articles/app-service/security-controls-policy.md
Lines changed: 123 additions & 8 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Azure Policy Regulatory Compliance controls for Azure App Service
3
3
description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
4
-
ms.date: 06/16/2022
4
+
ms.date: 07/04/2022
5
5
ms.topic: sample
6
6
ms.service: app-service
7
7
ms.custom: subject-policy-compliancecontrols
@@ -21,15 +21,130 @@ compliant with the specific standard.
21
21
22
22
## Release notes
23
23
24
+
### July 2022
25
+
26
+
- Deprecation of the following policies:
27
+
-**Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'**
28
+
-**Ensure that 'Python version' is the latest, if used as a part of the API app**
29
+
-**CORS should not allow every resource to access your API App**
30
+
-**Managed identity should be used in your API App**
31
+
-**Remote debugging should be turned off for API Apps**
32
+
-**Ensure that 'PHP version' is the latest, if used as a part of the API app**
33
+
-**API apps should use an Azure file share for its content directory**
34
+
-**FTPS only should be required in your API App**
35
+
-**Ensure that 'Java version' is the latest, if used as a part of the API app**
36
+
-**Ensure that 'HTTP Version' is the latest, if used to run the API app**
37
+
-**Latest TLS version should be used in your API App**
38
+
-**Authentication should be enabled on your API app**
39
+
-**Function apps should have 'Client Certificates (Incoming client certificates)' enabled**
40
+
- Update scope of policy to include slots
41
+
- Update scope of policy to exclude Logic apps
42
+
-**Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'**
43
+
- Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
44
+
- Update scope of policy to include slots
45
+
- Update scope of policy to include all app types except Function apps
46
+
-**Ensure that 'Python version' is the latest, if used as a part of the Web app**
47
+
- Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
48
+
- Update scope of policy to include all app types except Function apps
49
+
-**Ensure that 'Python version' is the latest, if used as a part of the Function app**
50
+
- Rename of policy to "Function apps that use Python should use the latest 'Python version'"
51
+
- Update scope of policy to exclude Logic apps
52
+
-**CORS should not allow every resource to access your Web Applications**
53
+
- Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
54
+
- Update scope of policy to include all app types except Function apps
55
+
-**CORS should not allow every resource to access your Function Apps**
56
+
- Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
57
+
- Update scope of policy to exclude Logic apps
58
+
-**Managed identity should be used in your Function App**
59
+
- Rename of policy to "Function apps should use managed identity"
60
+
- Update scope of policy to exclude Logic apps
61
+
-**Managed identity should be used in your Web App**
62
+
- Rename of policy to "App Service apps should use managed identity"
63
+
- Update scope of policy to include all app types except Function apps
64
+
-**Remote debugging should be turned off for Function Apps**
65
+
- Rename of policy to "Function apps should have remote debugging turned off"
66
+
- Update scope of policy to exclude Logic apps
67
+
-**Remote debugging should be turned off for Web Applications**
68
+
- Rename of policy to "App Service apps should have remote debugging turned off"
69
+
- Update scope of policy to include all app types except Function apps
70
+
-**Ensure that 'PHP version' is the latest, if used as a part of the WEB app**
71
+
- Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
72
+
- Update scope of policy to include all app types except Function apps
73
+
-**App Service slots should have local authentication methods disabled for SCM site deployment**
74
+
- Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
75
+
-**App Service should have local authentication methods disabled for SCM site deployments**
76
+
- Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
77
+
-**App Service slots should have local authentication methods disabled for FTP deployments**
78
+
- Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
79
+
-**App Service should have local authentication methods disabled for FTP deployments**
80
+
- Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
81
+
-**Function apps should use an Azure file share for its content directory**
82
+
- Update scope of policy to include slots
83
+
- Update scope of policy to exclude Logic apps
84
+
-**Web apps should use an Azure file share for its content directory**
85
+
- Rename of policy to "App Service apps should use an Azure file share for its content directory"
86
+
- Update scope of policy to include slots
87
+
- Update scope of policy to include all app types except Function apps
88
+
-**FTPS only should be required in your Function App**
89
+
- Rename of policy to "Function apps should require FTPS only"
90
+
- Update scope of policy to exclude Logic apps
91
+
-**FTPS should be required in your Web App**
92
+
- Rename of policy to "App Service apps should require FTPS only"
93
+
- Update scope of policy to include all app types except Function apps
94
+
-**Ensure that 'Java version' is the latest, if used as a part of the Function app**
95
+
- Rename of policy to "Function apps that use Java should use the latest 'Java version'"
96
+
- Update scope of policy to exclude Logic apps
97
+
-**Ensure that 'Java version' is the latest, if used as a part of the Web app**
98
+
- Rename of policy to "App Service apps that use Java should use the latest 'Java version"
99
+
- Update scope of policy to include all app types except Function apps
100
+
-**App Service should use private link**
101
+
- Rename of policy to "App Service apps should use private link"
102
+
-**Configure App Services to use private DNS zones**
103
+
- Rename of policy to "Configure App Service apps to use private DNS zones"
104
+
-**App Service Apps should be injected into a virtual network**
105
+
- Rename of policy to "App Service apps should be injected into a virtual network"
106
+
- Update scope of policy to include slots
107
+
-**Ensure that 'HTTP Version' is the latest, if used to run the Web app**
108
+
- Rename of policy to "App Service apps should use latest 'HTTP Version'"
109
+
- Update scope of policy to include all app types except Function apps
110
+
-**Ensure that 'HTTP Version' is the latest, if used to run the Function app**
111
+
- Rename of policy to "Function apps should use latest 'HTTP Version'"
112
+
- Update scope of policy to exclude Logic apps
113
+
-**Latest TLS version should be used in your Web App**
114
+
- Rename of policy to "App Service apps should use the latest TLS version"
115
+
- Update scope of policy to include all app types except Function apps
116
+
-**Latest TLS version should be used in your Function App**
117
+
- Rename of policy to "Function apps should use the latest TLS version"
118
+
- Update scope of policy to exclude Logic apps
119
+
-**App Service Environment should disable TLS 1.0 and 1.1**
120
+
- Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
121
+
-**Resource logs in App Services should be enabled**
122
+
- Rename of policy to "App Service apps should have resource logs enabled"
123
+
-**Authentication should be enabled on your web app**
124
+
- Rename of policy to "App Service apps should have authentication enabled"
125
+
-**Authentication should be enabled on your Function app**
126
+
- Rename of policy to "Function apps should have authentication enabled"
127
+
- Update scope of policy to exclude Logic apps
128
+
-**App Service Environment should enable internal encryption**
129
+
- Rename of policy to "App Service Environment should have internal encryption enabled"
130
+
-**Function apps should only be accessible over HTTPS**
131
+
- Update scope of policy to exclude Logic apps
132
+
-**App Service should use a virtual network service endpoint**
133
+
- Rename of policy to "App Service apps should use a virtual network service endpoint"
134
+
- Update scope of policy to include all app types except Function apps
135
+
24
136
### June 2022
25
137
26
-
- Deprecation of policy "API App should only be accessible over HTTPS"
27
-
- Rename of policy "Web Application should only be accessible over HTTPS" to "App Service apps should only be accessible over HTTPS"
28
-
- Update scope of policy "App Service apps should only be accessible over HTTPS" to include all app types except Function apps
29
-
- Update scope of policy "App Service apps should only be accessible over HTTPS" to include slots
30
-
- Update scope of policy "Function apps should only be accessible over HTTPS" to include slots
31
-
- Update logic of policy "App Service apps should use a SKU that supports private link" to include checks on App Service plan tier or name so that the policy supports Terraform deployments
32
-
- Update list of supported SKUs of policy "App Service apps should use a SKU that supports private link" to include the Basic and Standard tiers
138
+
- Deprecation of policy **API App should only be accessible over HTTPS**
139
+
-**Web Application should only be accessible over HTTPS**
140
+
- Rename of policy to "App Service apps should only be accessible over HTTPS"
141
+
- Update scope of policy to include all app types except Function apps
142
+
- Update scope of policy to include slots
143
+
-**Function apps should only be accessible over HTTPS**
144
+
- Update scope of policy to include slots
145
+
-**App Service apps should use a SKU that supports private link**
146
+
- Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
147
+
- Update list of supported SKUs of policy to include the Basic and Standard tiers
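Review bot: The "Deprecation of the following policies" list at the top of the new July 2022 section names the API app policies for client certificates, CORS, managed identity, remote debugging, FTPS, TLS and authentication without saying what supersedes them. The renamed "App Service apps ..." entries further down each carry "Update scope of policy to include all app types except Function apps", which suggests they are the replacements; if that is the intent, state it next to the deprecation list so that existing assignments of the deprecated definitions are moved to the renamed ones instead of leaving API apps unevaluated. Separately, the rename target for the Web app Java policy is missing its closing single quote: "App Service apps that use Java should use the latest 'Java version" should end with 'Java version'", matching the Function app entry just above it.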