Machine Learning - oWretch/policy GitHub Wiki
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Machine Learning |
[Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry Only deploy Registry Models in the allowed Registry and that are not restricted. |
Deny Disabled |
Deny Disabled |
|||||||
| Machine Learning |
[Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
| Machine Learning |
[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
| Machine Learning |
[Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. |
enforceSetting disabled |
enforceSetting disabled |
|||||||
| Machine Learning |
Azure Machine Learning Compute Instance should have idle shutdown. Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Machine Learning |
Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
| Machine Learning |
Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
| Machine Learning |
Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Machine Learning |
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. |
Deny Disabled Audit |
Deny Disabled Audit |
Disabled Deny Audit |
||||||
| Machine Learning |
Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. |
Audit Deny Disabled |
Deny Disabled Audit |
|||||||
| Machine Learning |
Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Machine Learning |
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. |
Audit Disabled |
Audit Disabled |
Audit Disabled |
||||||
| Machine Learning |
Azure Machine Learning workspaces should use user-assigned managed identity Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Machine Learning |
Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. |
Modify Disabled |
Modify Disabled |
|||||||
| Machine Learning |
Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. |
DeployIfNotExists Disabled |
||||||||
| Machine Learning |
Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. |
Modify Disabled |
Modify Disabled |
|||||||
| Machine Learning |
Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
AuditIfNotExists Disabled |
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Machine Learning |
Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. |
azureMachineLearningWorkspaceSecondPriv... = --DNSZonePrefix--privatelink.notebooks....azureMachineLearningWorkspacePrivateDns... = --DNSZonePrefix--privatelink.api.azurem...
|