if (1)
• 'Microsoft.ElasticSan/elasticSans/publicNetworkAccess' (ref)
{ "displayName": "ElasticSan should disable public network access", "policyType": "BuiltIn", "mode": "Indexed", "description": "Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks.", "metadata": { "version": "1.0.0", "category": "ElasticSan" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.ElasticSan/elasticSans" }, { "field": "Microsoft.ElasticSan/elasticSans/publicNetworkAccess", "notEquals": "Disabled" } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"ElasticSan should disable public network access","policyType":"BuiltIn","mode":"Indexed","description":"Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks.","metadata":{"version":"1.0.0","category":"ElasticSan"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ElasticSan/elasticSans"},{"field":"Microsoft.ElasticSan/elasticSans/publicNetworkAccess","notEquals":"Disabled"}]},"then":{"effect":"[parameters('effect')]"}}}
if (1)
• 'Microsoft.ElasticSan/elasticSans/volumeGroups/encryption' (ref)
{ "displayName": "ElasticSan Volume Group should use customer-managed keys to encrypt data at rest", "policyType": "BuiltIn", "mode": "All", "description": "Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management.", "metadata": { "version": "1.0.0", "category": "ElasticSan" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.ElasticSan/elasticSans/volumeGroups" }, { "field": "Microsoft.ElasticSan/elasticSans/volumeGroups/encryption", "notEquals": "EncryptionAtRestWithCustomerManagedKey" } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"ElasticSan Volume Group should use customer-managed keys to encrypt data at rest","policyType":"BuiltIn","mode":"All","description":"Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management.","metadata":{"version":"1.0.0","category":"ElasticSan"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ElasticSan/elasticSans/volumeGroups"},{"field":"Microsoft.ElasticSan/elasticSans/volumeGroups/encryption","notEquals":"EncryptionAtRestWithCustomerManagedKey"}]},"then":{"effect":"[parameters('effect')]"}}}
{ "displayName": "ElasticSan Volume Group should use private endpoints", "policyType": "BuiltIn", "mode": "All", "description": "Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks", "metadata": { "version": "1.0.0", "category": "ElasticSan" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.ElasticSan/elasticSans/volumeGroups" }, { "count": { "field": "Microsoft.ElasticSan/elasticSans/volumeGroups/privateEndpointConnections[*]", "where": { "field": "Microsoft.ElasticSan/elasticSans/volumeGroups/privateEndpointConnections[*].privateLinkServiceConnectionState.status", "equals": "Approved" } }, "less": 1 } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"ElasticSan Volume Group should use private endpoints","policyType":"BuiltIn","mode":"All","description":"Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks","metadata":{"version":"1.0.0","category":"ElasticSan"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ElasticSan/elasticSans/volumeGroups"},{"count":{"field":"Microsoft.ElasticSan/elasticSans/volumeGroups/privateEndpointConnections[*]","where":{"field":"Microsoft.ElasticSan/elasticSans/volumeGroups/privateEndpointConnections[*].privateLinkServiceConnectionState.status","equals":"Approved"}},"less":1}]},"then":{"effect":"[parameters('effect')]"}}}