# Search (oWretch/policy GitHub Wiki)
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity
---|---|---|---|---|---|---|---|---|---|---
Search | **Azure AI Search service should use a SKU that supports private link** With supported SKUs of Azure AI Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Deny Disabled Audit | Deny Disabled Audit | | | | | | |
Search | **Azure AI Search services should disable public network access** Disabling public network access improves security by ensuring that your Azure AI Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Deny Disabled Audit | | | | | | | |
Search | **Azure AI Search services should have local authentication methods disabled** Disabling local authentication methods improves security by ensuring that Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure AI Search portal functionality, since some features of the Portal use the GA API, which does not support the parameter. | Deny Disabled Audit | Deny Disabled Audit | | | | | | |
Search | **Azure AI Search services should use customer-managed keys to encrypt data at rest** Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. | AuditIfNotExists Disabled | AuditIfNotExists Disabled | | | | | | |
Search | **Configure Azure AI Search services to disable local authentication** Disable local authentication methods so that your Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. | Modify Disabled | Modify Disabled | | | | | | |
Search | **Configure Azure AI Search services to disable public network access** Disable public network access for your Azure AI Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Modify Disabled | Modify Disabled | | | | | | |
Search | **Configure Azure AI Search services to use private DNS zones** Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure AI Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | DeployIfNotExists Disabled | | | | | | | |
Search | **Resource logs in Search services should be enabled** Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists Disabled | AuditIfNotExists Disabled | AuditIfNotExists Disabled | | | | | |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity
---|---|---|---|---|---|---|---|---|---|---
Search | **Configure Azure AI Search services to use private DNS zones** Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure AI Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | `azureCognitiveSearchPrivateDnsZoneId = --DNSZonePrefix--privatelink.search.win...` | | | | | | | |
Search | **Resource logs in Search services should be enabled** Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | `diagnosticsLogsInSearchServiceRetention... = 1` | | | | | | | |