AzInitiativeAdvertizer

last sync: 2024-Nov-25 18:54:43 UTC

[Preview]: SWIFT CSP-CSCF v2021

Azure BuiltIn Policy Initiative (PolicySet)

Source

Azure Portal

Display name

[Preview]: SWIFT CSP-CSCF v2021

abf84fac-f817-a70c-14b5-47eec767458a

Version

4.11.0-preview
Details on versioning

Versioning

Versions supported for Versioning: 8
4.4.0-preview
4.5.0-preview
4.6.0-preview
4.7.0-preview
4.8.0-preview
4.9.0-preview
4.10.0-preview
4.11.0-preview
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init.

Type

BuiltIn

Deprecated

False

Preview

True

Policy count

Total Policies: 127
Builtin Policies: 127
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall	fc5e4038-4584-4632-8c85-c0448d374b2c	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Container Registry should use a virtual network service endpoint	c4857be7-912a-4c75-87e6-e30292bcdf78	Network	Default Audit Allowed Audit, Disabled	0		Preview
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images	32133ab0-ee4b-4b44-98d6-042180979d50	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines	04c4380f-3fae-46e8-96c9-30193528f602	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines	2f2ee1de-44aa-4762-b6bd-0893fc3f306d	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with owner permissions on Azure resources should be MFA enabled	e3e008c3-56b9-4133-8fd7-d3347377402a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with read permissions on Azure resources should be MFA enabled	81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with write permissions on Azure resources should be MFA enabled	931e118d-50a1-4457-a5e4-78550e086c52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Activity log should be retained for at least one year	b02aacc0-b073-424e-8298-42b22829ee0a	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
All network ports should be restricted on network security groups associated to your virtual machine	9daedab3-fb2d-461e-b861-71790eead4f6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have Client Certificates (Incoming client certificates) enabled	19dd1db6-f442-49cf-a838-b0786b4401ef	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have remote debugging turned off	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should not have CORS configured to allow every resource to access your apps	5744710e-cc2f-4ee8-8809-3b11e89f4bc9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
App Service apps should use a virtual network service endpoint	2d21331d-a4c2-4def-a9ad-ee4e1e023beb	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should use managed identity	2b9ad585-36bc-4615-b300-fd4435808332	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should use the latest TLS version	f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that allow remote connections from accounts without passwords	ea53dbee-c6c9-4f0e-9f9e-de0039b78023	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that do not have the passwd file permissions set to 0644	e6955644-301c-44b5-a4c4-528577de6861	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that have accounts without passwords	f6ec09a3-78bf-4f8f-99dc-6c77182d0f99	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit virtual machines without disaster recovery configured	0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56	Compute	Fixed auditIfNotExists	0		GA
Audit VMs that do not use managed disks	06a78e20-9358-41c9-923c-fb736d382a4d	Compute	Fixed audit	0		GA
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	5b054a0d-39e2-4d53-bea3-9734cad2c69b	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that contain certificates expiring within the specified number of days	1417908b-4bff-46ee-a2a6-4acc899320ab	Guest Configuration	Fixed auditIfNotExists	0		GA
Audit Windows machines that do not have the maximum password age set to specified number of days	4ceb8dc2-559c-478b-a15b-733fbf1e3738	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the minimum password age set to specified number of days	237b38db-ca4d-4259-9e47-7882441ca2c0	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the password complexity setting enabled	bf16e0bb-31e1-4646-8202-60a235cc7e74	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not restrict the minimum password length to specified number of characters	a2d0e922-65d0-40c4-8f87-ea6da2d307a2	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not store passwords using reversible encryption	da0f98fe-a24b-4ad5-af69-bd0400233661	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows VMs with a pending reboot	4221adbc-5c0f-474f-88b7-037a99e6114c	Guest Configuration	Fixed auditIfNotExists	0		GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Authentication to Linux machines should require SSH keys	630c64f9-8b6b-4c64-b511-6544ceff6fd6	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Authorized IP ranges should be defined on Kubernetes Services	0e246bcf-5f6f-4f87-bc6f-775d4712c7ea	Security Center	Default Audit Allowed Audit, Disabled	0		GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Backup should be enabled for Virtual Machines	013e242c-8828-4970-87b3-ab247555486d	Backup	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure DDoS Protection should be enabled	a7aca53f-2ed4-4466-a25e-0b45ade68efd	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for App Service should be enabled	2913021d-f2fd-4f3d-b958-22354e2bdbcb	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Azure SQL Database servers should be enabled	7fe3b40f-802b-4cdd-8bd4-fd799c948cc2	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for Key Vault should be enabled	0e6763cc-5078-4e64-889d-ff4d9a839047	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for servers should be enabled	4da35fc9-c9e7-4960-aec9-797fe7d9051d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL servers on machines should be enabled	6581d072-105e-4418-827f-bd446d56421b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Key Vault should have firewall enabled	55615ac9-af46-4a59-874e-391cc3dfb490	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Key Vaults should use private link	a6abeaec-4d90-4a02-805f-6b26c4d3fbe9	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1a4e592a-6a6e-44a5-9814-e36264ca96e7	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Monitor should collect activity logs from all regions	41388f1c-2db0-4c25-95b2-35d7f5ccbfa9	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure SQL Database should be running TLS version 1.2 or newer	32e6bbec-16b6-44c2-be37-c5b672d103cf	SQL	Default Audit Allowed Audit, Disabled, Deny	0		GA
Blocked accounts with owner permissions on Azure resources should be removed	0cfea604-3201-4e14-88fc-fae4c427a6c5	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Blocked accounts with read and write permissions on Azure resources should be removed	8d7e1fde-fe26-4b5f-8108-f8e432cbc2be	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys	7d7be79c-23ba-4033-84dd-45e2a5ccdd67	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	0		GA
Container registries should be encrypted with a customer-managed key	5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580	Container Registry	Default Audit Allowed Audit, Deny, Disabled	0		GA
Container registries should use private link	e8eef0a8-67cf-4eb4-9386-14b0e78733d4	Container Registry	Default Audit Allowed Audit, Disabled	0		GA
Cosmos DB should use a virtual network service endpoint	e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9	Network	Default Audit Allowed Audit, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Disconnections should be logged for PostgreSQL database servers.	eb6f77b9-bd53-4e35-a23d-7f65d5f0e446	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Email notification for high severity alerts should be enabled	6e2593d9-add6-4083-9c9b-4b7d2188c899	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Email notification to subscription owner for high severity alerts should be enabled	0b15565f-aa9e-48ba-8619-45960f2c314d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Enforce SSL connection should be enabled for MySQL database servers	e802a67a-daf5-4436-9ea6-f6d821dd0c5d	SQL	Default Audit Allowed Audit, Disabled	0		GA
Enforce SSL connection should be enabled for PostgreSQL database servers	d158790f-bfb0-486c-8631-2dc6b4e8e6af	SQL	Default Audit Allowed Audit, Disabled	0		GA
Event Hub should use a virtual network service endpoint	d63edb4a-c612-454d-b47d-191a724fcbf0	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should have remote debugging turned off	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should not have CORS configured to allow every resource to access your apps	0820b7b9-23aa-4725-a1ce-ae4558f718e5	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Function apps should use managed identity	0da106f2-4ca3-48e8-bc85-c638fe6aea8f	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should use the latest TLS version	f9d614c5-c173-4d56-95a7-b4437057d193	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for MariaDB	0ec47710-77ff-4a3d-9181-6aa50af424d0	SQL	Default Audit Allowed Audit, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for MySQL	82339799-d096-41ae-8538-b108becf0970	SQL	Default Audit Allowed Audit, Disabled	0		GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	48af4db5-9b8b-401c-8e74-076be876a430	SQL	Default Audit Allowed Audit, Disabled	0		GA
Geo-redundant storage should be enabled for Storage Accounts	bf045164-79ba-4215-8f95-f8048dc1780b	Storage	Default Audit Allowed Audit, Disabled	0		GA
Guest accounts with owner permissions on Azure resources should be removed	339353f6-2387-4a45-abe4-7f529d121046	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Guest accounts with read permissions on Azure resources should be removed	e9ac8f8e-ce22-4355-8f04-99b911d6be52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Guest accounts with write permissions on Azure resources should be removed	94e1c2ac-cbbe-4cac-a2b5-389c812dee87	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Internet-facing virtual machines should be protected with network security groups	f6de0be7-9a8a-4b8a-b349-43cf02d22f7c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
IP Forwarding on your virtual machine should be disabled	bd352bd5-2853-4985-bf0d-73806b4a5744	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Key Vault should use a virtual network service endpoint	ea4d6841-2173-4317-9747-ff522a45120f	Network	Default Audit Allowed Audit, Disabled	0		GA
Key vaults should have deletion protection enabled	0b60c0b2-2dc2-4e1c-b5c9-abbed971de53	Key Vault	Default Audit Allowed Audit, Deny, Disabled	0		GA
Kubernetes clusters should be accessible only over HTTPS	1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d	Kubernetes	Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images	5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Long-term geo-redundant backup should be enabled for Azure SQL Databases	d38fc420-0735-4ef3-ac11-c806f651a570	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft Antimalware for Azure should be configured to automatically update protection signatures	c43e4a30-77cb-48ab-a4dd-93f175c63b57	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft Defender for Storage should be enabled	640d2586-54d2-465f-877f-9ffc1d2109f4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers	9b597639-28e4-48eb-b506-56b05d366257	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Network Watcher should be enabled	b6e2945c-0b7b-40f5-9233-7a5323b5cdc6	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	0		GA
Private endpoint connections on Azure SQL Database should be enabled	7698e800-9299-47a6-b3b6-5a0fee576eed	SQL	Default Audit Allowed Audit, Disabled	0		GA
Private endpoint should be enabled for MariaDB servers	0a1302fb-a631-4106-9753-f3d494733990	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Private endpoint should be enabled for MySQL servers	7595c971-233d-4bcf-bd18-596129188c49	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Private endpoint should be enabled for PostgreSQL servers	0564d078-92f5-4f97-8398-b9f58a51f70b	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Public network access on Azure SQL Database should be disabled	1b8ca024-1d5c-4dec-8995-b1a932b41780	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for MariaDB servers	fdccbe47-f3e3-4213-ad5d-ea459b2fa077	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for MySQL servers	d9844e8a-1437-4aeb-a32c-0c992f056095	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Public network access should be disabled for PostgreSQL servers	b52376f7-9612-48a1-81cd-1ffe4b61032c	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA
Resource logs in Azure Data Lake Store should be enabled	057ef27e-665e-4328-8ea3-04b3122bd9fb	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Azure Stream Analytics should be enabled	f9be5368-9bf5-4b84-9e0a-7850da98bb46	Stream Analytics	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Batch accounts should be enabled	428256e6-1fac-4f48-a757-df34c2b3336d	Batch	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Data Lake Analytics should be enabled	c95c74d9-38fe-4f0d-af86-0c7d626a315c	Data Lake	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Event Hub should be enabled	83a214f7-d01a-484b-91a9-ed54470c9a6a	Event Hub	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in IoT Hub should be enabled	383856f8-de7f-44a2-81fc-e5135b5c2aa4	Internet of Things	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Key Vault should be enabled	cf820ca0-f99e-4f3e-84fb-66e913812d21	Key Vault	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Logic Apps should be enabled	34f95f76-5386-4de7-b824-0d8478470c9d	Logic Apps	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Search services should be enabled	b4330a05-a843-4bc8-bf9a-cacce50c67f4	Search	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Resource logs in Service Bus should be enabled	f8d36e2f-389b-4ee4-898d-21aeb69a0f45	Service Bus	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	617c02be-7f02-4efd-8836-3180d47b6c68	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
SQL Managed Instance should have the minimal TLS version of 1.2	a8793640-60f7-487c-b5c3-1d37215905c4	SQL	Default Audit Allowed Audit, Disabled	0		GA
SQL Server should use a virtual network service endpoint	ae5d2f14-d830-42b6-9899-df6cfe9c71a3	Network	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher	89099bee-89e0-4b26-a5f4-165451757743	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage Accounts should use a virtual network service endpoint	60d21c4f-21a3-4d94-85f4-b924e6aeeda4	Network	Default Audit Allowed Audit, Disabled	0		GA
Subnets should be associated with a Network Security Group	e71308d3-144b-4262-b144-efdc3cc90517	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Subscriptions should have a contact email address for security issues	4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
The Log Analytics extension should be installed on Virtual Machine Scale Sets	efbde977-ba53-4479-b8e9-10b957924fbf	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should have the Log Analytics extension installed	a70ca396-0a34-413a-88e1-b956c1e683be	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
VM Image Builder templates should use private link	2154edb9-244f-4741-9970-660785bccdaa	VM Image Builder	Default Audit Allowed Audit, Disabled, Deny	0		GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on SQL Managed Instance	1b7aa243-30e4-4c9e-bca8-d0d3022b634a	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on your SQL servers	ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows machines should be configured to use secure communication protocols	5752e6d6-1206-46d8-8ab1-ecc2f71a8112	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

History

Date/Time (UTC ymd) (i)	Changes
2024-10-15 17:53:51	Version change: '4.9.0-preview' to '4.11.0-preview' remove Policy [Deprecated]: System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60) remove Policy Azure Monitor solution 'Security and Audit' must be deployed (3e596b57-105f-48a6-be97-03e9243bad6e) remove Policy [Deprecated]: System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe)
2024-09-05 17:48:45	Version change: '4.8.0-preview' to '4.9.0-preview' remove Policy [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc) remove Policy [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6) remove Policy [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17) remove Policy [Deprecated]: Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933) remove Policy [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
2024-08-29 17:47:54	Version change: '4.7.0-preview' to '4.8.0-preview' remove Policy [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de) remove Policy [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
2024-06-06 18:16:34	Version change: '4.6.0-preview' to '4.7.0-preview' remove Policy [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
2023-12-12 19:47:53	add Policy App Service apps should have Client Certificates (Incoming client certificates) enabled (19dd1db6-f442-49cf-a838-b0786b4401ef) Version change: '4.5.0-preview' to '4.6.0-preview' remove Policy [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609)
2023-12-07 18:54:02	add Policy Microsoft Defender for Storage should be enabled (640d2586-54d2-465f-877f-9ffc1d2109f4) Version change: '4.4.0-preview' to '4.5.0-preview' remove Policy [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
2023-05-04 17:45:12	add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52) add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) Version change: '4.3.0-preview' to '4.4.0-preview' remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3) remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64) remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474) remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4) remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9) remove Policy [Deprecated]: External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60) remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed) remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
2023-02-21 18:41:21	add Policy Azure Key Vaults should use private link (a6abeaec-4d90-4a02-805f-6b26c4d3fbe9) Version change: '4.1.0-preview' to '4.3.0-preview' remove Policy [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1) remove Policy [Deprecated]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147)
2023-01-19 18:07:18	Version change: '4.0.0-preview' to '4.1.0-preview' remove Policy [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports (057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9)
2022-07-07 16:32:14	Version change: '3.0.0-preview' to '4.0.0-preview' remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e) remove Policy [Deprecated]: CORS should not allow every resource to access your API App (358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) remove Policy [Deprecated]: Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef)
2022-06-10 16:31:22	Version change: '2.0.1-preview' to '3.0.0-preview' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-06-02 16:30:53	Version change: '2.0.0-preview' to '2.0.1-preview'
2022-05-31 16:32:27	Description change: 'This initiative includes policies that address a subset of SWIFT Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init.' to 'This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init.' Name change: '[Preview]: SWIFT CSCF v2021' to '[Preview]: SWIFT CSP-CSCF v2021'
2022-05-05 21:31:21	Version change: '1.0.0-preview' to '2.0.0-preview' remove Policy [Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
2022-04-14 16:55:59	add Initiative abf84fac-f817-a70c-14b5-47eec767458a

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC