Policy

Centralized logging policies

| Policy | Effect Type |
|---|---|
| SGS Centralized Logging Diagnostic logs Azure Kubernetes Service | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs App Services | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Azure API Management Service | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Application Gateway | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Automation Account | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Azure Firewall | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Azure Database for MySQL | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Azure Database for PostgreSQL | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Azure Database for PostgreSQL v2 | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Bastion | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Container Registry | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Cosmos DB | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Data Lake Analytics | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Data Lake Store | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Event Hub | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Key Vault | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Load Balancer | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Logic App | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Network Security Group | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Public IP | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Service Bus | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs SQL DB | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Synapse DB | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Traffic Manager | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs Virtual Network | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs AI Services | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs ML Services | DeployIfNotExists |
| SGS Centralized Logging Diagnostic logs SQL Managed Instance | DeployIfNotExists |

HCC policies

SGS HCC Attack Surface Policy Audit

| Policy | Effect Type |
|---|---|
| SGS HCC Policy Storage Account Access Should be Private | Audit |
| SGS HCC Policy Databases should have network restrictions in place | Audit |

SGS HCC Encryption Policy Audit

| Policy | Effect Type |
|---|---|
| SGS HCC Policy Object storage should be encrypted in transit | Audit |
| SGS HCC Policy App Services should only allow HTTPS traffic | Audit |
| SGS HCC Policy App Gateways should use minimum TLSv1.2 | Audit |
| SGS HCC Policy Databases should be encrypted at rest | AuditIfNotExists |

SGS HCC Virtual Machines

| Policy | Effect Type |
|---|---|
| SGS HCC Policy Virtual Machines should use a gateway of some kind rather than being open to public ip | Audit |
| SGS HCC VMs should use a gateway rather than open to public ip | Audit |

SGS HCC Network Policy Audit

| Policy | Effect Type |
|---|---|
| SGS HCC Policy Network Security Group Should Not Allow Port 22 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 21 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 5432 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 4333 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 3389 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 3306 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 1434 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 1433 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 445 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 139 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 138 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 137 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 135 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 53 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 25 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 23 | Deny |
| SGS HCC Policy Network Security Group Should Not Allow Port 20 | Deny |

SGS HCC Logging Policy Audit

| Policy | Effect Type |
|---|---|
| SGS HCC Policy NSG flow logs should be enabled | Audit |
| SGS HCC Policy SQL audit logging should be enabled | AuditIfNotExists |

SGS HCC VPN Policy Audit

| Policy | Effect Type |
|---|---|
| SGS HCC Policy VPN should use custom cryptography | Audit |

Launchpad policies

SGS Optum Policy Umbrella

| Policy | Effect Type |
|---|---|
| SGS LP Policy Audit VMs that do not use managed disks | Audit |
| SGS LP Policy Adaptive application controls for defining safe applications should be enabled on your machines | AuditIfNotExists |
| [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Disabled |
| SGS LP Policy Require encryption on Data Lake Store accounts | Deny |
| SGS LP Policy Audit Storage Accounts without a Firewall | Audit |
| SGS LP Policy Audit unallowed resources | Audit |
| SGS LP Policy Audit security rules that allow port ranges inbound | Audit |
| SGS LP Policy Audit all non-gateway subnets require an attached NSG | Audit |
| SGS LP Policy Allowed Resource Types All types currently allowed | |
| SGS LP Policy Qualys Vulnerability Assessment Solution on VM | |
| SGS LP Policy RBAC Direct User Access | Audit |
| SGS LP Policy US Region Group Allowed Regions | Restricted to US Regions |
| SGS LP Ensures file encryption for storage accounts | |
| SGS HCC Policy Deploy Azure Defender on Storage Accounts | DeployIfNotExists |
| SGS HCC Policy Prevent Azure Defender on Storage Accounts from being disabled | Deny |

AI Policies

SGS Artificial Intelligence Initiative Policies

| Policy | Effect Type |
|---|---|
| Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Audit |
| Azure AI Services resources should have key access disabled (disable local authentication) | Audit |
| Azure AI Services resources should restrict network access | Deny |
| Azure AI Services resources should use Azure Private Link | Audit |
| Cognitive Services accounts should use a managed identity | Audit |
| Cognitive Services accounts should use customer owned storage | Audit |

ML Policies

SGS Machine Learning Initiative Policies

| Policy | Effect Type |
|---|---|
| Azure Machine Learning and AI Studio should use Allow Only Approved Outbound Managed Vnet mode | Deny |
| Azure Machine Learning Compute Instance should have idle shutdown | Audit |
| Azure Machine Learning compute instances should be recreated to get the latest software updates | Audit |
| Azure Machine Learning Computes should be in a virtual network | Audit |
| Azure Machine Learning Computes should have local authentication methods disabled | Deny |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Audit |
| Azure Machine Learning Workspaces should disable public network access | Deny |
| Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility | Audit |
| Azure Machine Learning workspaces should use private link | Audit |
| Azure Machine Learning workspaces should use user-assigned managed identity | Audit |