Governance Policies Azure AI Cognitive Services - Azure/az-prototype GitHub Wiki
Governance policies for Cognitive Services
Domain: azure-ai
| Name | Description |
|---|---|
| Cognitive Services with private endpoint and RBAC | Secure Cognitive Services deployment with no public access, managed identity, and diagnostics |
| Anti-pattern | Instead |
|---|---|
| Do not use API key authentication for Cognitive Services | Set disableLocalAuth=true and use managed identity with Cognitive Services User role |
| Do not deploy without a customSubDomainName | Always set customSubDomainName — it is required for Entra auth and private endpoints |
| Check | Severity | Description |
|---|---|---|
| AZ-CS-001 | Required | Deploy Cognitive Services with managed identity, disabled local auth, and no public access |
| AZ-CS-002 | Required | Set customSubDomainName on all Cognitive Services accounts |
| AZ-CS-003 | Recommended | Enable customer-managed key encryption for accounts processing sensitive data |
Deploy Cognitive Services with managed identity, disabled local auth, and no public access
Severity: Required
Rationale: API keys are shared secrets that cannot be scoped; managed identity provides auditable, per-service access
Agents: terraform-agent, bicep-agent, cloud-architect
Applies to:
- Microsoft.CognitiveServices/accounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-cognitive | Private endpoint for Cognitive Services to eliminate public network exposure |
| Microsoft.Network/privateDnsZones | privatelink.cognitiveservices.azure.com | Private DNS zone for Cognitive Services private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-cognitive | Diagnostic settings to route audit and request logs to Log Analytics |
| Microsoft.Authorization/roleAssignments | Cognitive Services User | RBAC role assignment granting the consuming identity the Cognitive Services User role on the account |
Set customSubDomainName on all Cognitive Services accounts
Severity: Required
Rationale: Custom subdomain is required for Microsoft Entra authentication and private endpoints
Agents: terraform-agent, bicep-agent, cloud-architect
Applies to:
- Microsoft.CognitiveServices/accounts
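As an added example (not code from the az-prototype wiki or its agents), a Bicep module that satisfies AZ-CS-001 and AZ-CS-002 together and deploys the four companion resources listed for AZ-CS-001. Parameter names, API versions and the SKU are assumptions, the subnet and Log Analytics workspace are assumed to exist already, and the virtual network link that lets VNet clients resolve the private DNS zone is left to the network module.

```bicep
param accountName string
param location string = resourceGroup().location
param subnetId string             // assumed existing subnet that will host the private endpoint
param logAnalyticsId string       // assumed existing Log Analytics workspace for diagnostics
param consumerPrincipalId string  // object ID of the consuming workload's managed identity
var cognitiveServicesUserRoleId = 'a97b65f3-24c7-4388-baec-2e87135dc908' // built-in "Cognitive Services User" role

resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: accountName
  location: location
  kind: 'CognitiveServices'
  sku: { name: 'S0' }
  identity: { type: 'SystemAssigned' }   // AZ-CS-001: managed identity, auditable per service
  properties: {
    customSubDomainName: accountName     // AZ-CS-002: required for Entra auth and private endpoints
    disableLocalAuth: true               // AZ-CS-001: API-key (shared secret) auth is rejected
    publicNetworkAccess: 'Disabled'      // AZ-CS-001: reachable only through the private endpoint
  }
}

resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.cognitiveservices.azure.com', location: 'global' }
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-cognitive'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ { name: 'pe-cognitive', properties: { privateLinkServiceId: account.id, groupIds: [ 'account' ] } } ]
  }
}
// Publishes the endpoint's private IP into the zone so the custom subdomain resolves privately
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'cognitive', properties: { privateDnsZoneId: dnsZone.id } } ] }
}

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-cognitive'
  scope: account
  properties: { workspaceId: logAnalyticsId, logs: [ { categoryGroup: 'allLogs', enabled: true } ] }
}
// RBAC in place of keys, scoped to this one account; guid() keeps the name stable across redeploys
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(account.id, consumerPrincipalId, cognitiveServicesUserRoleId)
  scope: account
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cognitiveServicesUserRoleId)
    principalId: consumerPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

Note that the built-in Cognitive Services User role still includes the listKeys action; it is disableLocalAuth that makes any listed key useless on the data plane, so the two settings belong together.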
Enable customer-managed key encryption for accounts processing sensitive data
Severity: Recommended
Rationale: CMK provides additional control over data-at-rest encryption beyond platform-managed keys
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
Applies to:
- Microsoft.CognitiveServices/accounts