General Policies

How to Use this Page

This page lists the Azure General Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, follow the link for more details about the policy and its fix options.

Ensure Azure VM data disk is encrypted with ADE/CMK
Policy ID: BC_AZR_GENERAL_1

Ensure Azure App Service Web app authentication is On
Policy ID: BC_AZR_GENERAL_2

Ensure a security contact phone number is present
Policy ID: BC_AZR_GENERAL_3

Ensure Send email notification for high severity alerts is enabled
Policy ID: BC_AZR_GENERAL_4

Ensure Send email notification for high severity alerts to admins is enabled
Policy ID: BC_AZR_GENERAL_5

Ensure Azure SQL Server threat detection alerts are enabled for all threat types
Policy ID: BC_AZR_GENERAL_6

Ensure Azure SQL server send alerts to field value is set
Policy ID: BC_AZR_GENERAL_7

Ensure MSSQL servers have email service and co-administrators enabled
Policy ID: BC_AZR_GENERAL_8

Ensure standard pricing tier is selected
Policy ID: BC_AZR_GENERAL_9

Ensure all keys have an expiration date
Policy ID: BC_AZR_GENERAL_10

Ensure Azure key vault is recoverable
Policy ID: BC_AZR_GENERAL_11

Ensure a retention period of less than 90 days is specified
Policy ID: BC_AZR_GENERAL_12

Ensure Azure Linux scale set uses an SSH key
Policy ID: BC_AZR_GENERAL_13

Ensure Virtual Machine extensions are not installed
Policy ID: BC_AZR_GENERAL_14

Ensure FTP Deployments are disabled
Policy ID: BC_AZR_GENERAL_15

Ensure PostgreSQL server enables geo-redundant backups
Policy ID: BC_AZR_GENERAL_16

Ensure key vault key is backed by HSM
Policy ID: BC_AZR_GENERAL_17

Ensure MariaDB server enables geo-redundant backups
Policy ID: BC_AZR_GENERAL_18

Ensure MySQL server enables geo-redundant backups
Policy ID: BC_AZR_GENERAL_19

Ensure Virtual Machines are backed up using Azure backup
Policy ID: BC_AZR_GENERAL_20

Ensure Cosmos DB accounts have CMKs to encrypt data at rest
Policy ID: BC_AZR_GENERAL_21

Ensure Data Lake Store accounts enable encryption
Policy ID: BC_AZR_GENERAL_22

Ensure PostgreSQL server enables infrastructure encryption
Policy ID: BC_AZR_GENERAL_24

Ensure Automation account variables are encrypted
Policy ID: BC_AZR_GENERAL_25

Ensure Azure Data Explorer uses disk encryption
Policy ID: BC_AZR_GENERAL_26

Ensure Azure Data Explorer uses double encryption
Policy ID: BC_AZR_GENERAL_27

Ensure Azure Batch account uses key vault to encrypt data
Policy ID: BC_AZR_GENERAL_28

Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption
Policy ID: BC_AZR_GENERAL_29

Ensure MySQL server enables infrastructure encryption
Policy ID: BC_AZR_GENERAL_30

Ensure Virtual Machine scale sets have encryption at host enabled
Policy ID: BC_AZR_GENERAL_31

Ensure storage for critical data is encrypted with CMKs
Policy ID: BC_AZR_GENERAL_32

Ensure Azure Data Explorer encryption at rest uses a CMK
Policy ID: BC_AZR_GENERAL_33

Ensure unattached disks are encrypted
Policy ID: BC_AZR_GENERAL_34

Ensure Azure data factories are encrypted with a CMK
Policy ID: BC_AZR_GENERAL_35

Ensure MySQL server enables CMKs for encryption
Policy ID: BC_AZR_GENERAL_36

Ensure PostgreSQL server enables CMKs for encryption
Policy ID: BC_AZR_GENERAL_37

Ensure Azure storage account encryption CMKs are enabled
Policy ID: BC_AZR_GENERAL_38

Ensure Azure Data Factory uses Git repository for source control
Policy ID: BC_AZR_GENERAL_39

Ensure key vault enables purge protection
Policy ID: BC_AZR_GENERAL_40

Ensure key vault enables soft-delete
Policy ID: BC_AZR_GENERAL_41

Ensure key vault secrets have content_type set
Policy ID: BC_AZR_GENERAL_42

Ensure Service Fabric clusters use AD for authentication
Policy ID: BC_AZR_GENERAL_43

Ensure MySQL server enables Threat Detection policy
Policy ID: BC_AZR_GENERAL_44

Ensure PostgreSQL server enables Threat Detection policy
Policy ID: BC_AZR_GENERAL_45

Ensure Azure Security Center Defender is set to On for servers
Policy ID: BC_AZR_GENERAL_46

Ensure Azure function app authentication is set to On
Policy ID: BC_AZR_GENERAL_47

Ensure CORS disallows resource to access app services
Policy ID: BC_AZR_GENERAL_48

Ensure security contact emails are set
Policy ID: BC_AZR_GENERAL_49

Ensure Azure Security Center Defender is set to On for app service
Policy ID: BC_AZR_GENERAL_50

Ensure CORS does not allow resources to access function apps
Policy ID: BC_AZR_GENERAL_51

Ensure function app uses the latest HTTP version
Policy ID: BC_AZR_GENERAL_52

Ensure Azure Security Center Defender is set to On for Azure SQL database servers
Policy ID: BC_AZR_GENERAL_53

Ensure managed identity provider is enabled for app services
Policy ID: BC_AZR_GENERAL_54

Ensure remote debugging is not enabled for app services
Policy ID: BC_AZR_GENERAL_55

Ensure Azure Defender is set to On for SQL servers on machines
Policy ID: BC_AZR_GENERAL_56

Ensure Azure App Service Web app uses the latest .NET Core version
Policy ID: BC_AZR_GENERAL_57

Ensure Azure App Service Web app uses the latest PHP version
Policy ID: BC_AZR_GENERAL_58

Ensure Azure App Service Web app uses the latest Python version
Policy ID: BC_AZR_GENERAL_59

Ensure Azure App Service Web app uses the latest Java version
Policy ID: BC_AZR_GENERAL_60

Ensure Azure Security Center Defender is set to On for storage
Policy ID: BC_AZR_GENERAL_61

Ensure Azure Security Center Defender is set to On for Kubernetes
Policy ID: BC_AZR_GENERAL_62

Ensure Azure Defender is set to On for container registries
Policy ID: BC_AZR_GENERAL_63

Ensure Azure Security Center Defender is set to On for Key Vault
Policy ID: BC_AZR_GENERAL_64

Ensure app services use Azure files
Policy ID: BC_AZR_GENERAL_65

Ensure Virtual Machines are utilizing managed disks
Policy ID: BC_AZR_GENERAL_66

Ensure automatic OS image patching is enabled for Virtual Machine scale sets
Policy ID: BC_AZR_GENERAL_67

Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
Policy ID: BC_AZR_GENERAL_68

Ensure SQL servers enable data security policy
Policy ID: BC_AZR_GENERAL_69

Ensure Azure SQL server ADS Vulnerability Assessment is enabled
Policy ID: BC_AZR_GENERAL_70

Ensure Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is enabled
Policy ID: BC_AZR_GENERAL_71

Ensure Azure SQL server ADS VA Send scan reports to is configured
Policy ID: BC_AZR_GENERAL_72

Ensure Azure SQL server ADS VA Also send email notifications to admins and subscription owners is enabled
Policy ID: BC_AZR_GENERAL_73

Ensure SQL servers have Azure Active Directory admin configured
Policy ID: BC_AZR_GENERAL_74

Ensure Azure Virtual Machines are utilizing managed disks
Policy ID: BC_AZR_GENERAL_75

Ensure MSSQL is using the latest version of TLS encryption
Policy ID: BC_AZR_GENERAL_76

Ensure MySQL is using the latest version of TLS encryption
Policy ID: BC_AZR_GENERAL_77

Ensure that Active Directory is used for Service Fabric authentication
Policy ID: BC_AZR_GENERAL_78

Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Policy ID: BC_AZR_GENERAL_79

Ensure that Service Fabric uses available three levels of protection
Policy ID: BC_AZR_GENERAL_80

Ensure Azure resources that support tags have Tags
Policy ID: BC_AZR_GENERAL_81