module/ConfigurationProvider/ControlConfigurations/Services/CognitiveServices.json
{
"FeatureName": "CognitiveServices", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_CognitiveServices_DP_Enable_Encryption_With_Customer_Managed_Keys_MCSB", "Description": "[MCSB] Cognitive Services accounts should enable data encryption with a customer-managed key", "Id": "CognitiveServices110", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Cognitive Services accounts should enable data encryption with a customer-managed key", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Data Encryption ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer managed keys in Azure Cognitive Services, please refer: https://learn.microsoft.com/en-us/azure/cognitive-services/openai/encrypt-data-at-rest", "Tags": [ "CognitiveServices", "Automated", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "18bf29b3-a844-e170-2826-4e95d0ba4dc9" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_CognitiveServices_NetSec_Restrict_Network_Access_MCSB", "Description": "[MCSB] Cognitive Services accounts should restrict network access", "Id": "CognitiveServices120", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Cognitive Services accounts should restrict network access", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Restricting the network access improves security by ensuring your Cognitive Services can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.", "Recommendation": "To restrict network access in Azure Cognitive Services, please refer: https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal", "Tags": [ "CognitiveServices", "Automated", "Baseline", "NetSec" ], "AssessmentProperties": { "AssessmentNames": [ "f738efb8-005f-680d-3d43-b3db762d6243" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_CognitiveServices_NetSec_Dont_Allow_Public_Network_Access_MCSB", "Description": "[MCSB] Cognitive Services accounts should disable public network access", "Id": "CognitiveServices130", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Cognitive Services accounts should disable public network access", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.", "Recommendation": "To disable or allow public network access in Azure Cognitive Services, go to Azure Portal --> Select the resource management menu called Virtual network --> under section 'Allow access from' choose selected networks or refer: https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal", "Tags": [ "CognitiveServices", "Automated", "Baseline", "NetSec" ], "AssessmentProperties": { "AssessmentNames": [ "684a5b6d-a270-61ce-306e-5cea400dc3a7" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_CognitiveServices_NetSec_Dont_Allow_Public_Network_Access", "Description": "Public network access on Cognitive Service accounts must be disabled", "Id": "CognitiveServices140", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDCOrReader", "MethodName": "CheckPublicNetworkAccess", "DisplayName": "Public network access on Cognitive Service accounts must be disabled", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.", "Recommendation": "To disable or allow public network access in Azure Cognitive Services, go to Azure Portal --> Select the resource management menu called Virtual network --> under section 'Allow access from' choose selected networks or refer: https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal", "Tags": [ "CognitiveServices", "Automated", "Baseline", "NetSec" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccess" ] }, "AssessmentProperties": { "AssessmentNames": [ "684a5b6d-a270-61ce-306e-5cea400dc3a7" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": true, "CustomTags": [ "Weekly" ] } ] }