Policy Templates for Azure - DEPRECATED

Policy Templates Deprecated in 6.6.1

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.6.1.

Policy Name	Comments	Web Link
AKS: Do not admit containers with NET_RAW capabilities in Pod Security Policies	PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.

Policy Templates Deprecated in 6.2.0

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.

Policy Name	Comments	Web Link
Threat detection should be enabled for SQL databases	This setting is at the subscription level

Policy Templates Deprecated in 6.1.2

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.

Policy Name	Comments	Web Link
Email service and co-administrators should be enabled for SQL databases	This setting is at the top-level server, and not the constituent database

Policy Templates Deprecated in 6.1.1

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.1.1.

Policy Name	Comments	Web Link
Monitor access rules in Event Hub namespaces should be enabled in Security Center	Azure Microsoft Defender has deprecated multiple security recommendations. The corresponding Policy Templates for Azure Security Configuration Audit are now deprecated.	https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference
Monitor Configure IP restrictions for API App should be enabled in Security Center
Web sockets for API App should be disabled in Security Center
Custom domain use in API App should be enabled in Security Center
Use latest DotNet version in API App should be enabled in Security Center
Use latest Java version in API App should be enabled in Security Center
Use latest PHP version in API App should be enabled in Security Center
Use latest Python version in API App should be enabled in Security Center
Monitor Configure IP restrictions for Function App should be enabled in Security Center
Web sockets for Function App should be disabled in Security Center
Custom domain use in Function App should be enabled in Security Center
Monitor Configure IP restrictions for Web App should be enabled in Security Center
Web sockets for Web App should be disabled in Security Center
Custom domain use in Web App should be enabled in Security Center
Use latest DotNet version in Web App should be enabled in Security Center
Use latest Node js version in Web App should be enabled in Security Center
Monitoring agent health issues should be resolved on virtual machines
Disk encryption should be applied on your Virtual Machines
IP restrictions for Web App should be configured
Custom domains should be used for Web application
Latest supported .NET framework version should be used for Web Application
Web Sockets should be disabled for Web Application
IP restrictions for Function App should be configured
Custom domains should be used for Function App
Web Sockets should be disabled for function Application
All resources should not be allowed to access your application
Virtual Machines should be rebooted after system updates
Latest supported Node.js version should be used for Web Application
Application protection should be finalized
OS version should be updated

Policy Templates Deprecated in 5.2.0

The following Policy Templates for Azure are deprecated in Skyhigh CASB 5.2.0.

Policy Name	Comments	Web Link
Unencrypted activity logs in storage account	As par Azure, post-June 2017: Storage Service Encryption is enabled by default and cannot be disabled. Also, as part of latest CIS benchmark 1.1.0, the control " 3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted. Hence deprecating the policy	https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
Storage Service Encryption for Storage Accounts	As par Azure, post-June 2017: Storage Service Encryption is enabled by default and cannot be disabled. Also, as part of latest CIS benchmark 1.1.0, the control " 3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted. Hence deprecating the policy	https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
Latest OS Patch Updates Enabled for Virtual Machines	1:This policy depends on the "osProfile.windowsConfiguration.enableAutomaticUpdates" . As this property does not come for Linux OS ,this policy will not work for Linux OS VMs. 2:If you create a windows machine from Azure Portal "osProfile.windowsConfiguration.enableAutomaticUpdates" this property is by default true and cannot be updated after VM is created. 3:Even though the osProfile.windowsConfiguration.enableAutomaticUpdates is by default true for windows VMs, on Azure Portal, it shows an option to enable the Update Management for windows VMs which it should not. 4:Create a VM with Update Management disabled using Rest API, "osProfile.windowsConfiguration.enableAutomaticUpdates" will return false. Even after Enabling Update Management "osProfile.windowsConfiguration.enableAutomaticUpdates" will return false in data collection . Due to the limitations mentioned above, deprecating the policy	Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates. https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas#manage-operating-systems
Enable VM agent on Virtual Machines	We are dependent on Azure APIs to check the configuration check whether VM agent is installed in VM. The configuration parameter to check this is "provisionVMAgent". Even if agent is manually installed, the value of the parameter is returned as always false by the API. Also, as part of latest CIS benchmark 1.1.0, the control " 7.1 Ensure that VM agent is installed" is marked as deleted. Hence deprecating the policy	https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get