Cognitive Services - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Cognitive Services | **[Deprecated]: Cognitive Services accounts should disable public network access** To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Deny Disabled Audit | | | | | | | | |
Cognitive Services | **[Deprecated]: Cognitive Services should use private link** Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit Disabled | | | | | | | | |
Cognitive Services | **Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)** Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. | Deny Disabled Audit | Deny Disabled Audit | Disabled Deny Audit | | | | | | |
Cognitive Services | **Cognitive Services accounts should use a managed identity** Assigning a managed identity to your Cognitive Services account helps ensure secure authentication. This identity is used by the Cognitive Services account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Cognitive Services | **Cognitive Services accounts should use customer owned storage** Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Cognitive Services | **Configure Cognitive Services accounts to disable local authentication methods** Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Modify Disabled | Modify Disabled | | | | | | | |
Cognitive Services | **Configure Cognitive Services accounts to disable public network access** Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Modify Disabled | Modify Disabled | | | | | | | |
Cognitive Services | **Configure Cognitive Services accounts to use private DNS zones** Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | DeployIfNotExists Disabled | | | | | | | | |
Cognitive Services | **Network ACLs should be restricted for Cognitive Services** Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Cognitive Services | **Outbound network access should be restricted for Cognitive Services** Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Cognitive Services | **Configure Cognitive Services accounts to use private DNS zones** Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | azureCognitiveServicesPrivateDnsZoneId = --DNSZonePrefix--privatelink.cognitives... | | | | | | | | |