Kubernetes | **Resource logs in Azure Kubernetes Service should be enabled**<br/>Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | **AuditIfNotExists**<br/>*Disabled* | | |
| | Logic Apps | **Resource logs in Logic Apps should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Machine Learning | **Azure Machine Learning workspaces should be encrypted with a customer-managed key**<br/>Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Machine Learning | **Azure Machine Learning workspaces should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Monitoring | **[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines**<br/>This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Monitoring | **[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines**<br/>This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Monitoring | **[Preview]: Network traffic data collection agent should be installed on Linux virtual machines**<br/>Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Monitoring | **[Preview]: Network traffic data collection agent should be installed on Windows virtual machines**<br/>Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Network | **[Preview]: All Internet traffic should be routed via your deployed Azure Firewall**<br/>Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Network | **Azure Web Application Firewall should be enabled for Azure Front Door entry-points**<br/>Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-6 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Network | **Network Watcher should be enabled**<br/>Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Network | **Web Application Firewall (WAF) should be enabled for Application Gateway**<br/>Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-6 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Search | **Resource logs in Search services should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines**<br/>Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets**<br/>Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines**<br/>Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets**<br/>Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: Secure Boot should be enabled on supported Windows virtual machines**<br/>Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **Audit**<br/>*Disabled* | | |
| | Security Center | **[Preview]: System updates should be installed on your machines (powered by Update Center)**<br/>Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **[Preview]: vTPM should be enabled on supported virtual machines**<br/>Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **Audit**<br/>*Disabled* | | |
| | Security Center | **A maximum of 3 owners should be designated for your subscription**<br/>It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **A vulnerability assessment solution should be enabled on your virtual machines**<br/>Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Accounts with owner permissions on Azure resources should be MFA enabled**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Accounts with read permissions on Azure resources should be MFA enabled**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Accounts with write permissions on Azure resources should be MFA enabled**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Adaptive application controls for defining safe applications should be enabled on your machines**<br/>Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_AM-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Adaptive network hardening recommendations should be applied on internet facing virtual machines**<br/>Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-1<br/> Azure_Security_Benchmark_v3.0_NS-7 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **All network ports should be restricted on network security groups associated to your virtual machine**<br/>Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Allowlist rules in your adaptive application control policy should be updated**<br/>Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_AM-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Authorized IP ranges should be defined on Kubernetes Services**<br/>Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | Security Center | **Auto provisioning of the Log Analytics agent should be enabled on your subscription**<br/>To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure DDoS Protection Standard should be enabled**<br/>DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for App Service should be enabled**<br/>Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for Azure SQL Database servers should be enabled**<br/>Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-2<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for DNS should be enabled**<br/>Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2<br/> Azure_Security_Benchmark_v3.0_NS-10 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for Key Vault should be enabled**<br/>Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-8<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for open-source relational databases should be enabled**<br/>Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-2<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for Resource Manager should be enabled**<br/>Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for servers should be enabled**<br/>Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-1<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for SQL servers on machines should be enabled**<br/>Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-2<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Azure Defender for Storage should be enabled**<br/>Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-2<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Blocked accounts with owner permissions on Azure resources should be removed**<br/>Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Blocked accounts with read and write permissions on Azure resources should be removed**<br/>Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Container registry images should have vulnerability findings resolved**<br/>Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DS-6<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Deprecated accounts should be removed from your subscription**<br/>Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Deprecated accounts with owner permissions should be removed from your subscription**<br/>Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Email notification for high severity alerts should be enabled**<br/>To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Email notification to subscription owner for high severity alerts should be enabled**<br/>To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Endpoint protection health issues should be resolved on your machines**<br/>Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-2<br/> Azure_Security_Benchmark_v3.0_ES-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Endpoint protection should be installed on your machines**<br/>To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Endpoint protection solution should be installed on virtual machine scale sets**<br/>Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **External accounts with owner permissions should be removed from your subscription**<br/>External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **External accounts with read permissions should be removed from your subscription**<br/>External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **External accounts with write permissions should be removed from your subscription**<br/>External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Guest accounts with owner permissions on Azure resources should be removed**<br/>External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Guest accounts with read permissions on Azure resources should be removed**<br/>External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Guest accounts with write permissions on Azure resources should be removed**<br/>External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Guest Configuration extension should be installed on your machines**<br/>To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Internet-facing virtual machines should be protected with network security groups**<br/>Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **IP Forwarding on your virtual machine should be disabled**<br/>Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring**<br/>This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring**<br/>Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Management ports of virtual machines should be protected with just-in-time network access control**<br/>Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-3<br/> Azure_Security_Benchmark_v3.0_PA-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Management ports should be closed on your virtual machines**<br/>Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **MFA should be enabled for accounts with write permissions on your subscription**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **MFA should be enabled on accounts with owner permissions on your subscription**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **MFA should be enabled on accounts with read permissions on your subscription**<br/>Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Microsoft Defender CSPM should be enabled**<br/>Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **Disabled**<br/>*AuditIfNotExists* | | |
| | Security Center | **Microsoft Defender for Containers should be enabled**<br/>Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers**<br/>Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **Audit**<br/>*Disabled* | | |
| | Security Center | **Monitor missing Endpoint Protection in Azure Security Center**<br/>Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_ES-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Non-internet-facing virtual machines should be protected with network security groups**<br/>Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Role-Based Access Control (RBAC) should be used on Kubernetes Services**<br/>To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-7 | **Audit**<br/>*Disabled* | | |
| | Security Center | **Running container images should have vulnerability findings resolved**<br/>Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DS-6<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **SQL databases should have vulnerability findings resolved**<br/>Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **SQL servers on machines should have vulnerability findings resolved**<br/>SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Subnets should be associated with a Network Security Group**<br/>Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-1 | **Disabled**<br/>*AuditIfNotExists* | | |
| | Security Center | **Subscriptions should have a contact email address for security issues**<br/>To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **System updates on virtual machine scale sets should be installed**<br/>Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **System updates should be installed on your machines**<br/>Missing security system updates on your servers will be monitored by Azure Security Center as recommendations<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **There should be more than one owner assigned to your subscription**<br/>It is recommended to designate more than one subscription owner in order to have administrator access redundancy.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PA-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources**<br/>By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity**<br/>The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-3<br/> Azure_Security_Benchmark_v3.0_PV-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Vulnerabilities in container security configurations should be remediated**<br/>Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DS-6<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Vulnerabilities in security configuration on your machines should be remediated**<br/>Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Security Center | **Vulnerabilities in security configuration on your virtual machine scale sets should be remediated**<br/>Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Service Bus | **Resource logs in Service Bus should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Service Fabric | **Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign**<br/>Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Service Fabric | **Service Fabric clusters should only use Azure Active Directory for client authentication**<br/>Audit usage of client authentication only via Azure Active Directory in Service Fabric<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-1 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | SignalR | **Azure SignalR Service should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **An Azure Active Directory administrator should be provisioned for MySQL servers**<br/>Audit provisioning of an Azure Active Directory administrator for your MySQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **An Azure Active Directory administrator should be provisioned for PostgreSQL servers**<br/>Audit provisioning of an Azure Active Directory administrator for your PostgreSQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **An Azure Active Directory administrator should be provisioned for SQL servers**<br/>Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IM-1 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Auditing on SQL server should be enabled**<br/>Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Azure Defender for SQL should be enabled for unprotected Azure SQL servers**<br/>Audit SQL servers without Advanced Data Security<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Azure Defender for SQL should be enabled for unprotected SQL Managed Instances**<br/>Audit each SQL Managed Instance without advanced data security.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-2<br/> Azure_Security_Benchmark_v3.0_IR-3<br/> Azure_Security_Benchmark_v3.0_IR-5<br/> Azure_Security_Benchmark_v3.0_LT-1<br/> Azure_Security_Benchmark_v3.0_LT-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Azure SQL Database should have Azure Active Directory Only Authentication enabled**<br/>Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | SQL | **Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled**<br/>Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | SQL | **Enforce SSL connection should be enabled for MySQL database servers**<br/>Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled* | | |
| | SQL | **Enforce SSL connection should be enabled for PostgreSQL database servers**<br/>Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled* | | |
| | SQL | **Geo-redundant backup should be enabled for Azure Database for MariaDB**<br/>Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_BR-1<br/> Azure_Security_Benchmark_v3.0_BR-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **Geo-redundant backup should be enabled for Azure Database for MySQL**<br/>Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_BR-1<br/> Azure_Security_Benchmark_v3.0_BR-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **Geo-redundant backup should be enabled for Azure Database for PostgreSQL**<br/>Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_BR-1<br/> Azure_Security_Benchmark_v3.0_BR-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **MySQL servers should use customer-managed keys to encrypt data at rest**<br/>Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*AuditIfNotExists* | | |
| | SQL | **PostgreSQL servers should use customer-managed keys to encrypt data at rest**<br/>Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*AuditIfNotExists* | | |
| | SQL | **Private endpoint connections on Azure SQL Database should be enabled**<br/>Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **Private endpoint should be enabled for MariaDB servers**<br/>Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Private endpoint should be enabled for MySQL servers**<br/>Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Private endpoint should be enabled for PostgreSQL servers**<br/>Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Public network access on Azure SQL Database should be disabled**<br/>Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | SQL | **Public network access should be disabled for MariaDB servers**<br/>Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **Public network access should be disabled for MySQL servers**<br/>Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **Public network access should be disabled for PostgreSQL servers**<br/>Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | | |
| | SQL | **SQL managed instances should use customer-managed keys to encrypt data at rest**<br/>Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | SQL | **SQL servers should use customer-managed keys to encrypt data at rest**<br/>Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | SQL | **SQL servers with auditing to storage account destination should be configured with 90 days retention or higher**<br/>For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-6 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Transparent Data Encryption on SQL databases should be enabled**<br/>Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Vulnerability assessment should be enabled on SQL Managed Instance**<br/>Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | SQL | **Vulnerability assessment should be enabled on your SQL servers**<br/>Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-5 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Storage | **[Preview]: Storage account public access should be disallowed**<br/>Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **audit**<br/>*disabled*<br/>*deny* | | |
| | Storage | **Secure transfer to storage accounts should be enabled**<br/>Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-3 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Storage | **Storage accounts should be migrated to new Azure Resource Manager resources**<br/>Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_AM-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Storage | **Storage accounts should restrict network access**<br/>Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Disabled**<br/>*Audit*<br/>*Deny* | | |
| | Storage | **Storage accounts should restrict network access using virtual network rules**<br/>Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Storage | **Storage accounts should use customer-managed key for encryption**<br/>Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-5 | **Disabled**<br/>*Audit* | | |
| | Storage | **Storage accounts should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Stream Analytics | **Resource logs in Azure Stream Analytics should be enabled**<br/>Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_LT-3 | **AuditIfNotExists**<br/>*Disabled* | | |
| | Synapse | **Synapse Workspaces should use only Azure Active Directory identities for authentication**<br/>Azure Active Directory (AAD) only authentication methods improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_DP-4 | **Audit**<br/>*Disabled*<br/>*Deny* | | |
| | Update Management Center | **[Preview]: Machines should be configured to periodically check for missing system updates**<br/>To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_PV-6 | **Audit**<br/>*Disabled* | | |
| | VM Image Builder | **VM Image Builder templates should use private link**<br/>Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.<br/>*Compliance:*<br/> Azure_Security_Benchmark_v3.0_NS-2 | **Audit**<br/>*Disabled* | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment