Renamed Cognitive Services to Azure AI (Azure#2780)

* Renamed Cognitive Services to Azure AI

* Bump change log

Author: BernieWhite

data/policy-ignore.json

@@ -105,14 +105,14 @@
       "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555"
     ],
     "reason": "Duplicate",
-    "value": "Azure.Cognitive.DisableLocalAuth"
+    "value": "Azure.AI.DisableLocalAuth"
   },
   {
     "policyDefinitionIds": [
       "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418"
     ],
     "reason": "Duplicate",
-    "value": "Azure.Cognitive.ManagedIdentity"
+    "value": "Azure.AI.ManagedIdentity"
   },
   {
     "policyDefinitionIds": [

docs/CHANGELOG-v1.md

@@ -32,6 +32,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+What's changed since pre-release v1.35.0-B0084:
+
+- General improvements:
+  - Renamed Cognitive Services rules to Azure AI by @BernieWhite.
+    [#2776](https://github.com/Azure/PSRule.Rules.Azure/issues/2776)
+    - Rules that were previously named `Azure.Cognitive.*` have been renamed to `Azure.AI.*`.
+    - For each rule that has been renamed, an alias has been added to reference the old name.
+
 ## v1.35.0-B0084 (pre-release)
 
 What's changed since pre-release v1.35.0-B0055:

docs/en/rules/Azure.Cognitive.DisableLocalAuth.md docs/en/rules/Azure.AI.DisableLocalAuth.md

@@ -1,32 +1,33 @@
 ---
-reviewed: 2023-10-01
+reviewed: 2024-03-26
 severity: Important
 pillar: Security
-category: Authentication
-resource: Cognitive Services
-online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.DisableLocalAuth/
+category: SE:05 Identity and access management
+resource: Azure AI
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AI.DisableLocalAuth/
 ---
 
-# Use identity-based authentication for Cognitive Services accounts
+# Use identity-based authentication for Azure AI accounts
 
 ## SYNOPSIS
 
-Authenticate requests to Cognitive Services with Azure AD identities.
+Authenticate requests to Azure AI services with Entra ID identities.
 
 ## DESCRIPTION
 
-To send requests to Cognitive Services endpoints, each request must include an authentication header.
-Cognitive Services endpoints supports authentication with keys or tokens.
-Using an Azure AD token instead of a cryptographic key has some additional security benefits.
+To send requests to Azure AI service endpoints (previously known as Cognitive Services),
+each request must include an authentication header.
+Azure AI service endpoints supports authentication with keys or access tokens.
+Using an Entra ID access token instead of a cryptographic key has some additional security benefits.
 
-With Azure AD authentication, the identity is validated against Azure AD identity provider.
-Using Azure AD identities centralizes identity management and auditing.
+With Entra ID authentication, an authorized identity is issued an OAuth2 access token issued by Entra ID.
+Using Entra ID as the identity provider centralizes identity management and auditing.
 
-Once you decide to use Azure AD authentication, you can disable authentication using keys.
+Once you decide to use Entra ID authentication, you can disable authentication using keys.
 
 ## RECOMMENDATION
 
-Consider only using Azure AD identities to authenticate requests to Cognitive Services accounts.
+Consider only using Entra ID identities to authenticate requests to Azure AI service accounts.
 Once configured, disable authentication based on access keys.
 
 ## EXAMPLES
@@ -95,15 +96,15 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 To address this issue at runtime use the following policies:
 
-- [Azure AI Services resources should have key access disabled (disable local authentication)](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json)
+- [Azure AI Services resources should have key access disabled (disable local authentication)](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json)
   `/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc`
-- [Configure Cognitive Services accounts to disable local authentication methods](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Modify.json)
+- [Configure Cognitive Services accounts to disable local authentication methods](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisableLocalAuth_Modify.json)
   `/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555`
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
-- [Authenticate with Azure Active Directory](https://learn.microsoft.com/azure/ai-services/authentication#authenticate-with-azure-active-directory)
-- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [Authenticate with Microsoft Entra ID](https://learn.microsoft.com/azure/ai-services/authentication#authenticate-with-microsoft-entra-id)
+- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)

docs/en/rules/Azure.Cognitive.ManagedIdentity.md docs/en/rules/Azure.AI.ManagedIdentity.md

@@ -1,22 +1,22 @@
 ---
-reviewed: 2024-01-03
+reviewed: 2024-03-26
 severity: Important
 pillar: Security
 category: SE:05 Identity and access management
-resource: Cognitive Services
-online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.ManagedIdentity/
+resource: Azure AI
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AI.ManagedIdentity/
 ---
 
-# Use Managed Identity for Cognitive Services accounts
+# Use Managed Identity for Azure AI services accounts
 
 ## SYNOPSIS
 
 Configure managed identities to access Azure resources.
 
 ## DESCRIPTION
 
-Cognitive Services must authenticate to Azure resources such storage accounts.
-To authenticate to Azure resources, Cognitive Services can use managed identities.
+Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such storage accounts.
+To authenticate to Azure resources, Azure AI can use managed identities.
 
 Using Azure managed identities have the following benefits:
 
@@ -27,7 +27,7 @@ Using Azure managed identities have the following benefits:
 
 ## RECOMMENDATION
 
-Consider configuring a managed identity for each Cognitive Services account.
+Consider configuring a managed identity for each Azure AI services account.
 
 ## EXAMPLES
 
@@ -97,13 +97,13 @@ resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 To address this issue at runtime use the following policies:
 
-- [Cognitive Services accounts should use a managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_ManagedIdentity_Audit.json)
+- [Cognitive Services accounts should use a managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/ManagedIdentity_Audit.json)
   `/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418`.
 
 ## NOTES
 
-Configuration of additional Azure resources is not required for all Cognitive Services.
-This rule will run for the following Cognitive Services:
+Configuration of additional Azure resources is not required for all Azure AI services.
+This rule will run for the following Azure AI services:
 
 - `TextAnalytics` - Language service.
 

docs/en/rules/Azure.Cognitive.PrivateEndpoints.md docs/en/rules/Azure.AI.PrivateEndpoints.md

@@ -1,32 +1,32 @@
 ---
-reviewed: 2022-07-26
+reviewed: 2024-03-26
 severity: Important
 pillar: Security
-category: Data flow
-resource: Cognitive Services
-online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.PrivateEndpoints/
+category: SE:06 Network controls
+resource: Azure AI
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AI.PrivateEndpoints/
 ---
 
-# Use Cognitive Service Private Endpoints
+# Use Azure AI services Private Endpoints
 
 ## SYNOPSIS
 
-Use Private Endpoints to access Cognitive Services accounts.
+Use Private Endpoints to access Azure AI services accounts.
 
 ## DESCRIPTION
 
-By default, a public endpoint is enabled for Cognitive Services accounts.
+By default, a public endpoint is enabled for Azure AI services accounts (previously known as Cognitive Services).
 The public endpoint is used for all access except for requests that use a Private Endpoint.
 Access through the public endpoint can be disabled or restricted to authorized virtual networks.
 
 Data exfiltration is an attack where an malicious actor does an unauthorized data transfer.
 Private Endpoints help prevent data exfiltration by an internal or external malicious actor.
 They do this by providing clear separation between public and private endpoints.
-As a result, broad access to public endpoints which could be operated by a malicious actor are not required.
+As a result, broad access to public endpoints which could be operated by a malicious actor is not required.
 
 ## RECOMMENDATION
 
-Consider accessing Cognitive Services accounts by Private Endpoints and disabling public endpoints.
+Consider accessing Azure AI services accounts by Private Endpoints and disabling public endpoints.
 
 ## EXAMPLES
 
@@ -92,7 +92,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 ## LINKS
 
-- [Traffic flow security in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-flow#data-exfiltration)
-- [Configure Azure Cognitive Services virtual networks](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-virtual-networks)
-- [Azure Policy built-in policy definitions for Azure Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/policy-reference)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
+- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)

docs/en/rules/Azure.Cognitive.PublicAccess.md docs/en/rules/Azure.AI.PublicAccess.md

@@ -1,29 +1,29 @@
 ---
-reviewed: 2022-07-26
+reviewed: 2024-03-26
 severity: Important
 pillar: Security
-category: Application endpoints
-resource: Cognitive Services
-online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.PublicAccess/
+category: SE:06 Network controls
+resource: Azure AI
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AI.PublicAccess/
 ---
 
-# Restrict Cognitive Service endpoints
+# Restrict Azure AI service endpoints
 
 ## SYNOPSIS
 
-Restrict access of Cognitive Services accounts to authorized virtual networks.
+Restrict access of Azure AI services to authorized virtual networks.
 
 ## DESCRIPTION
 
-By default, public network access is enabled for a Cognitive Service account.
+By default, public network access is enabled for a Azure AI service accounts (previously known as Cognitive Services).
 Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints.
 When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated.
 
 Configure service endpoints and private links where appropriate.
 
 ## RECOMMENDATION
 
-Consider configuring network access restrictions for Cognitive Services accounts.
+Consider configuring network access restrictions for Azure AI service accounts.
 Limit access to accounts so that access is permitted from authorized virtual networks only.
 
 ## EXAMPLES
@@ -92,7 +92,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 ## LINKS
 
-- [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints#public-endpoints)
-- [Configure Azure Cognitive Services virtual networks](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-virtual-networks)
-- [Azure Policy built-in policy definitions for Azure Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/policy-reference)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Configure Azure AI services virtual networks](https://learn.microsoft.com/azure/ai-services/cognitive-services-virtual-networks)
+- [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts)

src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml src/PSRule.Rules.Azure/rules/Azure.AI.Rule.yaml

@@ -8,18 +8,20 @@
 #region Rules
 
 ---
-# Synopsis: Restrict access to Cognitive Services accounts to authorized virtual networks.
+# Synopsis: Restrict access of Azure AI services to authorized virtual networks.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Rule
 metadata:
-  name: Azure.Cognitive.PublicAccess
+  name: Azure.AI.PublicAccess
   ref: AZR-000280
+  alias:
+    - Azure.Cognitive.PublicAccess
   tags:
     release: GA
     ruleSet: 2022_09
-    Azure.WAF/pillar: 'Security'
+    Azure.WAF/pillar: Security
   labels:
-    Azure.MCSB.v1/control: 'NS-2'
+    Azure.MCSB.v1/control: NS-2
 spec:
   type:
   - Microsoft.CognitiveServices/accounts
@@ -35,8 +37,10 @@ spec:
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Rule
 metadata:
-  name: Azure.Cognitive.ManagedIdentity
+  name: Azure.AI.ManagedIdentity
   ref: AZR-000281
+  alias:
+    - Azure.Cognitive.ManagedIdentity
   tags:
     release: GA
     ruleSet: 2022_09
@@ -60,12 +64,14 @@ spec:
     - SystemAssigned, UserAssigned
 
 ---
-# Synopsis: Authenticate requests to Cognitive Services with Azure AD identities.
+# Synopsis: Authenticate requests to Azure AI services with Entra ID identities.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Rule
 metadata:
-  name: Azure.Cognitive.DisableLocalAuth
+  name: Azure.AI.DisableLocalAuth
   ref: AZR-000282
+  alias:
+    - Azure.Cognitive.DisableLocalAuth
   tags:
     release: GA
     ruleSet: 2022_09
@@ -83,12 +89,14 @@ spec:
     equals: true
 
 ---
-# Synopsis: Use Private Endpoints to access Cognitive Services accounts.
+# Synopsis: Use Private Endpoints to access Azure AI services accounts.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Rule
 metadata:
-  name: Azure.Cognitive.PrivateEndpoints
+  name: Azure.AI.PrivateEndpoints
   ref: AZR-000283
+  alias:
+    - Azure.Cognitive.PrivateEndpoints
   tags:
     release: GA
     ruleSet: 2022_09