From c3e5f564b8758683bfbe2a715d31dc0091515a9c Mon Sep 17 00:00:00 2001 From: Sara Joshi Date: Wed, 5 Jul 2023 12:57:38 -0500 Subject: [PATCH 1/2] adding policy files --- .../audit-content-logging/.DS_Store | Bin 0 -> 6148 bytes .../audit-content-logging/azurepolicy.json | 53 +++++++++++++ .../azurepolicy.parameters.json | 15 ++++ .../azurepolicy.rules.json | 25 ++++++ .../public-access-restriction/.DS_Store | Bin 0 -> 6148 bytes .../azurepolicy.json | 73 ++++++++++++++++++ .../azurepolicy.parameters.json | 15 ++++ .../azurepolicy.rules.json | 45 +++++++++++ 8 files changed, 226 insertions(+) create mode 100644 policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store create mode 100644 policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.json create mode 100644 policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.parameters.json create mode 100644 policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.rules.json create mode 100644 policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store create mode 100644 policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.json create mode 100644 policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.parameters.json create mode 100644 policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.rules.json diff --git a/policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store b/policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..baf61ffa03fa58bf7d1ba9a7c5c37c787ea46c35 GIT binary patch literal 6148 zcmeHK%Sr=55Ukc50$%ncf(Y{k0smkP@!;7X&_oZ)>W0-E^t6BECu;RWF>&`QBHhqk zlbP#PB?AG zvGx*LQv&P2-jORb@lv9fO0*c_<(w~(R|ocvUJi-oL*mJw&5PL6$zLoTQaff$1yX@+ z1+@32ReJxQ^Di^ld>)4W~>G>*4E0{BDU gBS*IA>qW=Rs{?ySWzl&nC+3HM36dcd_yq+%029eX(*OVf literal 0 HcmV?d00001 
diff --git a/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.json b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.json
new file mode 100644
index 00000000..a902aa6a
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.json
@@ -0,0 +1,53 @@
+{
+ "name": "5e68f029-0f81-4ee3-b578-705b0fdb237d",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Audit OpenAI instances with content filtering enabled",
+ "description": "Azure OpenAI Service includes a content management system that filters content. If you are working with sensitive data, content filtering should be disabled so that Microsoft is not processing your data.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "kind",
+ "equals": "OpenAI"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/capabilities[*].name",
+ "notEquals": "ContentLogging"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.parameters.json b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.parameters.json
new file mode 100644
index 00000000..69730b21
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.parameters.json
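Review bot: In audit-content-logging/azurepolicy.json the `displayName` and `description` talk about content filtering, but the rule's only test is `capabilities[*].name` `notEquals` `ContentLogging`, which by its name concerns retention of prompt and completion content rather than the content filter itself. Telling operators that "content filtering should be disabled" reads as advice to switch off a safety control; I would reword to something like `"displayName": "Audit Azure OpenAI accounts that have not opted out of content logging"` and state the data-retention concern in the description. The condition matches on the capability name alone and never looks at its value, so it presumably relies on the capability only being listed once logging is turned off; worth confirming and saying so in the description. `Deny` in `allowedValues` looks risky here, because if that capability is granted after the account exists rather than set at creation, a Deny assignment would likely block every new OpenAI account. The same rule is repeated in audit-content-logging/azurepolicy.rules.json, and the single-item `anyOf` wrapper can be dropped in both.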
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
diff --git a/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.rules.json b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.rules.json
new file mode 100644
index 00000000..590dd9c2
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/audit-content-logging/azurepolicy.rules.json
@@ -0,0 +1,25 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "kind",
+ "equals": "OpenAI"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/capabilities[*].name",
+ "notEquals": "ContentLogging"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
diff --git a/policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store b/policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..cd5a1ace86223b9b186b1bb84f89eeaa9e0a1524
GIT binary patch literal 6148 zcmeHKyH3ME5S)b+k!V~YB!qNd0OAi!6bfp701_xb21kYzQ2CGeM3{YmNU&Rk(5|#Q zm%H8Z-AM6y0my89a|%=drgTNo!GP)X;L=Vc?-Ip0Zm~j(26tEv5dFm|-Ft;=ykd_~^B^((G)^anCO(>wBwvA%7w?vJu|+-pO& zQ7$>!;<9aKNCi@XR3H^d1xx|n*=o~0$Bd~!Dv%0%DWLC%LRYK;-y3{m1r@<%Q;^nuMX@Ty&MwFhs2XVn-{UClfPIxq;|}h3Zw#? z3TW?3tMvXq=U-;9$+wgYsX!|5Ulowa{Bl0y>EdqvaZbH!3;l|&rg^;%XdG{R1n`Hx gM-FV!*NcvsR|ocv%A)gDPRtJh6C^__@Cyoj09O=5)&Kwi literal 0 HcmV?d00001
diff --git a/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.json b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.json
new file mode 100644
index 00000000..e1f1f138
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.json
@@ -0,0 +1,73 @@
+{
+ "name": "5e68f029-0f81-4ee3-b578-705b0fdb237c",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Audit OpenAI instances public access enabled",
+ "description": "Azure OpenAI instances should not have public access enabled. Open AI instances should only be accessible via select networks or a private endpoint.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "kind",
+ "equals": "OpenAI"
+ },
+ {
+ "anyof": [
+ {
+ "allof": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
+ "notEquals": "Deny"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ {
+ "allof": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "equals": "Enabled"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.parameters.json b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.parameters.json
new file mode 100644
index 00000000..69730b21
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.parameters.json
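Review bot: Both `allof` branches in public-access-restriction/azurepolicy.json require `publicNetworkAccess` to `equals` `Enabled`, so an account where that property is absent or null is never reported even when `networkAcls.defaultAction` is not `Deny`. Failing closed with `"notEquals": "Disabled"` on the `publicNetworkAccess` field would cover that case; whether the property can actually be missing depends on how the account was deployed, so confirm against a real resource. The second branch (`networkAcls` `exists` `false`) also looks redundant, since a missing `networkAcls` should already satisfy `notEquals` `Deny` in the first branch. Separately, `anyof`/`allof` are spelled in lower case here while the outer operator is `allOf`; use one casing throughout. The same rule body is repeated in public-access-restriction/azurepolicy.rules.json.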
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
diff --git a/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.rules.json b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.rules.json
new file mode 100644
index 00000000..4beae02a
--- /dev/null
+++ b/policyDefinitions/Cognitive Services/public-access-restriction/azurepolicy.rules.json
@@ -0,0 +1,45 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "kind",
+ "equals": "OpenAI"
+ },
+ {
+ "anyof": [
+ {
+ "allof": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
+ "notEquals": "Deny"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ {
+ "allof": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "equals": "Enabled"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
From 6ea4246e809b1a8f314694448b07dbdfc1cda88f Mon Sep 17 00:00:00 2001
From: Sara Joshi
Date: Wed, 5 Jul 2023 13:14:23 -0500
Subject: [PATCH 2/2] removing dsstore
---
 .../audit-content-logging/.DS_Store | Bin 6148 -> 0 bytes
 .../public-access-restriction/.DS_Store | Bin 6148 -> 0 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store
 delete mode 100644 policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store
diff --git a/policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store b/policyDefinitions/Cognitive Services/audit-content-logging/.DS_Store deleted file mode 100644 index baf61ffa03fa58bf7d1ba9a7c5c37c787ea46c35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK%Sr=55Ukc50$%ncf(Y{k0smkP@!;7X&_oZ)>W0-E^t6BECu;RWF>&`QBHhqk zlbP#PB?AG zvGx*LQv&P2-jORb@lv9fO0*c_<(w~(R|ocvUJi-oL*mJw&5PL6$zLoTQaff$1yX@+ z1+@32ReJxQ^Di^ld>)4W~>G>*4E0{BDU gBS*IA>qW=Rs{?ySWzl&nC+3HM36dcd_yq+%029eX(*OVf diff --git a/policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store b/policyDefinitions/Cognitive Services/public-access-restriction/.DS_Store deleted file mode 100644 index cd5a1ace86223b9b186b1bb84f89eeaa9e0a1524..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyH3ME5S)b+k!V~YB!qNd0OAi!6bfp701_xb21kYzQ2CGeM3{YmNU&Rk(5|#Q zm%H8Z-AM6y0my89a|%=drgTNo!GP)X;L=Vc?-Ip0Zm~j(26tEv5dFm|-Ft;=ykd_~^B^((G)^anCO(>wBwvA%7w?vJu|+-pO& zQ7$>!;<9aKNCi@XR3H^d1xx|n*=o~0$Bd~!Dv%0%DWLC%LRYK;-y3{m1r@<%Q;^nuMX@Ty&MwFhs2XVn-{UClfPIxq;|}h3Zw#? z3TW?3tMvXq=U-;9$+wgYsX!|5Ulowa{Bl0y>EdqvaZbH!3;l|&rg^;%XdG{R1n`Hx gM-FV!*NcvsR|ocv%A)gDPRtJh6C^__@Cyoj09O=5)&Kwi