BIO has the policy "Azure Machine Learning workspaces should be encrypted with a customer-managed key" enabled by default. https://github.com/Azure/Bio-Compliancy/blob/main/ARM/BIO-azuredeploy.json#L1981
When you comply with this policy, Azure creates an MS-managed resource group with some resources in your subscription: CosmosDB, Search, Storage, vnet. https://learn.microsoft.com/en-us/azure/machine-learning/concept-customer-managed-keys?view=azureml-api-2#customer-managed-keys
These MS-managed resources trigger multiple new BIO-noncompliances. One example:
"Audit diagnostic setting for selected resource types" → the Azure Cosmos DB account is non-compliant.
You cannot place a policy exemption on these resources, because MS also places a Deny Assignment on the resource group. This blocks any modifications, including exemptions.
Meaning, if you want to be compliant, you have to be non-compliant. 🤡
Can you reconsider the default setting for this policy?
Note 1: The ASC initiative (Azure Security Center, aka Defender) includes the same policy, but ASC has it set to Disabled by default.
Note 2: These CMK resources are quite expensive: in their base configuration, they cost around €700 per month.
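Until the initiative default changes, the effect of a single policy inside an initiative can be overridden when the initiative is assigned, without editing the initiative itself. The following Bicep is an added example and is not code from the Bio-Compliancy repository; the initiative ID, the assignment name and the parameter name `<aml-cmk-effect-parameter-name>` are placeholders, and it assumes the BIO initiative exposes the effect of the AML customer-managed-key policy as an initiative parameter (check the `parameters` section of BIO-azuredeploy.json for the real name).

```bicep
// Added example (not from the Bio-Compliancy repo): assign the BIO initiative at
// subscription scope and set the effect of the AML customer-managed-key policy to
// Disabled at assignment time, mirroring the ASC/Defender default, so the
// MS-managed CMK resource group is never created and the follow-on
// non-compliances do not appear.
targetScope = 'subscription'

// Placeholder: resource ID of the BIO initiative (policy set definition) as
// deployed from BIO-azuredeploy.json in your own tenant.
param bioInitiativeId string = '/providers/Microsoft.Authorization/policySetDefinitions/<BIO-INITIATIVE-ID>'

// 'Audit' is what BIO currently enables by default; 'Disabled' matches the
// ASC/Defender initiative. The allowed values of the built-in definition are
// assumed to be Audit, Deny and Disabled.
@allowed(['Audit', 'Deny', 'Disabled'])
param amlCmkEffect string = 'Disabled'

resource bioAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'bio-compliancy' // placeholder assignment name
  properties: {
    displayName: 'BIO Compliancy (AML CMK effect overridden at assignment)'
    policyDefinitionId: bioInitiativeId
    // Assignment-time parameter override: only the one effect is changed, every
    // other policy in the initiative keeps its default from the template.
    parameters: {
      '<aml-cmk-effect-parameter-name>': {
        value: amlCmkEffect
      }
    }
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file <file>.bicep`; the override is visible afterwards on the assignment's Parameters tab in the portal. If the initiative does not expose that effect as a parameter, the override is not possible this way, which is exactly why changing the template default (as the issue asks) is the cleaner fix.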