Policy Templates for Azure - DEPRECATED
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates
Policy Templates Deprecated in 6.6.1
The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.6.1.
Policy Name | Comments | Web Link |
---|---|---|
AKS: Do not admit containers with NET_RAW capabilities in Pod Security Policies | PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed from Kubernetes in v1.25. | |
Policy Templates Deprecated in 6.2.0
The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.
Policy Name | Comments | Web Link |
---|---|---|
Threat detection should be enabled for SQL databases | This setting is at the subscription level. | |
Policy Templates Deprecated in 6.1.2
The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.
Policy Name | Comments | Web Link |
---|---|---|
Email service and co-administrators should be enabled for SQL databases | This setting is at the top-level server, not the constituent database. | |
Policy Templates Deprecated in 6.1.1
The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.1.1.
Policy Name | Comments | Web Link |
---|---|---|
Monitor access rules in Event Hub namespaces should be enabled in Security Center | Azure Microsoft Defender has deprecated multiple security recommendations. The corresponding Policy Templates for Azure Security Configuration Audit are now deprecated. | https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference |
Monitor Configure IP restrictions for API App should be enabled in Security Center | | |
Web sockets for API App should be disabled in Security Center | | |
Custom domain use in API App should be enabled in Security Center | | |
Use latest DotNet version in API App should be enabled in Security Center | | |
Use latest Java version in API App should be enabled in Security Center | | |
Use latest PHP version in API App should be enabled in Security Center | | |
Use latest Python version in API App should be enabled in Security Center | | |
Monitor Configure IP restrictions for Function App should be enabled in Security Center | | |
Web sockets for Function App should be disabled in Security Center | | |
Custom domain use in Function App should be enabled in Security Center | | |
Monitor Configure IP restrictions for Web App should be enabled in Security Center | | |
Web sockets for Web App should be disabled in Security Center | | |
Custom domain use in Web App should be enabled in Security Center | | |
Use latest DotNet version in Web App should be enabled in Security Center | | |
Use latest Node js version in Web App should be enabled in Security Center | | |
Monitoring agent health issues should be resolved on virtual machines | | |
Disk encryption should be applied on your Virtual Machines | | |
IP restrictions for Web App should be configured | | |
Custom domains should be used for Web application | | |
Latest supported .NET framework version should be used for Web Application | | |
Web Sockets should be disabled for Web Application | | |
IP restrictions for Function App should be configured | | |
Custom domains should be used for Function App | | |
Web Sockets should be disabled for function Application | | |
All resources should not be allowed to access your application | | |
Virtual Machines should be rebooted after system updates | | |
Latest supported Node.js version should be used for Web Application | | |
Application protection should be finalized | | |
OS version should be updated | | |
Policy Templates Deprecated in 5.2.0
The following Policy Templates for Azure are deprecated in Skyhigh CASB 5.2.0.
Policy Name | Comments | Web Link |
---|---|---|
Unencrypted activity logs in storage account | As per Azure, since June 2017 Storage Service Encryption is enabled by default and cannot be disabled. Also, in the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted. Hence the policy is deprecated. | https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/ |
Storage Service Encryption for Storage Accounts | As per Azure, since June 2017 Storage Service Encryption is enabled by default and cannot be disabled. Also, in the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted. Hence the policy is deprecated. | https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/ |
Latest OS Patch Updates Enabled for Virtual Machines | (1) This policy depends on the property "osProfile.windowsConfiguration.enableAutomaticUpdates". Because this property is not present for Linux VMs, the policy does not work for Linux VMs. (2) If you create a Windows VM from the Azure Portal, this property is true by default and cannot be changed after the VM is created. (3) Even though the property is true by default for Windows VMs, the Azure Portal still shows an option to enable Update Management for Windows VMs, which it should not. (4) If a VM is created with Update Management disabled using the REST API, the property returns false, and it still returns false in data collection even after Update Management is enabled. Due to the limitations above, the policy is deprecated. | Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates. https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas#manage-operating-systems |
Enable VM agent on Virtual Machines | This check depends on the Azure API to determine whether the VM agent is installed in the VM. The configuration parameter used for this is "provisionVMAgent". Even if the agent is installed manually, the API always returns false for this parameter. Also, in the latest CIS benchmark 1.1.0, the control "7.1 Ensure that VM agent is installed" is marked as deleted. Hence the policy is deprecated. | https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get |
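As an added illustration (not part of this documentation or of Skyhigh CASB), the Python below evaluates the two "osProfile" properties that the last two rows of the table rely on, taken from constructed responses shaped like the Azure Virtual Machines Get API, and returns a distinct not-applicable or unknown result when the property is absent rather than a false failure. The function names, result labels and sample VM documents are my own assumptions.

```python
# Constructed sample VM documents (osProfile fragment only), shaped like the
# Azure Compute "Virtual Machines - Get" response. Not real data.
WINDOWS_VM_PORTAL = {"name": "win-portal", "properties": {"osProfile": {
    "windowsConfiguration": {"provisionVMAgent": True, "enableAutomaticUpdates": True}}}}
WINDOWS_VM_REST = {"name": "win-rest", "properties": {"osProfile": {
    "windowsConfiguration": {"provisionVMAgent": True, "enableAutomaticUpdates": False}}}}
LINUX_VM = {"name": "linux", "properties": {"osProfile": {
    "linuxConfiguration": {"provisionVMAgent": True}}}}
NO_PROFILE_VM = {"name": "bare", "properties": {}}

PASS, FAIL, NOT_APPLICABLE, UNKNOWN = "pass", "fail", "not_applicable", "unknown"


def _os_profile(vm):
    return vm.get("properties", {}).get("osProfile", {})


def check_automatic_updates(vm):
    """Evaluate osProfile.windowsConfiguration.enableAutomaticUpdates."""
    win = _os_profile(vm).get("windowsConfiguration")
    if win is None:
        # Linux VMs carry no windowsConfiguration, so the property never exists:
        # report not-applicable instead of a misleading failure (limitation 1 above).
        return NOT_APPLICABLE
    value = win.get("enableAutomaticUpdates")
    if value is None:
        return UNKNOWN
    # Note: the table above records that a value of False persists in data
    # collection even after Update Management is enabled (limitation 4).
    return PASS if value else FAIL


def check_vm_agent(vm):
    """Evaluate provisionVMAgent from whichever OS configuration is present."""
    profile = _os_profile(vm)
    cfg = profile.get("windowsConfiguration") or profile.get("linuxConfiguration")
    if not cfg or cfg.get("provisionVMAgent") is None:
        # Property absent: the API gives no basis to assert agent presence.
        return UNKNOWN
    # The value reflects the provisioning-time setting reported by the API,
    # not a live check; a manually installed agent is not reflected here.
    return PASS if cfg["provisionVMAgent"] else FAIL


def evaluate_fleet(vms):
    """Map VM name -> (automatic-updates result, VM-agent result)."""
    return {vm["name"]: (check_automatic_updates(vm), check_vm_agent(vm)) for vm in vms}
```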