Policy Changes as per Release

Release 2502

Policies with Changed Descriptions

The following policies have changed descriptions:

  • Azure Audit Snapshots Public Access Prohibited
  • Azure Audit Security Monitoring Agent Installed On Linux VMSS
  • Azure Audit Load Balancer Deletion Protection Enabled
  • Azure Audit CDN Enabled
  • Azure Audit Activitylog Delete NSG Event
  • Azure Audit MySQLServers Public Access Check
  • Azure Audit FunctionApp using Latest Java
  • Azure Audit Activitylog CreateorUpdate NSG Event
  • Azure Audit HTTPS Port Unrestricted
  • Azure Audit Managed Disks Should Use A Specific Set Of Disk Encryption Sets For The CME
  • Azure Audit Storage Blob Service Diagnostic Settings Enabled
  • Azure Audit KeyVault Enabled For All Subscriptions
  • Azure Audit FunctionApp using Latest DotNetFramework
  • Azure Audit Disk Snapshot
  • Azure Audit IAM Availability
  • Azure Audit Virtual Machine osType
  • Azure Audit Enable Locking Storage Account
  • Azure Audit SignalR Service Should Use Private Link
  • Azure Audit WebApp using Latest Java
  • Azure Audit Age of Snapshot
  • Azure Audit Auto Registration Enabled In DNS Zone
  • Azure Audit Deprecated Account
  • Azure Audit WebApp using Latest Python
  • Azure Audit Managed Disks Should Be Double Encrypted With Both Platform Managed And Customer Managed Keys
  • Azure Audit Hybrid Enabled
  • Azure Audit RDP Port Unrestricted
  • Azure Audit Workspace in Operation
  • Azure Audit WebApp FTPS Enforcement
  • Azure Audit Network Security Group Attached To Network Interface
  • Azure Audit Budget Enabled At Subscription
  • Azure Audit Disk not having Snapshot
  • Azure Audit Image By BlobUri
  • Azure Audit MSSQL Port Unrestricted
  • Azure Audit Activitylog Delete NSGrule Event
  • Azure Audit Virtual Machine Using IAM Role
  • Azure Audit Allowlist Rules In Your Adaptive Application Control Policy Should Be Updated
  • Azure Audit FunctionApp using Latest Python
  • Azure Audit Application Gateway Health Probe Required
  • Azure Audit Unused Ssh Key
  • Azure Audit Defender Set On Container Registries
  • Azure Audit Patch mode of Linux Virtual Machine
  • Azure Audit Resource Logs In Azure Key Vault Managed HSM Should Be Enabled
  • Azure Audit PublicIP Address Attached To Network Interface
  • Azure Audit Virtual Machine Without Spot Feature
  • Azure Audit Defender Set On For Kubernetes Cluster
  • Azure Audit Ensure That UDP Services Are Restricted From The Internet
  • Azure Audit Activitylog CreateorUpdate NSGrule Event
  • Azure Audit Virtual Machine Tenancy
  • Azure Audit Virtual Machine CPU Credit Consumed
  • Azure Audit Unattached Storage Disk Encrypted With CMK
  • Azure Audit WebApp using Latest TLS
  • Azure Audit Adaptive Application Controls Defining Safe Applications Should Be Enabled On Your VirtualMachines
  • Azure Audit Key Vault Managed HSM Should Disable Public Network Access
  • Azure Audit Storage Account Replication Enabled
  • Azure Audit Image Encryption
  • Azure Audit Key Vault Not Scheduled For Deletion
  • Azure Audit Virtual Machine Applications Required
  • Azure Audit IAM Role Storage Account
  • Azure Audit Storage Policy Grantee Check
  • Azure Audit Optimised Virtual Machine
  • Azure Audit Versioning enabled in Storage Account
  • Azure Audit RPC Port Unrestricted
  • Azure Audit Network Data Collection Linux
  • Azure Audit MySQL Port Unrestricted
  • Azure Audit Oracle Database port unrestricted
  • Azure Audit Log Monitoring Enabled in Virtual Machine
  • Azure Audit AutoScaling Enabled Integrated With Azure Monitor In VirtualMachine Scaleset
  • Azure Audit Virtual Machine Association Compliance Status Check
  • Azure Audit HTTP Port Unrestricted
  • Azure Audit Automation Settings Check
  • Azure Audit Port 9200 ElasticSearch Unrestricted
  • Azure Audit Ensure That StorageAccount AccessKeys Are Periodically Regenerated
  • Azure Audit Site Recovery Enabled On Virtual Machine
  • Azure Audit WebApp using Latest DotNetFramework
  • Azure Audit Ensure That VHDs Are Encrypted
  • Azure Audit Automation Public Network Access Allowed
  • Azure Audit Key Vault Should Disable Public Network Access
  • Azure Audit Storage Table Service Diagnostic Settings Enabled
  • Azure Audit Diagonisticlogs ServiceFabric VMSS
  • Azure Audit Untagged Automation
  • Azure Audit Virtual Machine CPU Credit Remaining 0
  • Azure Audit MongoDB port Unrestricted
  • Azure Audit Availability Zones Enabled In Virtual Machine
  • Azure Audit WebApp using Latest PHP
  • Azure Audit Patch mode of Windows Virtual Machine
  • Azure Audit Automation Connected To Virtual Network
  • Azure Network SecurityGroup Inbound Port Violation
  • Azure Monitor Unencrypted SQLdb
  • Azure Monitor Missing Endpoint Protection On VM
  • Azure Audit Windows VirtualMachine does not have EndpointProtectionInstalled

Deprecated Policies

The following policies have been disabled because each was found to duplicate an existing policy:

  • Azure Audit Storage Accounts Should Use A Virtual Network Service Endpoint CS Policy
  • Azure Advisor Consider AzureDataexplorer reserved capacity CS Policy
  • Azure Advisor Inherit Tag From The ResourceGroup Using AzurePolicy. CS Policy
  • Azure Audit Interfaces PublicIP CS Policy
  • Azure Audit Web Application Firewall WAF should be enabled for Application Gateway
  • Azure Audit SCP Log Analytics Custom Workspace
  • Azure Audit APIService using Virtual Network ServiceEndPt
  • Azure Audit Log Analytics Agent Deployed VM Image OS Unlisted
  • Azure Audit Webports Restricted NSG
  • AWS Audit API CloudWatch Logs
  • AWS Audit EBS Snapshots Not Accessible All
  • AWS Audit EC2 Security Group Rules Count Within limits
  • AWS Audit ElasticSearch Domain Encryption Enabled
  • Azure Audit Virtual Machine SKUs
  • Azure Monitor Unencrypted SQLdb
  • Azure Audit SQL managed instances without Advanced Data Security
  • Azure Audit Enable GeoRedundant Backup MariaDB
  • Azure Audit Restrict NetworkPorts on NetworkSecurityGroups VM

Release 2404

The table below lists every display name change that has been applied to platform policies.

This list is current as of the latest release version.

Former Policy Display Name | Current Display Name
AWS Amazon DocumentDB Audit DBInstance Encrypted CS Policy | AWS Audit DocumentDB Instance Encryption Enabled
AWS Amazon DocumentDB Audit DB Cluster Encrypted CS Policy | AWS Audit DocumentDB DB Cluster Storage Encryption Enabled
AWS Athena Audit WorkGroup Encrypted CS Policy | AWS Audit Athena WorkGroup Query Results Encryption Enabled
AWS DMS Audit ReplicationInstances Encrypted CS Policy | AWS Audit DMS Replication Instances Encryption Enabled
AWS Lambda Audit Functions Encrypted CS Policy | AWS Audit Lambda Functions Environment Variables Encryption Enabled
AWS Storage Gateway Audit CachedISCSIVolume Encrypted CS Policy | AWS Audit Storage Gateway Cached ISCSI Volume Encryption Enabled
AWS ALB Http to Https Redirection Check | AWS Audit ELBv2 ALB HTTP to HTTPS Redirection
AWS Audit ACM Cert Renew 30days before Expiration | AWS Audit ACM Certificate Not Expiring Before 30 Days
AWS Audit ACM Cert Renew 45days before Expiration | AWS Audit ACM Certificate Not Expiring Before 45 Days
AWS Audit ACM Certificates with Wildcard Domain Names | AWS Audit ACM Certificate With Wildcard Domain Names Not Used
AWS Audit API Detailed CloudWatch Metrics | AWS Audit API Gateway CloudWatch Metrics Enabled
AWS Audit API Gateway Without WAF | AWS Audit API Gateway Integrated With WAF
AWS Audit API Gateway Cache Encryption | AWS Audit API Gateway Cache Encryption Enabled
AWS Audit API Gateway Integrated With AWS WAF | AWS Audit API Gateway Integrated With WAF
AWS Audit AWS CloudWatch Events In Use | AWS Audit CloudWatch Events Configured
AWS Audit AWS Organizations Changes Alarm | AWS Audit Organizations Changes Alarm Configured
AWS Audit Add SSL TLS Server Certificates to App-Tier ELBs | AWS Audit ELB App-Tier Uses SSL/TLS Certificates
AWS Audit Add SSL TLS Server Certificates to Web-Tier ELBs | AWS Audit ELB Web-Tier Uses SSL/TLS Certificates
AWS Audit App-Tier ELB Security Policy | AWS Audit ELB App-Tier Uses Security Policy
AWS Audit AppTier AutoScaling Group Associated ELB | AWS Audit Auto Scaling Group Of App-tier Associated With ELB
AWS Audit App Tier EBS Encrypted | AWS Audit EBS Volume App-Tier Encryption Enabled
AWS Audit App Tier ELB Listener Security | AWS Audit ELB App-Tier Listeners HTTPS/SSL Protocol Enabled
AWS Audit App Tier Publicly Shared AMI | AWS Audit AMI Of App-Tier Not Publicly Shared
AWS Audit Auto Scaling Group Cooldown Period | AWS Audit Auto Scaling Group Cooldown Period Utilized
AWS Audit Auto Scaling Group Referencing Missing ELB | AWS Audit Auto Scaling Group Referencing Active ELB
AWS Audit CMK Should Be Created For Lambda Env Varibles | AWS Audit Lambda Environment Variables Encrypted with CMK
AWS Audit Check for ASG with integrated ELB | AWS Audit Auto Scaling Group Associated With ELB
AWS Audit ELB Without WAF | AWS Audit ELBv2 ALB Integrated With WAF
AWS Audit ELB Security Policy | AWS Audit ELB Uses Security Policy
AWS Audit ELB With HTTPS Redirect | AWS Audit ELBv2 ALB HTTP to HTTPS Redirection
AWS Audit ELB With Valid Security Groups | AWS Audit ELB With Valid Security Group
AWS Audit ELBv2 ALB Listener Security | AWS Audit ELBv2 ALB Listeners HTTPS/SSL Protocol Enabled
AWS Audit ELBv2 ALB Security Group | AWS Audit ELBv2 ALB With Valid Security Group
AWS Audit ELBv2 ALB Security Policy | AWS Audit ELBv2 ALB Uses Security Policy
AWS Audit ELBv2 Access Log | AWS Audit ELBv2 Access Logging Enabled
AWS Audit ElasticSearch Encryption At Rest | AWS Audit ElasticSearch Domain Encryption Enabled
AWS Audit ElasticSearch NodeToNode Encryption | AWS Audit ElasticSearch NodeToNode Encryption Enabled
AWS Audit Internet Facing ELBs | AWS Audit ELB Non Internet Facing
AWS Audit KMS Customer Master Key for EFS Encryption | AWS Audit EFS Encrypted With KMS CMK
AWS Audit Queue Server Side Encryption | AWS Audit SQS Server Side Encryption Enabled
AWS Audit RDS Encrypted With KMS Customer Master Keys | AWS Audit RDS Instance Encrypted With KMS CMK
AWS Audit S3 Buckets Encrypted with Customer Provided CMKs | AWS Audit S3 Bucket Encrypted With KMS CMK
AWS Audit S3 Default Encryption KMS | AWS Audit S3 Bucket Encrypted With KMS
AWS Audit SNS Encrypted KMS | AWS Audit SNS Topic KMS Encryption Enabled
AWS Audit SNS Topic Encrypted | AWS Audit SNS Topic Encryption Enabled
AWS Audit SNS Topic Encrypted KMS CustomerMasterKeys | AWS Audit SNS Topic Encrypted With KMS CMK
AWS Audit SQS Dead Letter Queue | AWS Audit SQS Dead Letter Queue Enabled
AWS Audit SQS Encrypted With KMS Customer MasterKeys | AWS Audit SQS Encrypted With KMS CMK
AWS Audit SQS Queue Exposed | AWS Audit SQS Queue Public Access Disabled
AWS Audit SSL TLS Certificate Expiry 30 Days | AWS Audit IAM Server Certificate Not Expiring Before 30 Days
AWS Audit SSL TLS Certificate Expiry 45 Days | AWS Audit IAM Server Certificate Not Expiring Before 45 Days
AWS Audit SSL TLS Certificate Expiry 7 Days | AWS Audit IAM Server Certificate Not Expiring Before 7 Days
AWS Audit SSM Parameter Encryption | AWS Audit SSM Parameter Encryption Enabled
AWS Audit Sagemaker Endpoint Configuration KMS Key Configured | AWS Audit SageMaker Endpoint configured with KMS
AWS Audit SecurityHub Enabled | AWS Audit Security Hub Enabled
AWS Audit Security Group Rules Counts | AWS Audit EC2 Security Group Rules Count Within limits
AWS Audit Support Plan | AWS Audit Support Plan Enabled
AWS Audit Suspende Auto Scaling Groups | AWS Audit Auto Scaling Group Without Suspended Processes
AWS Audit Unrestricted MsSQL Access | AWS Audit Security Group Has No Unrestricted Access To MSSQL
AWS Audit Unrestricted MySQL Access | AWS Audit Security Group Has No Unrestricted Access To MYSQL
AWS Audit Web-Tier ELB Listener Security | AWS Audit ELB Web-Tier Listeners HTTPS/SSL Protocol Enabled
AWS Audit Web-Tier ELB Security Policy | AWS Audit ELB Web-Tier Uses Security Policy
AWS Audit Web Tier Auto Scaling Group associated ELB | AWS Audit Auto Scaling Group Associated With ELB
AWS Audit WorkSpaces Storage Encryption | AWS Audit WorkSpaces Storage Encryption Enabled
AWS Autoscaling Group ELB Healthcheck Required | AWS Audit Auto Scaling Group ELB Health Check Enabled
AWS EC2 Instance Detailed Monitoring Enabled | AWS Audit EC2 Instance Detailed Monitoring Enabled
AWS ELB ACM Certificate Required | AWS Audit ELB Uses ACM Certificate
AWS ELB Custom Security Policy SSL Check | AWS Audit ELB With No Custom Security Policy
AWS RDS Storage Encrypted | AWS Audit RDS Storage Encryption Enabled
AWS S3 BUCKET REPLICATION ENABLED | AWS Audit S3 Bucket Replication Enabled
AWS Audit ACM Cert Validate CS Policy | AWS Audit ACM Certificate Not Expired Or Pending Validation
AWS Aduit Check High Vulnerability Exists In A Virtual Machine CS Policy | AWS Audit EC2 Instance With No High Vulnerabilities
AWS Audit EBS Not Encrypted With CMK CS Policy | AWS Audit EBS Volume Encrypted With KMS CMK
AWS Audit ELB Listeners HTTPS SSL CS Policy | AWS Audit ELB Listener HTTPS/SSL Protocol Enabled
AWS Audit SNS Topics Exposed CS Policy | AWS Audit SNS Topics Exposed CS Policy
AWS Advisor_ELB Listener Security CS Policy | AWS Advisor Audit ELB Listener With Security Configurations
AWS Advisor ELB Security Groups CS Policy | AWS Advisor Audit ELB With Valid Security Group
AWS Audit ACM Cert Renew 45days before Expiration CS Policy | AWS Audit ACM Certificate Not Expiring Before 45 Days
AWS Audit ACM Cert Renew 7days before Expiration CS Policy | AWS Audit ACM Certificate Not Expiring Before 7 Days
AWS Audit ALB Http to Https Redirection Check CS Policy | AWS Audit ELBv2 ALB HTTP to HTTPS Redirection
AWS Audit API CloudWatch Logs CS Policy | AWS Audit API Gateway CloudWatch Logging Enabled
AWS Audit API Detailed CloudWatch Metrics CS Policy | AWS Audit API Gateway CloudWatch Metrics Enabled
AWS Audit Alert Configuration For IAM Policy Changes CS Policy | AWS Audit IAM Policy Alert Configuration Enabled
AWS Audit Alert Configuration For Unauthorized API Call CS Policy | AWS Audit Cloudwatch Alarm Configured For Unauthorized API Calls
AWS Audit App-Tier ELB Security Policy CS Policy | AWS Audit ELB App-Tier Uses Security Policy
AWS Audit App Tier ELB Listener Security CS Policy | AWS Audit ELB App-Tier Listener HTTPS/SSL Protocol Enabled
AWS AUDIT AUTOSCALING GROUP ELB HEALTHCHECK REQUIRED CS POLICY | AWS Audit Auto Scaling Group ELB Health Check Enabled
AWS Audit Check EMR Data Encryption AtRest CS Policy | AWS Audit EMR Cluster Data Encryption Enabled
AWS Audit Check EMR Data Encryption At Transit CS Policy | AWS Audit EMR Cluster Data Encryption In Transit Enabled
AWS Audit Check ElastiCache Encryption CS Policy | AWS Audit ElastiCache Redis Cluster Encryption Enabled
AWS Audit Check RDS Cluster Encryption CS Policy | AWS Audit RDS Cluster Encryption Enabled
AWS Audit Check RDS Snapshot Encryption CS Policy | AWS Audit RDS Snapshot Encryption Enabled
AWS Audit DynamoDB Table Encryption Enabled CS Policy | AWS Audit DynamoDB Table Encryption Enabled
AWS Audit EC2 EBS Encryption by Default CS Policy | AWS Audit EBS Volume Default Encryption Enabled
AWS Audit EFS Encryption CS Policy | AWS Audit EFS Encryption Enabled
AWS Audit ELB Insecure SSL Protocols CS Policy | AWS Audit ELB Uses Security Policy
AWS Audit ELB With Valid Security Groups CS Policy | AWS Audit ELB With Valid Security Group
AWS Audit ELBv2 ALB Listener Security CS Policy | AWS Audit ELBv2 ALB Listeners HTTPS/SSL Protocol Enabled
AWS Audit ELBv2 ALB Security Group CS Policy | AWS Audit ELBv2 ALB With Valid Security Group
AWS Audit ELBv2 Access Log CS Policy | AWS Audit ELBv2 Access Logging Enabled
AWS Audit ElasticSearch Encryption In Transit CS Policy | AWS Audit ElasticSearch NodeToNode Encryption At Transit Enabled
AWS Audit ElasticSearch NodeToNode Encryption CS Policy | AWS Audit ElasticSearch NodeToNode Encryption Enabled
AWS Audit Encrypted Volumes CS Policy | AWS Audit EBS Volume Encryption Enabled
AWS Audit Fsx For Lustre Rest Encrypted Using Kms Cmks CS Policy | AWS Audit FSx Lustre Encrypted With KMS CMK
AWS Audit Fsx For Ontap Rest Encrypted Using Kms Cmks CS Policy | AWS Audit FSx Ontap Encrypted With KMS CMK
AWS Audit Fsx For Openzfs Rest Encrypted Using Kms Cmks CS Policy | AWS Audit FSx OpenZFS Encrypted With KMS CMK
AWS Audit Fsx For Windows Fs Date At Rest Encrypted With Kms Cmks CS Policy | AWS Audit FSx Windows File System Encrypted With KMS CMK
AWS RDS Storage Encrypted CS Policy | AWS Audit RDS Storage Encryption Enabled
AWS Audit SNS Cross Account Access CS Policy | AWS Audit SNS With No Cross Account Access
AWS Audit SSM Parameter Encryption CS Policy | AWS Audit SSM Parameter Encryption Enabled
AWS Audit Sg Virtual Tapes Encrypted By Kms Cmks CS Policy | AWS Audit Storage Gateway Virtual Tapes Encrypted With KMS CMK
AWS Audit VPC Endpoints Encryption CS Policy | AWS Audit VPC Endpoints Encryption Enabled
AWS Audit Web-Tier ELB Security Policy CS Policy | AWS Audit ELB Web-Tier Uses Security Policy
AWS Audit Web-Tier ELB Listener Security CS Policy | AWS Audit ELB Web-Tier Listener HTTPS/SSL Protocol Enabled