Storage.csv
"DisplayName";"Description";"Path"
"Configure diagnostic settings for Storage Accounts to Log Analytics workspace";"Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage account that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/AccountStorageLogsToWorkspace_DINE.json"
"Azure NetApp Files SMB Volumes should use SMB3 encryption";"Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/ANF_SMBVolumesShouldUseSMB3Encryption.json"
"Azure NetApp Files Volumes should not use NFSv3 protocol type";"Disallow the use of the NFSv3 protocol type to prevent insecure access to volumes. NFSv4.1 with the Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/ANF_VolumesShouldNotUseNFSv3.json"
"Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption";"Only allow the use of the Kerberos privacy (krb5p) security mode to ensure data is encrypted.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/ANF_VolumesShouldUseKerberosEncryption.json"
"Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy";"Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/ANF_VolumesShouldUseKerberosIntegrityPrivacy.json"
"Configure diagnostic settings for Blob Services to Log Analytics workspace";"Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any Blob Service that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/BlobServicesLogsToWorkspace_DINE.json"
"Configure diagnostic settings for File Services to Log Analytics workspace";"Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any File Service that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/FileServicesLogsToWorkspace_DINE.json"
"Configure diagnostic settings for Queue Services to Log Analytics workspace";"Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/QueueServicesLogsToWorkspace_DINE.json"
"Configure your Storage account public access to be disallowed";"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountDisablePublicBlobAccess_Modify.json"
"Storage account keys should not be expired";"Ensure that user storage account keys are not expired when a key expiration policy is set; this improves the security of account keys by taking action when the keys have expired.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json"
"Configure Storage account to use a private link connection";"Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_DeployIfNotExists.json"
"Storage accounts should have shared access signature (SAS) policies configured";"Ensure storage accounts have a shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in an Azure Storage account, and a SAS expiration policy recommends an upper expiration limit when a user creates a SAS token.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountSasPolicy_Restrict.json"
"Configure secure transfer of data on a storage account";"Secure transfer is an option that forces a storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAccountSecureTransfer_Modify.json"
"Deploy Advanced Threat Protection on storage accounts";"This policy enables Advanced Threat Protection on storage accounts.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageAdvancedThreatProtection_Deploy.json"
"HPC Cache accounts should use customer-managed key for encryption";"Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageCache_CMKEnabled.json"
"Configure a private DNS Zone ID for blob groupID";"Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_Blob.json"
"Configure a private DNS Zone ID for blob_secondary groupID";"Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_BlobSecondary.json"
"Configure a private DNS Zone ID for dfs groupID";"Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_DFS.json"
"Configure a private DNS Zone ID for dfs_secondary groupID";"Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_DFSSecondary.json"
"Configure a private DNS Zone ID for file groupID";"Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_File.json"
"Configure a private DNS Zone ID for queue groupID";"Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_Queue.json"
"Configure a private DNS Zone ID for queue_secondary groupID";"Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_QueueSecondary.json"
"Configure a private DNS Zone ID for table groupID";"Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_Table.json"
"Configure a private DNS Zone ID for table_secondary groupID";"Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_TableSecondary.json"
"Configure a private DNS Zone ID for web groupID";"Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_Web.json"
"Configure a private DNS Zone ID for web_secondary groupID";"Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_WebSecondary.json"
"Configure storage accounts to disable public network access";"To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StoragePublicNetworkAccess_Modify.json"
"Modify - Configure Azure File Sync to disable public network access";"The Azure File Sync internet-accessible public endpoint is disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s).";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageSync_IncomingTrafficPolicy_Modify.json"
"Configure Azure File Sync to use private DNS zones";"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageSync_PrivateDNSZone_DeployIfNotExists.json"
"Configure Azure File Sync with private endpoints";"A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/StorageSync_PrivateEndpoint_DeployIfNotExists.json"
"Configure diagnostic settings for Table Services to Log Analytics workspace";"Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/TableServicesLogsToWorkspace_DINE.json"
"Storage Account - Access Key Setting DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Allow storage account key access' setting is not set to 'Disabled'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-access-key-setting/azurepolicy.json"
"Storage Account - Customer Managed Keys Blob and File Storage DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Encryption type' setting is not set to 'Customer-managed keys'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-cmk-blob-file-storage/azurepolicy.json"
"Storage Account - Customer Managed Keys Queue and Table Storage DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Enable support for customer-managed keys' setting is set to 'Blobs and files only'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-cmk-queue-table-storage/azurepolicy.json"
"deny-storage-account-firewall-ip-rules-may-only-contain-ips-from-a-list-of-approved-ips";"deny-storage-account-firewall-ip-rules-may-only-contain-ips-from-a-list-of-approved-ips";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-firewall-ip-rules-may-only-contain-ips-from-a-list-of-approved-ips/azurepolicy.json"
"Storage Account - Firewall Settings DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Allow access from' setting is not set to 'Selected networks' or when the firewall contains any IP addresses outside of the approved ones.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-firewall-settings/azurepolicy.json"
"Storage Account - Read Access Logs and Metrics DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Allow read access to storage logging from any network' and 'Allow read access to storage metrics from any network' settings are 'Enabled'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-read-logs-metrics/azurepolicy.json"
"Storage Account - TLS Setting DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Minimum TLS version' setting is not set to 'Version 1.2'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-tls-setting/azurepolicy.json"
"Storage Account - Trusted Azure Services DENY";"This Azure Policy denies the deployment of an Azure Storage Account when the 'Allow Azure services on the trusted services list to access this storage account' setting is set to 'Enabled'.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deny-storage-account-trusted-azure-services/azurepolicy.json"
"Deploy 'Geo-redundant' replication on Storage Account";"This policy sets geo-redundancy on storage accounts.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-geo-redundant-replication/azurepolicy.json"
"Storage Account - Diagnostic Settings DINE";"This Azure Policy creates a deployment to send all logs and metrics to a specified Log Analytics Workspace.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-account-diagnostic-settings/azurepolicy.json"
"deploy-storage-account-lifecycle-management";"deploy-storage-account-lifecycle-management";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-account-lifecycle-management/azurepolicy.json"
"deploy-storage-atp-exempt-tagged-resources";"deploy-storage-atp-exempt-tagged-resources";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-atp-exempt-tagged-resources/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage, including blobs, files, tables, and queues to a Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues, to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage blobs to Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage blobs to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/blobservices/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage files to Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage files to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/fileservices/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage queues to Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage queues to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/queueservices/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage to Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/storageaccounts/azurepolicy.json"
"Deploy Diagnostic Settings for Azure Storage tables to Log Analytics workspace";"Deploys the diagnostic settings for Azure Storage tables to stream to a regional Log Analytics workspace when any Azure Storage resource that is missing these diagnostic settings is created or updated.";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/deploy-storage-monitoring-log-analytics/tableservices/azurepolicy.json"
"disable-storage-atp-based-on-tag";"disable-storage-atp-based-on-tag";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/disable-storage-atp-based-on-tag/azurepolicy.json"
"enable-blob-softdelete-30days";"enable-blob-softdelete-30days";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/enable-blob-softdelete-30days/azurepolicy.json"
"Enforce storage account public firewall blocking access";"Enforce storage account public firewall blocking access";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/Enforce storage account public firewall blocking access/azurepolicy.json"
"restrict-container-immutability-period";"restrict-container-immutability-period";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/restrict-container-immutability-period/azurepolicy.json"
"Storage account public access should be disallowed";"Storage account public access should be disallowed";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/Storage account public access should be disallowed/azurepolicy.json"
"Storage accounts should have minimal TLS version 1.2";"Storage accounts should have minimal TLS version 1.2";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/Storage accounts should have minimal TLS version 1.2/azurepolicy.json"
"storage-account-access-tier";"storage-account-access-tier";"https://github.com/Azure/Community-Policy/tree/master/Policies/Storage/storage-account-access-tier/azurepolicy.json"