Governance Policies / Azure AI / Azure AI Search - Azure/az-prototype GitHub Wiki
Governance policies for Azure AI Search
Domain: azure-ai

| Name | Description |
|---|---|
| Azure AI Search with private endpoint and RBAC | Secure search service with no public access, managed identity, and private connectivity |

| Description | Instead |
|---|---|
| Do not use API key authentication for Azure AI Search | Set disableLocalAuth=true and use RBAC with Search Index Data Reader/Contributor roles |
| Do not leave publicNetworkAccess enabled | Set publicNetworkAccess to disabled and use private endpoints |

| Check | Severity | Description |
|---|---|---|
| AZ-AIS-001 | Required | Deploy Azure AI Search with managed identity, disabled API key auth, and no public access |
| AZ-AIS-002 | Recommended | Configure semantic ranking and vector search with appropriate dimensions |
| AZ-AIS-003 | Recommended | Enable customer-managed key encryption for indexes containing sensitive data |

Deploy Azure AI Search with managed identity, disabled API key auth, and no public access
Severity: Required
Rationale: API keys cannot be scoped or audited; managed identity with RBAC provides fine-grained access control
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Search/searchServices

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-search | Private endpoint for Azure AI Search to eliminate public network exposure |
| Microsoft.Network/privateDnsZones | privatelink.search.windows.net | Private DNS zone for Azure AI Search private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-search | Diagnostic settings to route operational and query logs to Log Analytics |
| Microsoft.Authorization/roleAssignments | Search Index Data Reader / Contributor | RBAC role assignment granting the consuming identity the appropriate Search data-plane role |
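
An added example (not from the az-prototype wiki or its agents) that evaluates AZ-AIS-001 clause by clause against a `Microsoft.Search/searchServices` resource in ARM JSON shape, such as the output of `az search service show -o json`. The sample resources are constructed, and the `privateEndpointConnections` status path is assumed to follow the ARM resource schema for the API version in use.

```python
from typing import Any

# Constructed sample: a searchServices resource that satisfies every clause of AZ-AIS-001.
COMPLIANT = {
    "name": "srch-example",
    "identity": {"type": "SystemAssigned"},
    "properties": {
        "disableLocalAuth": True,
        "publicNetworkAccess": "disabled",
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
        ],
    },
}

# Constructed sample: a default-style deployment that fails every clause.
NONCOMPLIANT = {
    "name": "srch-default",
    "identity": {"type": "None"},
    "properties": {"disableLocalAuth": False, "publicNetworkAccess": "enabled"},
}


def check_az_ais_001(resource: dict[str, Any]) -> list[str]:
    """Return findings for AZ-AIS-001; an empty list means the resource passes."""
    props = resource.get("properties") or {}
    identity = resource.get("identity") or {}
    findings: list[str] = []

    # A managed identity (system- or user-assigned) must be present; "None" means no identity.
    if identity.get("type", "None") == "None":
        findings.append("identity.type is None: assign a managed identity")

    # Local (API key) auth must be off so every caller is an Entra ID principal with an RBAC role.
    if props.get("disableLocalAuth") is not True:
        findings.append("properties.disableLocalAuth is not true: API keys are still accepted")

    # Public network access must be disabled; reachability then depends on private endpoints.
    if str(props.get("publicNetworkAccess", "enabled")).lower() != "disabled":
        findings.append("properties.publicNetworkAccess is not disabled")

    # At least one approved private endpoint connection (pe-search) must exist.
    approved = [
        c for c in props.get("privateEndpointConnections", [])
        if (c.get("properties") or {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection found")
    return findings
```

Running it over the real resource JSON yields one finding per failed clause, which maps directly onto the rows of the resource table above.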

Configure semantic ranking and vector search with appropriate dimensions
Severity: Recommended
Rationale: The semantic ranker improves relevance; vector field dimensions must match the output dimension of the embedding model
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Search/searchServices

Enable customer-managed key encryption for indexes containing sensitive data
Severity: Recommended
Rationale: CMK encryption provides an additional layer of control over data-at-rest encryption
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Search/searchServices