-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json
55 lines (55 loc) · 1.74 KB
/
LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
{
"properties": {
"displayName": "Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.",
"metadata": {
"version": "1.1.0",
"category": "Monitoring"
},
"version": "1.1.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
},
"allowedValues": [
"audit",
"Audit",
"deny",
"Deny",
"disabled",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.OperationalInsights/clusters"
},
{
"not": {
"field": "Microsoft.OperationalInsights/clusters/isDoubleEncryptionEnabled",
"equals": "true"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.1.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/ea0dfaed-95fb-448c-934e-d6e713ce393d",
"name": "ea0dfaed-95fb-448c-934e-d6e713ce393d"
}