Vaults_Immutability_Audit.json
{
"properties": {
"displayName": "[Preview]: Immutability must be enabled for backup vaults",
"description": "This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.",
"policyType": "BuiltIn",
"mode": "Indexed",
"metadata": {
"version": "1.0.1-preview",
"preview": true,
"category": "Backup"
},
"version": "1.0.1-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"checkLockedImmutabiltyOnly": {
"type": "Boolean",
"metadata": {
"displayName": "CheckLockedImmutabiltyOnly",
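"description": "Controls whether only locked immutability counts as compliant for Backup vaults in scope. Selecting 'true' marks only vaults with Immutability 'Locked' as compliant. Selecting 'false' marks vaults whose Immutability is either 'Enabled' (reported by the resource as state 'Unlocked') or 'Locked' as compliant. Immutability that is not locked can still be disabled, so 'true' is the stricter check."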
},
"allowedValues": [
true,
false
],
"defaultValue": true
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataProtection/backupvaults"
},
{
"anyOf": [
{
"field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State",
"notIn": [
"Locked",
"Unlocked"
]
},
{
"allOf": [
{
"value": "[parameters('checkLockedImmutabiltyOnly')]",
"equals": true
},
{
"field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State",
"notEquals": "Locked"
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.1-PREVIEW",
"1.0.0-PREVIEW"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018",
"name": "2514263b-bc0d-4b06-ac3e-f262c0979018"
}