Compute - oWretch/policy GitHub Wiki
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Compute |
Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. |
DeployIfNotExists Disabled |
||||||||
| Compute |
Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine |
deployIfNotExists | ||||||||
| Compute |
Deploy VM CPU Alert Policy to audit/deploy VM CPU Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Data Disk Read Latency Alert Policy to audit/deploy VM dataDiskReadLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Data Disk Space Alert Policy to audit/deploy VM data Disk Space Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Data Disk Write Latency Alert Policy to audit/deploy VM dataDiskWriteLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM HeartBeat Alert Policy to audit/deploy VM HeartBeat Alert for all VMs in the subscription |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Memory Alert Policy to audit/deploy VM Memory Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Network Read Alert Policy to audit/deploy VM Network Read Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM Network Write Alert Policy to audit/deploy VM Network Out Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM OS Disk Read Latency Alert Policy to audit/deploy VM OSDiskreadLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM OS Disk Space Alert Policy to audit/deploy VM OSDiskSpace Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Deploy VM OS Disk Write Latency Alert Policy to audit/deploy VM OSDiskwriteLatency Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
|||||||
| Compute |
Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Compute |
Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. |
Audit Disabled |
||||||||
| Compute |
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Compute |
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Compute |
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |
Audit Deny Disabled |
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Compute |
Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. |
azureDiskAccessPrivateDnsZoneId = --DNSZonePrefix--privatelink.blob.core....
|
||||||||
| Compute |
Deploy VM CPU Alert Policy to audit/deploy VM CPU Alert |
VMPercentCPUThreshold = 85VMPercentCPUOperator = GreaterThanVMPercentCPUAlertState = trueVMPercentCPUFailingPeriods = 1VMPercentCPUAutoResolveTime = 00:10:00VMPercentCPUTimeAggregation = CountVMPercentCPUWindowSize = PT15MVMPercentCPUAutoMitigate = trueVMPercentCPUAutoResolve = trueVMPercentCPUEvaluationFrequency = PT5MVMPercentCPUAlertSeverity = 2
|
VMPercentCPUThreshold = 85VMPercentCPUOperator = GreaterThanVMPercentCPUAlertState = trueVMPercentCPUFailingPeriods = 1VMPercentCPUAutoResolveTime = 00:10:00VMPercentCPUTimeAggregation = CountVMPercentCPUWindowSize = PT15MVMPercentCPUAutoMitigate = trueVMPercentCPUAutoResolve = trueVMPercentCPUEvaluationFrequency = PT5MVMPercentCPUAlertSeverity = 2
|
|||||||
| Compute |
Deploy VM Data Disk Read Latency Alert Policy to audit/deploy VM dataDiskReadLatency Alert |
VMDataDiskReadLatencyEvaluationPeriods = 1VMDataDiskReadLatencyEvaluationFrequency = PT5MVMDataDiskReadLatencyWindowSize = PT15MVMDataDiskReadLatencyThreshold = 30VMDataDiskReadLatencyAutoResolve = trueVMDataDiskReadLatencyAlertSeverity = 2VMDataDiskReadLatencyOperator = GreaterThanVMDataDiskReadLatencyTimeAggregation = CountVMDataDiskReadLatencyAutoResolveTime = 00:10:00VMDataDiskReadLatencyComputersToInclude = ["*"]VMDataDiskReadLatencyAlertState = trueVMDataDiskReadLatencyAutoMitigate = trueVMDataDiskReadLatencyFailingPeriods = 1
|
VMDataDiskReadLatencyEvaluationPeriods = 1VMDataDiskReadLatencyEvaluationFrequency = PT5MVMDataDiskReadLatencyWindowSize = PT15MVMDataDiskReadLatencyThreshold = 30VMDataDiskReadLatencyAutoResolve = trueVMDataDiskReadLatencyAlertSeverity = 2VMDataDiskReadLatencyOperator = GreaterThanVMDataDiskReadLatencyTimeAggregation = CountVMDataDiskReadLatencyAutoResolveTime = 00:10:00VMDataDiskReadLatencyComputersToInclude = ["*"]VMDataDiskReadLatencyAlertState = trueVMDataDiskReadLatencyAutoMitigate = trueVMDataDiskReadLatencyFailingPeriods = 1
|
|||||||
| Compute |
Deploy VM Data Disk Space Alert Policy to audit/deploy VM data Disk Space Alert |
VMDataDiskSpaceEvaluationPeriods = 1VMDataDiskSpaceFailingPeriods = 1VMDataDiskSpaceAlertSeverity = 2VMDataDiskSpaceAutoResolve = trueVMDataDiskSpaceOperator = GreaterThanVMDataDiskSpaceWindowSize = PT15MVMDataDiskSpaceAutoMitigate = trueVMDataDiskSpaceThreshold = 10VMDataDiskSpaceAlertState = trueVMDataDiskSpaceTimeAggregation = CountVMDataDiskSpaceComputersToInclude = ["*"]VMDataDiskSpaceEvaluationFrequency = PT5MVMDataDiskSpaceAutoResolveTime = 00:10:00
|
VMDataDiskSpaceEvaluationPeriods = 1VMDataDiskSpaceFailingPeriods = 1VMDataDiskSpaceAlertSeverity = 2VMDataDiskSpaceAutoResolve = trueVMDataDiskSpaceOperator = GreaterThanVMDataDiskSpaceWindowSize = PT15MVMDataDiskSpaceAutoMitigate = trueVMDataDiskSpaceThreshold = 10VMDataDiskSpaceAlertState = trueVMDataDiskSpaceTimeAggregation = CountVMDataDiskSpaceComputersToInclude = ["*"]VMDataDiskSpaceEvaluationFrequency = PT5MVMDataDiskSpaceAutoResolveTime = 00:10:00
|
|||||||
| Compute |
Deploy VM Data Disk Write Latency Alert Policy to audit/deploy VM dataDiskWriteLatency Alert |
VMDataDiskWriteLatencyAlertSeverity = 2VMDataDiskWriteLatencyWindowSize = PT15MVMDataDiskWriteLatencyEvaluationPeriods = 1VMDataDiskWriteLatencyThreshold = 30VMDataDiskWriteLatencyComputersToInclude = ["*"]VMDataDiskWriteLatencyAutoResolve = trueVMDataDiskWriteLatencyFailingPeriods = 1VMDataDiskWriteLatencyTimeAggregation = CountVMDataDiskWriteLatencyAutoResolveTime = 00:10:00VMDataDiskWriteLatencyAutoMitigate = trueVMDataDiskWriteLatencyOperator = GreaterThanVMDataDiskWriteLatencyEvaluationFrequency = PT5MVMDataDiskWriteLatencyAlertState = true
|
VMDataDiskWriteLatencyAlertSeverity = 2VMDataDiskWriteLatencyWindowSize = PT15MVMDataDiskWriteLatencyEvaluationPeriods = 1VMDataDiskWriteLatencyThreshold = 30VMDataDiskWriteLatencyComputersToInclude = ["*"]VMDataDiskWriteLatencyAutoResolve = trueVMDataDiskWriteLatencyFailingPeriods = 1VMDataDiskWriteLatencyTimeAggregation = CountVMDataDiskWriteLatencyAutoResolveTime = 00:10:00VMDataDiskWriteLatencyAutoMitigate = trueVMDataDiskWriteLatencyOperator = GreaterThanVMDataDiskWriteLatencyEvaluationFrequency = PT5MVMDataDiskWriteLatencyAlertState = true
|
|||||||
| Compute |
Deploy VM HeartBeat Alert Policy to audit/deploy VM HeartBeat Alert for all VMs in the subscription |
VMHeartBeatRGAlertSeverity = 1VMHeartBeatRGComputersToInclude = ["*"]ALZMonitorResourceGroupLocation = eastusVMHeartBeatRGTimeAggregation = CountVMHeartBeatRGEvaluationFrequency = PT5MVMHeartBeatRGAutoResolveTime = 00:10:00VMHeartBeatRGAutoResolve = trueVMHeartBeatRGAlertState = trueVMHeartBeatRGAutoMitigate = trueVMHeartBeatRGFailingPeriods = 1VMHeartBeatRGOperator = GreaterThanVMHeartBeatRGWindowSize = PT6HVMHeartBeatRGThreshold = 10ALZMonitorResourceGroupName = rg-amba-monitoring-001ALZMonitorResourceGroupTags = {"Project":"amba-monitoring"}
|
VMHeartBeatRGAlertSeverity = 1VMHeartBeatRGComputersToInclude = ["*"]VMHeartBeatRGTimeAggregation = CountVMHeartBeatRGEvaluationFrequency = PT5MVMHeartBeatRGAutoResolveTime = 00:10:00VMHeartBeatRGAutoResolve = trueVMHeartBeatRGAlertState = trueVMHeartBeatRGAutoMitigate = trueVMHeartBeatRGFailingPeriods = 1VMHeartBeatRGOperator = GreaterThanVMHeartBeatRGWindowSize = PT6HVMHeartBeatRGThreshold = 10
|
|||||||
| Compute |
Deploy VM Memory Alert Policy to audit/deploy VM Memory Alert |
VMPercentMemoryAlertState = trueVMPercentMemoryOperator = GreaterThanVMPercentMemoryWindowSize = PT15MVMPercentMemoryFailingPeriods = 1VMPercentMemoryEvaluationFrequency = PT5MVMPercentMemoryAutoMitigate = trueVMPercentMemoryThreshold = 10VMPercentMemoryAlertSeverity = 2VMPercentMemoryTimeAggregation = CountVMPercentMemoryAutoResolve = trueVMPercentMemoryAutoResolveTime = 00:10:00
|
VMPercentMemoryAlertState = trueVMPercentMemoryOperator = GreaterThanVMPercentMemoryWindowSize = PT15MVMPercentMemoryFailingPeriods = 1VMPercentMemoryEvaluationFrequency = PT5MVMPercentMemoryAutoMitigate = trueVMPercentMemoryThreshold = 10VMPercentMemoryAlertSeverity = 2VMPercentMemoryTimeAggregation = CountVMPercentMemoryAutoResolve = trueVMPercentMemoryAutoResolveTime = 00:10:00
|
|||||||
| Compute |
Deploy VM Network Read Alert Policy to audit/deploy VM Network Read Alert |
VMNetworkInAutoMitigate = trueVMNetworkInAlertState = trueVMNetworkInWindowSize = PT15MVMNetworkInEvaluationFrequency = PT5MVMNetworkInTimeAggregation = CountVMNetworkInAutoResolve = trueVMNetworkInComputersToInclude = ["*"]VMNetworkInAutoResolveTime = 00:10:00VMNetworkInThreshold = 10000000VMNetworkInOperator = GreaterThanVMNetworkInAlertSeverity = 2VMNetworkInEvaluationPeriods = 1VMNetworkInFailingPeriods = 1
|
VMNetworkInAutoMitigate = trueVMNetworkInAlertState = trueVMNetworkInWindowSize = PT15MVMNetworkInEvaluationFrequency = PT5MVMNetworkInTimeAggregation = CountVMNetworkInAutoResolve = trueVMNetworkInComputersToInclude = ["*"]VMNetworkInAutoResolveTime = 00:10:00VMNetworkInThreshold = 10000000VMNetworkInOperator = GreaterThanVMNetworkInAlertSeverity = 2VMNetworkInEvaluationPeriods = 1VMNetworkInFailingPeriods = 1
|
|||||||
| Compute |
Deploy VM Network Write Alert Policy to audit/deploy VM Network Out Alert |
VMNetworkOutEvaluationPeriods = 1VMNetworkOutAutoMitigate = trueVMNetworkOutEvaluationFrequency = PT5MVMNetworkOutAutoResolveTime = 00:10:00VMNetworkOutAutoResolve = trueVMNetworkOutComputersToInclude = ["*"]VMNetworkOutTimeAggregation = CountVMNetworkOutAlertSeverity = 2VMNetworkOutFailingPeriods = 1VMNetworkOutThreshold = 10000000VMNetworkOutOperator = GreaterThanVMNetworkOutAlertState = trueVMNetworkOutWindowSize = PT15M
|
VMNetworkOutEvaluationPeriods = 1VMNetworkOutAutoMitigate = trueVMNetworkOutEvaluationFrequency = PT5MVMNetworkOutAutoResolveTime = 00:10:00VMNetworkOutAutoResolve = trueVMNetworkOutComputersToInclude = ["*"]VMNetworkOutTimeAggregation = CountVMNetworkOutAlertSeverity = 2VMNetworkOutFailingPeriods = 1VMNetworkOutThreshold = 10000000VMNetworkOutOperator = GreaterThanVMNetworkOutAlertState = trueVMNetworkOutWindowSize = PT15M
|
|||||||
| Compute |
Deploy VM OS Disk Read Latency Alert Policy to audit/deploy VM OSDiskreadLatency Alert |
VMOSDiskReadLatencyAlertState = trueVMOSDiskReadLatencyWindowSize = PT15MVMOSDiskReadLatencyAutoResolve = trueVMOSDiskReadLatencyEvaluationFrequency = PT5MVMOSDiskReadLatencyTimeAggregation = CountVMOSDiskReadLatencyFailingPeriods = 1VMOSDiskReadLatencyEvaluationPeriods = 1VMOSDiskReadLatencyAlertSeverity = 2VMOSDiskReadLatencyAutoResolveTime = 00:10:00VMOSDiskReadLatencyOperator = GreaterThanVMOSDiskReadLatencyComputersToInclude = ["*"]VMOSDiskReadLatencyAutoMitigate = trueVMOSDiskReadLatencyThreshold = 30
|
VMOSDiskReadLatencyAlertState = trueVMOSDiskReadLatencyWindowSize = PT15MVMOSDiskReadLatencyAutoResolve = trueVMOSDiskReadLatencyEvaluationFrequency = PT5MVMOSDiskReadLatencyTimeAggregation = CountVMOSDiskReadLatencyFailingPeriods = 1VMOSDiskReadLatencyEvaluationPeriods = 1VMOSDiskReadLatencyAlertSeverity = 2VMOSDiskReadLatencyAutoResolveTime = 00:10:00VMOSDiskReadLatencyOperator = GreaterThanVMOSDiskReadLatencyComputersToInclude = ["*"]VMOSDiskReadLatencyAutoMitigate = trueVMOSDiskReadLatencyThreshold = 30
|
|||||||
| Compute |
Deploy VM OS Disk Space Alert Policy to audit/deploy VM OSDiskSpace Alert |
VMOSDiskSpaceAlertState = trueVMOSDiskSpaceEvaluationFrequency = PT5MVMOSDiskSpaceAutoResolveTime = 00:10:00VMOSDiskSpaceFailingPeriods = 1VMOSDiskSpaceAutoMitigate = trueVMOSDiskSpaceOperator = GreaterThanVMOSDiskSpaceThreshold = 10VMOSDiskSpaceComputersToInclude = ["*"]VMOSDiskSpaceEvaluationPeriods = 1VMOSDiskSpaceAutoResolve = trueVMOSDiskSpaceAlertSeverity = 2VMOSDiskSpaceWindowSize = PT15MVMOSDiskSpaceTimeAggregation = Count
|
VMOSDiskSpaceAlertState = trueVMOSDiskSpaceEvaluationFrequency = PT5MVMOSDiskSpaceAutoResolveTime = 00:10:00VMOSDiskSpaceFailingPeriods = 1VMOSDiskSpaceAutoMitigate = trueVMOSDiskSpaceOperator = GreaterThanVMOSDiskSpaceThreshold = 10VMOSDiskSpaceComputersToInclude = ["*"]VMOSDiskSpaceEvaluationPeriods = 1VMOSDiskSpaceAutoResolve = trueVMOSDiskSpaceAlertSeverity = 2VMOSDiskSpaceWindowSize = PT15MVMOSDiskSpaceTimeAggregation = Count
|
|||||||
| Compute |
Deploy VM OS Disk Write Latency Alert Policy to audit/deploy VM OSDiskwriteLatency Alert |
VMOSDiskWriteLatencyFailingPeriods = 1VMOSDiskWriteLatencyAlertState = trueVMOSDiskWriteLatencyAutoResolveTime = 00:10:00VMOSDiskWriteLatencyAutoMitigate = trueVMOSDiskWriteLatencyEvaluationFrequency = PT5MVMOSDiskWriteLatencyAlertSeverity = 2VMOSDiskWriteLatencyOperator = GreaterThanVMOSDiskWriteLatencyTimeAggregation = CountVMOSDiskWriteLatencyAutoResolve = trueVMOSDiskWriteLatencyComputersToInclude = ["*"]VMOSDiskWriteLatencyWindowSize = PT15MVMOSDiskWriteLatencyThreshold = 30VMOSDiskWriteLatencyEvaluationPeriods = 1
|
VMOSDiskWriteLatencyFailingPeriods = 1VMOSDiskWriteLatencyAlertState = trueVMOSDiskWriteLatencyAutoResolveTime = 00:10:00VMOSDiskWriteLatencyAutoMitigate = trueVMOSDiskWriteLatencyEvaluationFrequency = PT5MVMOSDiskWriteLatencyAlertSeverity = 2VMOSDiskWriteLatencyOperator = GreaterThanVMOSDiskWriteLatencyTimeAggregation = CountVMOSDiskWriteLatencyAutoResolve = trueVMOSDiskWriteLatencyComputersToInclude = ["*"]VMOSDiskWriteLatencyWindowSize = PT15MVMOSDiskWriteLatencyThreshold = 30VMOSDiskWriteLatencyEvaluationPeriods = 1
|