Updated documents, from docs.microsoft.com - to Learn. (#350)

Updated documents, from docs.microsoft.com - to Learn.
This commit is contained in:
Luke Murray 2023-02-07 12:26:03 +13:00 committed by GitHub
Parent e44c7eabf8
Commit 0fa01e8b7b
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
56 files changed: 398 additions and 398 deletions

View file

@ -2,14 +2,14 @@
## Introduction
The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using [NIST SP 800-53 Rev. 4](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Canada Federal PBMM](https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm) Regulatory Compliance Policy Sets.
The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on [Cloud Adoption Framework for Azure](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using [NIST SP 800-53 Rev. 4](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4) and [Canada Federal PBMM](https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm) Regulatory Compliance Policy Sets.
Architecture supported up to Treasury Board of Canada Secretariat (TBS) Cloud Profile 3 - Cloud Only Applications. This profile is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with [characteristics](https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md):
* Cloud-based services hosting sensitive (up to Protected B) information
* No direct system to system network interconnections required with GC data centers
> This implementation is specific to **Canadian Public Sector departments**. Please see [Implement Cloud Adoption Framework enterprise-scale landing zones in Azure](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/implementation) if you are looking for implementation for other industries or customers.
> This implementation is specific to **Canadian Public Sector departments**. Please see [Implement Cloud Adoption Framework enterprise-scale landing zones in Azure](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/implementation) if you are looking for implementation for other industries or customers.
## Architecture
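Review bot: verify that each rewritten link still resolves to the same page on learn.microsoft.com rather than to a redirect or a retired page, especially the two policy-sample links on the second line of the hunk (`/azure/governance/policy/samples/nist-sp-800-53-r4` and `/azure/governance/policy/samples/canada-federal-pbmm`), since the ITSG-33 compliance statement in that sentence depends on them. With 56 files touched, a link-check step in CI would cover this more reliably than a manual pass.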
@ -54,7 +54,7 @@ multiple types of workloads including App Dev and Data & AI.
* Automatic approval for Canada Federal PBMM nor Authority to Operate (ATO). Customers must collect evidence, customize to meet their departmental requirements and submit for Authority to Operate based on their risk profile, requirements and process.
* Compliant on all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since majority of the Public Sector customers use Network Virtual Appliances such as Fortinet. Customers must review [Microsoft Defender for Cloud Regulatory Compliance dashboard](https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages) and apply appropriate exemptions.
* Compliant on all Azure Policies when the reference implementation is deployed. This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude. For example, using Azure Firewall is an Azure Policy that will be non-compliant since majority of the Public Sector customers use Network Virtual Appliances such as Fortinet. Customers must review [Microsoft Defender for Cloud Regulatory Compliance dashboard](https://learn.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages) and apply appropriate exemptions.
## Contributing
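Review bot: while this line is being rewritten, the wording "since majority of the Public Sector customers" is missing an article ("since the majority of Public Sector customers"), and "This is due to the shared responsibility of cloud and customers can choose the Azure Policies to exclude" runs two thoughts together; suggest "Because of the shared responsibility model, customers can choose which Azure Policies to exclude."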
@ -64,7 +64,7 @@ See [Contributing Reference Implementation](CONTRIBUTING.md) for information on
**November 11, 2021 onward**
> Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
> Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
>
> If you don't wish to send usage data to Microsoft, you can set the `customerUsageAttribution.enabled` setting to `false` in `config/telemetry.json`. Learn more in our [Azure DevOps Pipelines](docs/onboarding/azure-devops-pipelines.md#telemetry) onboarding guide.
>

View file

@ -4,7 +4,7 @@
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
## Reporting Security Issues
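Review bot: this link keeps the `/en-us/` locale segment (`https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)`) while the other rewritten links in this commit are locale-neutral (`https://learn.microsoft.com/azure/...`); the container-registry and AKS comments further down keep `/en-us/` as well. Dropping the locale lets the site serve the reader's language and keeps the style consistent. Also confirm this archived TechNet page still resolves under learn.microsoft.com, since `previous-versions` content is subject to retirement.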

View file

@ -56,7 +56,7 @@ resource app 'Microsoft.Web/sites@2021-02-01' = {
clientAffinityEnabled: true
siteConfig: {
// for Linux Apps Azure DNS private zones only works if Route All is enabled.
// https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
// https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
linuxFxVersion: 'DOCKER|mcr.microsoft.com/appsvc/staticsite:latest'
vnetRouteAllEnabled: true
use32BitWorkerProcess: false

View file

@ -58,7 +58,7 @@ resource app 'Microsoft.Web/sites@2020-06-01' = {
clientAffinityEnabled: true
siteConfig: {
// for Linux Apps Azure DNS private zones only works if Route All is enabled.
// https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
// https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones
vnetRouteAllEnabled: true
linuxFxVersion: stack

View file

@ -66,7 +66,7 @@ param tempKeyVaultName string = 'tmpkv${uniqueString(utcNow())}'
/*
Create a temporary key vault and key to setup CMK. These will be deleted at the end of deployment using deployment script.
See: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys#advanced-scenario-key-vault-firewall
See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys#advanced-scenario-key-vault-firewall
*/
module tempAkv '../../security/key-vault.bicep' = {
name: 'deploy-keyvault-temp'

View file

@ -118,7 +118,7 @@ module identity '../../iam/user-assigned-identity.bicep' = {
}
}
// assign permissions to identity per https://docs.microsoft.com/en-us/azure/aks/private-clusters#configure-private-dns-zone
// assign permissions to identity per https://learn.microsoft.com/en-us/azure/aks/private-clusters#configure-private-dns-zone
module rbacPrivateDnsZoneContributor '../../iam/resource/private-dns-zone-role-assignment-to-sp.bicep' = {
name: 'rbac-private-dns-zone-contributor-${name}'
scope: resourceGroup(privateDnsZoneSubscriptionId, privateZoneDnsResourceGroupName)

View file

@ -9,4 +9,4 @@
targetScope = 'managementGroup'
// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

View file

@ -9,4 +9,4 @@
targetScope = 'resourceGroup'
// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

View file

@ -9,4 +9,4 @@
targetScope = 'subscription'
// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution

View file

@ -9,4 +9,4 @@
targetScope = 'tenant'
// This is an empty deployment by design
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
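Review bot: this is the fourth telemetry stub (tenant, after managementGroup, resourceGroup and subscription) carrying the identical "empty deployment by design" comment and reference URL, so the next documentation URL change will again require four coordinated edits. Consider pointing these comments at a single maintained location, for example the Telemetry section of the archetype authoring guide, which already carries this reference.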

View file

@ -1,6 +1,6 @@
# Archetype Authoring Guide
[Azure landing zones](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) are the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. Therefore, deploying an archetype will result in an Azure landing zone that can be enhanced, scaled and refined based on business need.
[Azure landing zones](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) are the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. Therefore, deploying an archetype will result in an Azure landing zone that can be enhanced, scaled and refined based on business need.
This reference implementation provides a number of archetypes that can be used as-is or customized further to suit business needs. Archetypes are self-contained Bicep deployment templates that are used to configure multiple subscriptions. Archetypes provide the ability to configure new subscriptions with use case specific architecture in a repeatable method. One archetype can be used to configure many subscriptions.
@ -233,7 +233,7 @@ module subScaffold '../scaffold-subscription.bicep' = {
## JSON Schema for deployment parameters
Spoke archetypes are deployed to a subscription using a JSON parameters file. This parameters file defines all configuration expected by the archetype in order to deploy and configure a subscription. An archetype can have an arbitrary number of parameters (up to a [maximum of 256 parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/best-practices#template-limits)).
Spoke archetypes are deployed to a subscription using a JSON parameters file. This parameters file defines all configuration expected by the archetype in order to deploy and configure a subscription. An archetype can have an arbitrary number of parameters (up to a [maximum of 256 parameters](https://learn.microsoft.com/azure/azure-resource-manager/templates/best-practices#template-limits)).
While these parameters offer customization benefits, they incur overhead when defining input values and correlating them to the resources that are deployed. To keep all related parameters together and to make them contextual, we've chosen to use `object` parameter type. This type can contain simple and complex nested types and offers greater flexibility when defining many related parameters together. For example:
@ -270,7 +270,7 @@ A complex object parameter used for configuring Service Health alerts:
}
```
Azure Resource Manager templates (and by extension Bicep) does not support parameter validation for `object` type. Therefore, it's not possible to depend on Azure Resource Manager to perform pre-deployment validation. The input validation supported for parameters are described in [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameters).
Azure Resource Manager templates (and by extension Bicep) does not support parameter validation for `object` type. Therefore, it's not possible to depend on Azure Resource Manager to perform pre-deployment validation. The input validation supported for parameters are described in [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/parameters).
As a result, we could either
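Review bot: since the line is being rewritten anyway, fix the subject-verb agreement on it: "Azure Resource Manager templates (and by extension Bicep) does not support" should be "do not support", and "The input validation supported for parameters are described" should be "is described".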
@ -286,7 +286,7 @@ We chose to check the input parameters prior to deployment to identify misconfig
## Telemetry
This reference implementation is instrumented to track deployment telemetry per module through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). When a new archetype is developed, the telemetry settings must be updated to reference the tracking id. Telemetry configuration is located at [`config/telemetry.json`](../../config/telemetry.json).
This reference implementation is instrumented to track deployment telemetry per module through [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). When a new archetype is developed, the telemetry settings must be updated to reference the tracking id. Telemetry configuration is located at [`config/telemetry.json`](../../config/telemetry.json).
To support per-module tracking, we've split each archetype to be tracked independently. At the moment, a single tracking id is used for all modules and can be modified in the future when required.
@ -321,7 +321,7 @@ To support per-module tracking, we've split each archetype to be tracked indepen
```bicep
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
@ -335,7 +335,7 @@ module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-u
> Use the [Onboarding Guide for Azure DevOps](../onboarding/azure-devops-pipelines.md) to configure the `subscription` pipeline. This pipeline will deploy workload archetypes such as Generic Subscription, Machine Learning and Healthcare.
Azure Resource Manager (ARM) parameters files provide deployment information to setup subscriptions. Deployment information can include `location`, `resource group names`, `resource names` and `networking`. You can find more information in [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files) on ARM parameter files.
Azure Resource Manager (ARM) parameters files provide deployment information to setup subscriptions. Deployment information can include `location`, `resource group names`, `resource names` and `networking`. You can find more information in [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/parameter-files) on ARM parameter files.
These parameter files are located in [config/subscription](../../config/subscriptions) folder. This folder is configurable in `common.yml` and you can override in environment configuration files using the `subscriptionsPathFromRoot` setting. By default it is set to `config/subscriptions`.
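Review bot: the trailing context line has a link whose text and target disagree: `[config/subscription](../../config/subscriptions)`, while the same paragraph states the default is `config/subscriptions`; the link text should read `config/subscriptions`. On the changed line, "to setup subscriptions" should be "to set up subscriptions" (verb form).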

View file

@ -92,15 +92,15 @@ Reference implementation uses parameter files with `object` parameters to consol
### Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**
### Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
### Deployment Scenarios
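Review bot: the bolded context sentence "does not use `CanNotDelete` nor `ReadOnly` locks" should read "or `ReadOnly`" ("nor" pairs with "neither"); the identical sentence recurs in the second archetype document in this commit. Because both lock types are deliberately left out of the deployment, a one-line pointer to where a customer would add a `CanNotDelete` lock in the templates would make the "You may customize the deployment templates" sentence actionable.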

View file

@ -78,19 +78,19 @@ Subscription can be moved to a target Management Group through Azure ARM Templat
| Category | Service | Configuration | Reference |
| --- | --- | --- | --- |
| Storage | Azure Data Lake Gen 2 - Cloud storage enabling big data analytics. | Hierarchical namespace enabled. Optional – Customer Managed Keys. | [Azure Docs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-introduction)
| Compute | Azure Databricks - Managed Spark cloud platform for data analytics and data science | Premium tier; Secured Cluster Connectivity enabled with load balancer for egress. | [Azure Docs](https://docs.microsoft.com/azure/databricks/scenarios/what-is-azure-databricks) |
| Compute | Azure Synapse - End-to-end cloud analytics and data warehousing platform. | Disabled public network access by default. Managed Private Endpoints for Compute & Synapse Studio. Optional – Customer Managed Keys. | [Managed Private Endpoints](https://docs.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints) / [Connect to Synapse Studio with private links](https://docs.microsoft.com/azure/synapse-analytics/security/synapse-private-link-hubs)
| Compute | FHIR API - Fast Healthcare Interoperability Resources for healthcare medical exchange. | Private endpoint by default. | [Azure Docs](https://docs.microsoft.com/azure/healthcare-apis/fhir/) |
| Compute | Azure Stream Analytics | Real-time analytics and event-processing engine for process high volumes of fast streaming data from multiple sources simultaneously. | [Azure Docs](https://docs.microsoft.com/azure/stream-analytics/stream-analytics-introduction)
| Compute | Azure Function App - Serverless computing service | Virtual Network Integration for accessing resources in virtual network. | [Azure Docs](https://docs.microsoft.com/azure/azure-functions/functions-overview)
| Ingestion | Azure Data Factory - Managed cloud service for data integration and orchestration | Managed virtual network. Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/data-factory/introduction) |
| Ingestion | Event Hub - Data streaming platform and event ingestion service | N/A | [Azure Docs](https://docs.microsoft.com/azure/event-hubs/event-hubs-about)
| Machine learning and deployment | Azure Machine Learning - Cloud platform for end-to-end machine learning workflows | Optional – Customer Managed Keys, High Business Impact Workspace | [Azure Docs](https://docs.microsoft.com/azure/machine-learning/overview-what-is-azure-ml) |
| Machine learning and deployment | Azure Container Registry - Managed private Docker cloud registry | Premium SKU. Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/container-registry/container-registry-intro) |
| SQL Storage | Azure SQL Database - Fully managed cloud database engine | Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/azure-sql/database/sql-database-paas-overview) |
| Key Management | Azure Key Vault - Centralized cloud storage of secrets and keys | Private Endpoint | [Azure Docs](https://docs.microsoft.com/azure/key-vault/general/overview)
| Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview)
| Storage | Azure Data Lake Gen 2 - Cloud storage enabling big data analytics. | Hierarchical namespace enabled. Optional – Customer Managed Keys. | [Azure Docs](https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-introduction)
| Compute | Azure Databricks - Managed Spark cloud platform for data analytics and data science | Premium tier; Secured Cluster Connectivity enabled with load balancer for egress. | [Azure Docs](https://learn.microsoft.com/azure/databricks/scenarios/what-is-azure-databricks) |
| Compute | Azure Synapse - End-to-end cloud analytics and data warehousing platform. | Disabled public network access by default. Managed Private Endpoints for Compute & Synapse Studio. Optional – Customer Managed Keys. | [Managed Private Endpoints](https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints) / [Connect to Synapse Studio with private links](https://learn.microsoft.com/azure/synapse-analytics/security/synapse-private-link-hubs)
| Compute | FHIR API - Fast Healthcare Interoperability Resources for healthcare medical exchange. | Private endpoint by default. | [Azure Docs](https://learn.microsoft.com/azure/healthcare-apis/fhir/) |
| Compute | Azure Stream Analytics | Real-time analytics and event-processing engine for process high volumes of fast streaming data from multiple sources simultaneously. | [Azure Docs](https://learn.microsoft.com/azure/stream-analytics/stream-analytics-introduction)
| Compute | Azure Function App - Serverless computing service | Virtual Network Integration for accessing resources in virtual network. | [Azure Docs](https://learn.microsoft.com/azure/azure-functions/functions-overview)
| Ingestion | Azure Data Factory - Managed cloud service for data integration and orchestration | Managed virtual network. Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/data-factory/introduction) |
| Ingestion | Event Hub - Data streaming platform and event ingestion service | N/A | [Azure Docs](https://learn.microsoft.com/azure/event-hubs/event-hubs-about)
| Machine learning and deployment | Azure Machine Learning - Cloud platform for end-to-end machine learning workflows | Optional – Customer Managed Keys, High Business Impact Workspace | [Azure Docs](https://learn.microsoft.com/azure/machine-learning/overview-what-is-azure-ml) |
| Machine learning and deployment | Azure Container Registry - Managed private Docker cloud registry | Premium SKU. Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/container-registry/container-registry-intro) |
| SQL Storage | Azure SQL Database - Fully managed cloud database engine | Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/azure-sql/database/sql-database-paas-overview) |
| Key Management | Azure Key Vault - Centralized cloud storage of secrets and keys | Private Endpoint | [Azure Docs](https://learn.microsoft.com/azure/key-vault/general/overview)
| Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://learn.microsoft.com/azure/azure-monitor/app/app-insights-overview)
The intended cloud service workflows and data movements for this archetype include:
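Review bot: the Azure Stream Analytics row is misaligned with the rest of the table: its service description ("Real-time analytics and event-processing engine ...") sits in the Configuration column, so the Service cell is just the name and no configuration is stated; "engine for process high volumes" should also be "engine for processing high volumes". Several rows (Storage, Synapse, Stream Analytics, Function App, Event Hub, Key Vault, Application Insights) lack the closing `|`; most renderers tolerate this, but consistent row termination avoids surprises elsewhere. Since every row was rewritten anyway, this is the moment to fix both.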
@ -253,15 +253,15 @@ Reference implementation uses parameter files with `object` parameters to consol
### Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**
### Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
### Deployment Scenarios

View file

@ -42,7 +42,7 @@ The recommended network design achieves the purpose of hosting [**Protected B**
Application Gateway with WAFv2 will be used for ingress traffic and application delivery. Application Gateways will be placed on the shared Public Access Zone (a subnet in the Hub), where public IPs will be protected with Azure DDoS (either Basic or Standard).
Other possible topologies are explained in [Azure documentation](https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway) and we recommend reviewing to ensure the topology aligns to your department's network design.
Other possible topologies are explained in [Azure documentation](https://learn.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway) and we recommend reviewing to ensure the topology aligns to your department's network design.
There will be at least one shared Application Gateway instance and multiple dedicated Application Gateways for those line of businesses that require their own deployment (i.e. performance or cost allocation). All egress traffic from the spokes will be routed to the hub's edge firewall, inspected, and authorized/denied based on network (IP/Port) or application rules (FQDNs).
@ -62,9 +62,9 @@ Network design will require 3 IP blocks:
## Hub Virtual Network
* Azure Firewall Premium instance configured with
* Either [forced tunneling](https://docs.microsoft.com/azure/firewall/forced-tunneling) (requires the next hop as another device such as NVA, on-premises or another Azure Firewall at the edge) or without forced tunneling. When forced tunneling is turned on, all management traffic will flow through the separate `AzureFirewallManagementSubnet` subnet.
* [DNS Proxy](https://docs.microsoft.com/azure/firewall/dns-details)
* [Threat Intelligence in Alert mode](https://docs.microsoft.com/azure/firewall/threat-intel)
* Either [forced tunneling](https://learn.microsoft.com/azure/firewall/forced-tunneling) (requires the next hop as another device such as NVA, on-premises or another Azure Firewall at the edge) or without forced tunneling. When forced tunneling is turned on, all management traffic will flow through the separate `AzureFirewallManagementSubnet` subnet.
* [DNS Proxy](https://learn.microsoft.com/azure/firewall/dns-details)
* [Threat Intelligence in Alert mode](https://learn.microsoft.com/azure/firewall/threat-intel)
* IDPS in Alert mode
* Azure Firewall Policy
* Base firewall rules to support spoke archetypes
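Review bot: the list states Alert mode for both Threat Intelligence and IDPS but gives no reason for not using Deny mode; a sentence on the rationale (for example, tuning on observed traffic before enforcing) and on what a customer must change to enforce would help readers who need blocking rather than logging. The sub-items under "Azure Firewall Premium instance configured with" also appear at the same level as their parent in this hunk; check the indentation survived the edit.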
@ -88,7 +88,7 @@ To simplify management and compliance, all public-facing web servers, reverse pr
Application Gateway can have either public or private frontends (also with [RFC 6598][rfc6598] space) and it requires a full subnet for it's instances.
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing ([other example topologies](https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)).
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing ([other example topologies](https://learn.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)).
## User Defined Routes
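Review bot: the unchanged context line "it requires a full subnet for it's instances" (and "Azure Firewall forwards it's logs" in the next hunk's header) uses the contraction where the possessive "its" is meant; since this commit already rewrites the paragraph, fixing `it's` to `its` here is cheap, and the identical sentence recurs in the second file's `@ -84,7 +84,7 @@` hunk. The migrated link also carries the fragment `#application-gateway-before-firewall`; confirm that anchor still resolves on learn.microsoft.com rather than relying on the docs-to-learn redirect to preserve it.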
@ -193,7 +193,7 @@ Azure Firewall forwards it's logs to Log Analytics Workspace. This integration
![Diagnostic Settings](../media/architecture/hubnetwork-azfw/azfw-diagnostic-settings.jpg)
Once Log Analytics Workspace has collected logs, [Azure Monitor Workbook for Azure Firewall](https://docs.microsoft.com/azure/firewall/firewall-workbook) can be used to monitor traffic flows.
Once Log Analytics Workspace has collected logs, [Azure Monitor Workbook for Azure Firewall](https://learn.microsoft.com/azure/firewall/firewall-workbook) can be used to monitor traffic flows.
Below are sample queries that can also be used to query Log Analytics Workspace directly.
@ -225,9 +225,9 @@ AzureDiagnostics
[cloudUsageProfiles]: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md
[rfc1918]: https://tools.ietf.org/html/rfc1918
[rfc6598]: https://tools.ietf.org/html/rfc6598
[nsgAzureLoadBalancer]: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#allowazureloadbalancerinbound
[nsgAzureBastion]: https://docs.microsoft.com/azure/bastion/bastion-nsg#apply
[nsgAppGatewayV2]: https://docs.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups
[nsgAzureLoadBalancer]: https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#allowazureloadbalancerinbound
[nsgAzureBastion]: https://learn.microsoft.com/azure/bastion/bastion-nsg#apply
[nsgAppGatewayV2]: https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups
## Azure Deployment
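Review bot: the `[rfc1918]` and `[rfc6598]` definitions on the unchanged context lines still point at tools.ietf.org; if the goal of this pass is to retire superseded hosts, consider whether those should be migrated (for example to datatracker.ietf.org) in the same change. This four-line block of link definitions is also repeated verbatim in the second file's `@ -622,7 +622,7 @@` hunk, so keep the two copies in sync.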
@ -253,7 +253,7 @@ Reference implementation uses parameter files with `object` parameters to consol
### Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion at:
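Review bot: the sentence "The lock overrides any permissions the user might have" on the new line overstates the control. A `CanNotDelete` lock blocks delete operations for everyone, but a principal holding `Microsoft.Authorization/locks/*` (Owner or User Access Administrator) can remove the lock first, so it guards against accidents, not against privileged users; a short qualifier such as "users with permission to manage locks can still remove them" would set the right expectation. The same paragraph is repeated in the other three files' Delete Locks hunks.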
@ -264,9 +264,9 @@ By default, this archetype deploys `CanNotDelete` lock to prevent accidental del
### Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
### Deployment Scenarios for Azure Firewall Policy

View file

@ -41,7 +41,7 @@ The recommended network design achieves the purpose of hosting [**Protected B**
Application Gateway with WAFv2 will be used for ingress traffic and application delivery. Application Gateways will be placed on the shared Public Access Zone (a subnet in the Hub), where public IPs will be protected with Azure DDoS (either Basic or Standard).
Other possible topologies are explained in [Azure documentation](https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway) and we recommend reviewing to ensure the topology aligns to your department's network design.
Other possible topologies are explained in [Azure documentation](https://learn.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway) and we recommend reviewing to ensure the topology aligns to your department's network design.
There will be at least one shared Application Gateway instance and multiple dedicated Application Gateways for those line of businesses that require their own deployment (i.e. performance or cost allocation). All egress traffic from the spokes will be routed to the hub's edge firewall, inspected, and authorized/denied based on network (IP/Port) or application rules (FQDNs).
@ -84,7 +84,7 @@ To simplify management and compliance, all public-facing web servers, reverse pr
Application Gateway can have either public or private frontends (also with [RFC 6598][rfc6598] space) and it requires a full subnet for it's instances.
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing ([other example topologies](https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)).
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing ([other example topologies](https://learn.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)).
## User Defined Routes
@ -271,7 +271,7 @@ Reference implementation uses parameter files with `object` parameters to consol
### Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion at:
@ -282,9 +282,9 @@ By default, this archetype deploys `CanNotDelete` lock to prevent accidental del
### Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
### Deployment Scenarios
@ -622,7 +622,7 @@ This example configures:
[cloudUsageProfiles]: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md
[rfc1918]: https://tools.ietf.org/html/rfc1918
[rfc6598]: https://tools.ietf.org/html/rfc6598
[nsgAzureLoadBalancer]: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#allowazureloadbalancerinbound
[nsgAzureBastion]: https://docs.microsoft.com/azure/bastion/bastion-nsg#apply
[nsgAppGatewayV2]: https://docs.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups
[nsgAzureLoadBalancer]: https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#allowazureloadbalancerinbound
[nsgAzureBastion]: https://learn.microsoft.com/azure/bastion/bastion-nsg#apply
[nsgAppGatewayV2]: https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups
[azmarketplacefortinet]: https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/fortinet.fortigatengfw-high-availability/product/%7B%22displayName%22%3A%22FortiGate%20NGFW%20for%20Azure%20LB%20HA%20with%20ARM%20template%22%2C%22itemDisplayName%22%3A%22FortiGate%20NGFW%20for%20Azure%20LB%20HA%20with%20ARM%20template%22%2C%22id%22%3A%22fortinet.fortigatengfw-high-availability%22%2C%22offerId%22%3A%22fortigatengfw-high-availability%22%2C%22publisherId%22%3A%22fortinet%22%2C%22publisherDisplayName%22%3A%22Fortinet%22%2C%22summary%22%3A%22FortiGate%20NGFW%20improves%20on%20the%20Azure%20firewall%20with%20complete%20data%2C%20application%20and%20network%20security%22%2C%22longSummary%22%3A%22Automated%20deployment%20for%20the%20combined%20use%20of%20Azure%20LB%20and%20NGFW%20configurations%20(2%20FortiGate%20virtual%20machines)%20to%20support%20your%20Enterprise%20Cloud%20workload%22%2C%22description%22%3A%22%3Cp%3EThe%20FortiGate%20Next-Generation%20Firewall%20combines%20a%20comprehensive%20suite%20of%20powerful%20security%20tools%20into%20a%20high-performance%20virtual%20device.%20FortiGate%20NGFWs%20can%20be%20combined%20with%20other%20Fortinet%20solutions%20to%20form%20a%20unified%20security%20fabric%20to%20secure%20your%20network%2C%20users%2C%20data%20and%20applications%20across%20clouds%20and%20enterprises.%3Cbr%3E%3C%2Fp%3E%3Cp%20class%3D%5C%22x_xmsonormal%5C%22%3EThe%20FortiGate%20NGFW%20includes%20application%20aware%20network%20security%2C%20secure%20SD-WAN%2C%20virus%20protection%2C%20IPS%2C%20Web%20filtering%20and%20VPN%20along%20with%20advanced%20features%20such%20as%20an%20extreme%20threat%20database%2C%20vulnerability%20management%20and%20flow-based%20inspection%20work%20in%20concert%20to%20identify%20and%20mitigate%20the%20latest%20complex%20security%20threats.%20The%20security-hardened%20FortiOS%20operating%20system%20is%20purpose-built%20for%20inspection%20and%20identification%20of%20malware.%3C%2Fp%3E%3Cp%20class%3D
%5C%22x_xmsonormal%5C%22%3EDesigned%20to%20ensure%20easy%2C%20consistent%20deployment%20for%20the%20most%20ef
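Review bot: the `[azmarketplacefortinet]` definition on the unchanged context line embeds the entire URL-encoded product description in the portal deep link and ends mid-token (`...most%20ef`), so it is not possible to tell from this view whether the definition is intact in the file. A short marketplace listing URL would be easier to review and maintain; at minimum confirm the full URL survived the edit.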

View file

@ -60,15 +60,15 @@ Reference implementation uses parameter files with `object` parameters to consol
## Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion on all resource groups it creates.
## Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
## Deployment Scenarios

View file

@ -78,17 +78,17 @@ Subscription can be moved to a target Management Group through Azure ARM Templat
| Category | Service | Configuration | Reference |
| --- | --- | --- | --- |
| Storage | Azure Data Lake Gen 2 - Cloud storage enabling big data analytics | Hierarchical namespace enabled. Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-introduction)
| Compute | Azure Databricks - Managed Spark cloud platform for data analytics and data science | Premium tier; Secured Cluster Connectivity enabled with load balancer for egress | [Azure Docs](https://docs.microsoft.com/azure/databricks/scenarios/what-is-azure-databricks) |
| Ingestion | Azure Data Factory - Managed cloud service for data integration and orchestration | Managed virtual network. Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/data-factory/introduction) |
| Machine learning and deployment | Azure Machine Learning - Cloud platform for end-to-end machine learning workflows | Optional – Customer Managed Keys, High Business Impact Workspace | [Azure Docs](https://docs.microsoft.com/azure/machine-learning/overview-what-is-azure-ml) |
| Machine learning and deployment | Azure Container Registry - Managed private Docker cloud registry | Premium SKU. Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/container-registry/container-registry-intro) |
| Machine learning and deployment | Azure Kubernetes Service - Cloud hosted Kubernetes service | Private cluster enabled; Managed identity type; Network plugin set to kubenet. Optional – Customer Managed Keys for Managed Disks | [Azure Docs](https://docs.microsoft.com/azure/aks/intro-kubernetes) |
| Machine learning and deployment | Azure App Service on Linux (container) - Cloud hosted web app for model deployment | With App Service Plan SKU default as Premium 1 V2. Virtual network integration | [Azure Docs](https://docs.microsoft.com/en-us/azure/app-service/overview) |
| SQL Storage | Azure SQL Managed Instance - Cloud database storage enabling lift and shift on-premise application migrations | Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)
| SQL Storage | Azure SQL Database - Fully managed cloud database engine | Optional – Customer Managed Keys | [Azure Docs](https://docs.microsoft.com/azure/azure-sql/database/sql-database-paas-overview) |
| Key Management | Azure Key Vault - Centralized cloud storage of secrets and keys | Private Endpoint | [Azure Docs](https://docs.microsoft.com/azure/key-vault/general/overview)
| Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview)
| Storage | Azure Data Lake Gen 2 - Cloud storage enabling big data analytics | Hierarchical namespace enabled. Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-introduction)
| Compute | Azure Databricks - Managed Spark cloud platform for data analytics and data science | Premium tier; Secured Cluster Connectivity enabled with load balancer for egress | [Azure Docs](https://learn.microsoft.com/azure/databricks/scenarios/what-is-azure-databricks) |
| Ingestion | Azure Data Factory - Managed cloud service for data integration and orchestration | Managed virtual network. Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/data-factory/introduction) |
| Machine learning and deployment | Azure Machine Learning - Cloud platform for end-to-end machine learning workflows | Optional – Customer Managed Keys, High Business Impact Workspace | [Azure Docs](https://learn.microsoft.com/azure/machine-learning/overview-what-is-azure-ml) |
| Machine learning and deployment | Azure Container Registry - Managed private Docker cloud registry | Premium SKU. Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/container-registry/container-registry-intro) |
| Machine learning and deployment | Azure Kubernetes Service - Cloud hosted Kubernetes service | Private cluster enabled; Managed identity type; Network plugin set to kubenet. Optional – Customer Managed Keys for Managed Disks | [Azure Docs](https://learn.microsoft.com/azure/aks/intro-kubernetes) |
| Machine learning and deployment | Azure App Service on Linux (container) - Cloud hosted web app for model deployment | With App Service Plan SKU default as Premium 1 V2. Virtual network integration | [Azure Docs](https://learn.microsoft.com/en-us/azure/app-service/overview) |
| SQL Storage | Azure SQL Managed Instance - Cloud database storage enabling lift and shift on-premise application migrations | Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)
| SQL Storage | Azure SQL Database - Fully managed cloud database engine | Optional – Customer Managed Keys | [Azure Docs](https://learn.microsoft.com/azure/azure-sql/database/sql-database-paas-overview) |
| Key Management | Azure Key Vault - Centralized cloud storage of secrets and keys | Private Endpoint | [Azure Docs](https://learn.microsoft.com/azure/key-vault/general/overview)
| Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://learn.microsoft.com/azure/azure-monitor/app/app-insights-overview)
The intended cloud service workflows and data movements for this archetype include:
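Review bot: the App Service row keeps the locale segment, `https://learn.microsoft.com/en-us/azure/app-service/overview`, while every other migrated link in this commit drops it; use `https://learn.microsoft.com/azure/app-service/overview` for consistency. The Storage, SQL Managed Instance, Key Management and Monitoring rows also lack the closing `|` that the other rows have.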
@ -134,7 +134,7 @@ Once the machine learning archetype is deployed and available to use, access con
| Azure Container Registry | Network ACL deny, public network access disabled | Private endpoint on `registry` + DNS registration to either hub or spoke | `privateEndpoints`|f
| Azure Application Insights | N/A | N/A | N/A |
> For App Service, private endpoint requires the SKU tier `Premium`: https://docs.microsoft.com/azure/app-service/networking/private-endpoint so this may require a quota increase.
> For App Service, private endpoint requires the SKU tier `Premium`: https://learn.microsoft.com/azure/app-service/networking/private-endpoint so this may require a quota increase.
This archetype also has the following security features as options for deployment:
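Review bot: the blockquote `> For App Service, private endpoint requires the SKU tier \`Premium\`: https://learn.microsoft.com/azure/app-service/networking/private-endpoint so this may require a quota increase.` is the only bare URL in the commit; wrap it as a Markdown link like the rest and add a comma before "so". The unchanged Azure Container Registry row also ends with a stray `f` after `` `privateEndpoints`| ``, which renders as an extra table cell.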
@ -254,15 +254,15 @@ Reference implementation uses parameter files with `object` parameters to consol
### Delete Locks
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.
**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**
### Service Health
[Service health notifications](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
[Service health notifications](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties) are published by Azure, and contain information about the resources under your subscription. Service health notifications can be informational or actionable, depending on the category.
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://docs.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
Our examples configure service health alerts for `Security` and `Incident`. However, these categories can be customized based on your need. Please review the possible options in [Azure Docs](https://learn.microsoft.com/azure/service-health/service-health-notifications-properties#details-on-service-health-level-information).
### Deployment Scenarios

View file

@ -51,7 +51,7 @@ The table below outlines the key decisions each department must consider as part
Departments are targeting workloads with **Unclassified**, **Protected A** and **Protected B** data classifications in Azure. These classifications are based on [ITSG-33][itsg33] which is derived from [NIST SP 800-53 Revision 4][nist80053R4].
Guardrails in Azure are deployed through [Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview). Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Guardrails in Azure are deployed through [Azure Policy](https://learn.microsoft.com/azure/governance/policy/overview). Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.
@ -91,7 +91,7 @@ The compliance reporting will outline the Azure Policies, the resource types, th
### 2.5 Compliance Data Export
For custom reporting requirements, the raw compliance data can be exported using [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview). This export allows for additional analysis and align to operational requirements. A custom data export pipeline and processes will be needed to operationalize the dataset. Primary queries to access the data are:
For custom reporting requirements, the raw compliance data can be exported using [Azure Resource Graph](https://learn.microsoft.com/azure/governance/resource-graph/overview). This export allows for additional analysis and align to operational requirements. A custom data export pipeline and processes will be needed to operationalize the dataset. Primary queries to access the data are:
```none
securityresources
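Review bot: the new line keeps the grammatical error "allows for additional analysis and align to operational requirements"; suggest "allows for additional analysis and alignment with operational requirements".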
@ -108,7 +108,7 @@ securityresources
## 3. Management Groups
[Management Groups](https://docs.microsoft.com/azure/governance/management-groups/overview) enable organizations to efficiently manage access, governance and compliance across all subscriptions. Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and apply Azure Policies and role-based access control to the management groups. All subscriptions within a management group automatically inherit the settings applied to the management group.
[Management Groups](https://learn.microsoft.com/azure/governance/management-groups/overview) enable organizations to efficiently manage access, governance and compliance across all subscriptions. Azure management groups provide a level of scope above subscriptions. Subscriptions are organized into containers called "management groups" and apply Azure Policies and role-based access control to the management groups. All subscriptions within a management group automatically inherit the settings applied to the management group.
Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. All subscriptions within a single management group must trust the same Azure Active Directory tenant.
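Review bot: on the new line, "Subscriptions are organized into containers called "management groups" and apply Azure Policies and role-based access control to the management groups" has a subject mismatch (the subscriptions do not apply the policies); suggest "Subscriptions are organized into containers called "management groups", and Azure Policy and role-based access control are applied to those management groups."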
@ -170,7 +170,7 @@ When choosing a management group hierarchy, consider the following:
* Authoritative guidance from subject matter experts
* Your organizational requirements
* Recommended best practices
* [Important facts about management groups](https://docs.microsoft.com/azure/governance/management-groups/overview#important-facts-about-management-groups)
* [Important facts about management groups](https://learn.microsoft.com/azure/governance/management-groups/overview#important-facts-about-management-groups)
Customers with existing management group structure can consider merging the recommended structure to continue to use the existing structure. The new structure deployed side-by-side will enable the ability to:
@ -204,7 +204,7 @@ The service principal requires `Owner` role to configure role assignments for:
* Policy Assignments that provide remediation (i.e. `deployIfNotExists` policies)
* Archetype deployments (i.e. workload deployments) with role assignments between Azure Services for integration and to Security Groups for user access
> **Recommendation:** Consider setting up approval flow through Azure DevOps to ensure better control over pipeline execution. See [Release gates and approvals overview](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops) in Azure Docs.
> **Recommendation:** Consider setting up approval flow through Azure DevOps to ensure better control over pipeline execution. See [Release gates and approvals overview](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops) in Azure Docs.
Additional service principal accounts must be created and scoped to child management groups, subscriptions or resource groups based on tasks that are expected of the service principal accounts.
@ -220,24 +220,24 @@ Access Control at Management Group scope enables management and oversight at sca
| Scenario | Permanent Assignment | On-Demand Assignment (through Azure AD PIM) |
| --- | --- | --- |
| Global Reader | [Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#reader) | - |
| Governance | - | [Resource Policy Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#resource-policy-contributor) |
| Log Management | [Log Analytics Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-reader) | [Log Analytics Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-contributor) |
| Security Management | [Security Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader) | [Security Admin](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-admin) |
| User Management | - | [User Access Administrator](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#user-access-administrator) |
| Cost Management | [Billing Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#billing-reader) | - |
| Global Reader | [Reader](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#reader) | - |
| Governance | - | [Resource Policy Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#resource-policy-contributor) |
| Log Management | [Log Analytics Reader](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-reader) | [Log Analytics Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-contributor) |
| Security Management | [Security Reader](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader) | [Security Admin](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#security-admin) |
| User Management | - | [User Access Administrator](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#user-access-administrator) |
| Cost Management | [Billing Reader](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#billing-reader) | - |
### 4.4 Recommendations for Subscriptions
The table provides the 3 generic roles that are commonly used in Azure environment. Granular built-in roles can be used based on use case to further limit the access control. Our recommendation is to assign the least privileged role that is required for a person or service principal to complete the tasks.
Review the [Azure Built-In roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) to evaluate applicability.
Review the [Azure Built-In roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles) to evaluate applicability.
| Environment | Scenario | Considerations | Permanent Assignment | On-Demand Assignment (through Azure AD PIM)
| --- | --- | --- | --- | --- |
| All | Read Access | Permanent role assigned to all users who need access to the Azure resources. | [Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#reader) | - |
| Dev/Test, QA | Manage Azure resources | Contributor role can deploy all Azure resources, however any RBAC assignments will require the permissions to be elevated to Owner.<br /><br />Alternative is to leverage DevOps Pipeline and the Service Principal Account with elevated permissions. | [Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) | [Owner](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#owner) |
| Production | Manage Azure resources | No standing management permissions in Production.<br /><br />Owner role is only required for RBAC changes, otherwise, use Contributor role or another built-in role for all other operations. | - | [Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) or [Owner](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
| All | Read Access | Permanent role assigned to all users who need access to the Azure resources. | [Reader](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#reader) | - |
| Dev/Test, QA | Manage Azure resources | Contributor role can deploy all Azure resources, however any RBAC assignments will require the permissions to be elevated to Owner.<br /><br />Alternative is to leverage DevOps Pipeline and the Service Principal Account with elevated permissions. | [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) | [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) |
| Production | Manage Azure resources | No standing management permissions in Production.<br /><br />Owner role is only required for RBAC changes, otherwise, use Contributor role or another built-in role for all other operations. | - | [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) or [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
### 4.5 Recommendations for Resource Groups
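Review bot: the Production row of the subscriptions table (the `| Production | Manage Azure resources |` line) is missing its closing `|` cell delimiter, unlike the Read Access and Dev/Test rows above it; since the line is being rewritten anyway, end it with `... or [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) |` so the row renders consistently in every Markdown renderer.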
@ -273,11 +273,11 @@ Reference implementation provides two topologies for Hub Network design:
### Azure Bastion
Bastion [does not support User Defined Route](https://docs.microsoft.com/azure/bastion/bastion-faq#udr) but can work with Virtual Machines on peered virtual networks as long as the [Network Security Groups allow][nsgAzureBastion] it and the user has the [required role based access control](https://docs.microsoft.com/azure/bastion/bastion-faq#i-have-access-to-the-peered-vnet-but-i-cant-see-the-vm-deployed-there)
Bastion [does not support User Defined Route](https://learn.microsoft.com/azure/bastion/bastion-faq#udr) but can work with Virtual Machines on peered virtual networks as long as the [Network Security Groups allow][nsgAzureBastion] it and the user has the [required role based access control](https://learn.microsoft.com/azure/bastion/bastion-faq#i-have-access-to-the-peered-vnet-but-i-cant-see-the-vm-deployed-there)
### Azure Application Gateway
Application Gateway [does not support default UDRs to an NVA](https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure):
Application Gateway [does not support default UDRs to an NVA](https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure):
> "Any scenario where 0.0.0.0/0 needs to be redirected through any virtual appliance, a hub/spoke virtual network, or on-premise (forced tunneling) isn't supported for V2.".
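Review bot: the Application Gateway link keeps the `en-us` locale segment (`https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure`) while the Bastion links in the same hunk, and every other link in this change, are locale-neutral; drop `/en-us` so the site serves the reader's own locale and the URLs stay consistent across the document.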
@ -301,7 +301,7 @@ The following diagram shows a typical high-level architecture for enterprise env
![Hub Managed DNS](media/architecture/hubnetwork-private-link-central-dns.png)
**Reference:** [Private Link and DNS integration at scale](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)
**Reference:** [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)
Reference implementation provides the following capabilities:
@ -314,7 +314,7 @@ The reference implementation does not deploy DNS Servers (as Virtual Machines) i
* Leverage Azure Firewall's DNS Proxy where the Private DNS Zones are linked only to the Hub Virtual Network. DNS resolution for all spokes will be through the VIP provided by Azure Firewall.
* Link Private DNS Zones directly to the spoke virtual networks and use the [built-in DNS resolver in each virtual network](https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances). Virtual network(s) in spoke subscriptions be configured through Virtual Network Link for name resolution. DNS resolution is automatic once the Private DNS Zone is linked to the virtual network.
* Link Private DNS Zones directly to the spoke virtual networks and use the [built-in DNS resolver in each virtual network](https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances). Virtual network(s) in spoke subscriptions be configured through Virtual Network Link for name resolution. DNS resolution is automatic once the Private DNS Zone is linked to the virtual network.
* Leverage DNS Servers on virtual machines that are managed by department's IT.
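Review bot: the rewritten bullet still carries a missing verb: "Virtual network(s) in spoke subscriptions be configured through Virtual Network Link for name resolution" should read "must be configured" (or "are configured"); worth fixing while the line is being touched.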
@ -336,7 +336,7 @@ Following the nomenclature of [ITSG-22][itsg22], these would be the default subn
### 6.1 Scope
Microsoft's recommendation is [one central Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment#important-considerations-for-an-access-control-strategy) that will be shared by IT, Security Analysts and Application Teams.
Microsoft's recommendation is [one central Log Analytics workspace](https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment#important-considerations-for-an-access-control-strategy) that will be shared by IT, Security Analysts and Application Teams.
The design and recommendation are based on the following requirements:
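Review bot: swapping the host does not prove the fragment still resolves. `design-logs-deployment#important-considerations-for-an-access-control-strategy` depends on a heading that may have been renamed, or an article that may have been reorganised, under the Learn site, and an unknown fragment silently drops the reader at the top of the page. Please open each rewritten link that carries a `#fragment` once and confirm it scrolls to the intended section.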
@ -367,9 +367,9 @@ The workspace will be configured as:
As the logging strategy evolves, Microsoft recommends considering the following improvements:
* To optimize cost, configure [data retention periods by data type](https://docs.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#retention-by-data-type).
* To optimize cost, configure [data retention periods by data type](https://learn.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#retention-by-data-type).
* To optimize cost, collect only the logs that are required for operations and security monitoring. Current requirement is to collect all logs.
* For data retention greater than 2 years, export logs to Azure Storage and [leverage immutable storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutable-storage) with WORM policy (Write Once, Read Many) to make data non-erasable and non-modifiable.
* For data retention greater than 2 years, export logs to Azure Storage and [leverage immutable storage](https://learn.microsoft.com/azure/storage/blobs/storage-blob-immutable-storage) with WORM policy (Write Once, Read Many) to make data non-erasable and non-modifiable.
* Use Security Groups to control access to all or per-resource logs.
### 6.2 Design considerations for multiple Log Analytics workspaces
@ -380,7 +380,7 @@ As the logging strategy evolves, Microsoft recommends considering the following
| Avoid outbound data transfer charges by having a workspace in the same region as the Azure resources it manages. | Not applicable to current environment since all Azure deployments will be in Canada Central. |
| Manage multiple departments or business groups, and need each to see their own data, but not data from others. Also, there is no business requirement for a consolidated cross department or business group view. | Not applicable since security analysts require cross department querying capabilities, but each department or Application Team can only see their data. Data access control is achieved through role-based access control. |
**Reference**: [Designing your Azure Monitor Logs deployment](https://docs.microsoft.com/en-ca/azure/azure-monitor/logs/design-logs-deployment#important-considerations-for-an-access-control-strategy)
**Reference**: [Designing your Azure Monitor Logs deployment](https://learn.microsoft.com/en-ca/azure/azure-monitor/logs/design-logs-deployment#important-considerations-for-an-access-control-strategy)
### 6.3 Access Control - Use resource or workspace permissions
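Review bot: the reference link keeps the `en-ca` locale (`https://learn.microsoft.com/en-ca/azure/azure-monitor/logs/design-logs-deployment#...`); drop the locale segment as was done for the other links so the URL is locale-neutral.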
@ -388,11 +388,11 @@ With Azure role-based access control (Azure RBAC), you can grant users and group
For example, when you grant access to your team responsible for infrastructure services hosted on Azure virtual machines (VMs), and as a result they'll have access to only the logs generated by those VMs. This is following **resource-context** log model. The basis for this model is for every log record emitted by an Azure resource, it is automatically associated with this resource. Logs are forwarded to a central workspace that respects scoping and Azure RBAC based on the resources.
**Reference**: [Designing your Azure Monitor Logs deployment - Access Control](https://docs.microsoft.com/en-ca/azure/azure-monitor/logs/design-logs-deployment?WT.mc_id=modinfra-11671-pierrer#access-control-overview)
**Reference**: [Designing your Azure Monitor Logs deployment - Access Control](https://learn.microsoft.com/en-ca/azure/azure-monitor/logs/design-logs-deployment?WT.mc_id=modinfra-11671-pierrer#access-control-overview)
| Scenario | Log Access Mode | Log Data Visibility |
| --- | --- | --- |
| Security Analyst with [Log Analytics Reader or Log Analytics Contributor](https://docs.microsoft.com/en-ca/azure/azure-monitor/logs/manage-access#manage-access-using-azure-permissions) RBAC role assignment. | Access the Log Analytics workspace directly through Azure Portal or through Microsoft Sentinel. | All data in the Log Analytics Workspace. |
| Security Analyst with [Log Analytics Reader or Log Analytics Contributor](https://learn.microsoft.com/en-ca/azure/azure-monitor/logs/manage-access#manage-access-using-azure-permissions) RBAC role assignment. | Access the Log Analytics workspace directly through Azure Portal or through Microsoft Sentinel. | All data in the Log Analytics Workspace. |
| IT Teams responsible for one or more line of business with permissions to one or more subscriptions, resource groups or resources with at least Reader role. | Access the logs through the resource's Logs menu for the Azure resource (i.e., VM or Storage Account or Database). | Only to Azure resources based on RBAC. User can query logs for specific resources, resource groups, or subscription they have access to from any workspace but can't query logs for other resources. |
| Application Team with permissions to one or more subscriptions, resource groups or resources with at least Reader role. | Access the logs through the resource's Logs menu for the Azure resource (i.e., VM or Storage Account or Database). | Only to Azure resources based on RBAC. User can query logs for specific resources, resource groups, or subscription they have access to from any workspace but can't query logs for other resources. |
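Review bot: the Access Control reference carries both an `en-ca` locale and a `?WT.mc_id=modinfra-11671-pierrer` campaign tracking parameter; neither is needed for the link to resolve, and the tracking code tags every reader's visit to an individual's campaign. Strip both here, and the `en-ca` on the `manage-access#manage-access-using-azure-permissions` link in the table row below, so the URLs are plain `https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment#access-control-overview` and `https://learn.microsoft.com/azure/azure-monitor/logs/manage-access#manage-access-using-azure-permissions`.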
@ -565,13 +565,13 @@ By using gates, approvals, and manual intervention you can take full control of
| Scenario | Feature(s) to use |
| --- | --- |
| A user must manually validate the change request and approve the deployment to a certain stage. | [Pre-deployment approvals](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| A user must manually sign off after deployment before the release is triggered to other stages. | [Post-deployment approvals](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| A team wants to ensure there are no active issues in the work item or problem management system before deploying a build to a stage. | [Pre-deployment gates](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) |
| A team wants to ensure there are no reported incidents after deployment, before triggering a release. | [Post-deployment gates](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) |
| After deployment, a team wants to wait for a specified time before prompting users to sign out. | [Post-deployment gates](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) and [post-deployment approvals](https://docs.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| During deployment, a user must manually follow specific instructions and then resume the deployment. | [Manual Intervention](https://docs.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#configure-maninter) or [Manual Validation](https://docs.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#view-approvals) |
| During deployment, a team wants to prompt users to enter a value for a parameter used by the deployment tasks or allow users to edit the release. | [Manual Intervention](https://docs.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#configure-maninter) or [Manual Validation](https://docs.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#view-approvals) |
| A user must manually validate the change request and approve the deployment to a certain stage. | [Pre-deployment approvals](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| A user must manually sign off after deployment before the release is triggered to other stages. | [Post-deployment approvals](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| A team wants to ensure there are no active issues in the work item or problem management system before deploying a build to a stage. | [Pre-deployment gates](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) |
| A team wants to ensure there are no reported incidents after deployment, before triggering a release. | [Post-deployment gates](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) |
| After deployment, a team wants to wait for a specified time before prompting users to sign out. | [Post-deployment gates](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/gates?view=azure-devops) and [post-deployment approvals](https://learn.microsoft.com/azure/devops/pipelines/release/approvals/approvals?view=azure-devops) |
| During deployment, a user must manually follow specific instructions and then resume the deployment. | [Manual Intervention](https://learn.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#configure-maninter) or [Manual Validation](https://learn.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#view-approvals) |
| During deployment, a team wants to prompt users to enter a value for a parameter used by the deployment tasks or allow users to edit the release. | [Manual Intervention](https://learn.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#configure-maninter) or [Manual Validation](https://learn.microsoft.com/azure/devops/pipelines/release/deploy-using-approvals?view=azure-devops#view-approvals) |
| During deployment, a team wants to wait for monitoring or information portals to detect any active incidents, before continuing with other deployment jobs. | Planned, but not yet implemented for YAML pipelines |
You can combine all three techniques within a release pipeline to fully achieve your own deployment requirements.
@ -609,9 +609,9 @@ Steps to implement user validation (approval) check:
[rfc1918]: https://tools.ietf.org/html/rfc1918
[rfc6598]: https://tools.ietf.org/html/rfc6598
[nist80053r4]: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22
[nist80053r4Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[cafLandingZones]: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/
[policyRemediation]: https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources
[nsgAzureBastion]: https://docs.microsoft.com/azure/bastion/bastion-nsg#apply
[nist80053r4Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[cafLandingZones]: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/
[policyRemediation]: https://learn.microsoft.com/azure/governance/policy/how-to/remediate-resources
[nsgAzureBastion]: https://learn.microsoft.com/azure/bastion/bastion-nsg#apply
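Review bot: the same host refresh could cover the two IETF references left untouched at the top of this hunk. `https://tools.ietf.org/html/rfc1918` and `https://tools.ietf.org/html/rfc6598` point at the legacy tools.ietf.org host, which now only redirects; consider the canonical RFC Editor URLs (`https://www.rfc-editor.org/rfc/rfc1918` and `https://www.rfc-editor.org/rfc/rfc6598`) so the reference list does not depend on a redirect.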

View file

@ -39,13 +39,13 @@ Many of the guardrails contain identity and access management requirements. Howe
### Azure AD Logging and Monitoring
When configuring your Azure AD tenant, ensure that:
- [Azure AD logs are being sent to Log Analytics](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics)
- [Azure AD logs are being sent to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
- [Azure AD logs are being sent to Log Analytics](https://learn.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics)
- [Azure AD logs are being sent to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory)
> NOTE: Azure AD P1/P2 is required to ingest sign-in logs to Microsoft Sentinel.
To create alerts from sign-in logs, refer to:
- [Create, view, and manage log alerts using Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/alerts/alerts-log)
- [Microsoft Sentinel: Create custom analytics rules to detect threats](https://docs.microsoft.com/azure/sentinel/detect-threats-custom)
- [Create, view, and manage log alerts using Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-log)
- [Microsoft Sentinel: Create custom analytics rules to detect threats](https://learn.microsoft.com/azure/sentinel/detect-threats-custom)
### Azure AD Recommendations
@ -57,60 +57,60 @@ The following features provide native solutions to several guardrails, including
#### Azure AD Conditional Access (Azure AD P1/P2 Required)
Consider implementing [Azure AD Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) to create fine-tuned access policies with contextual factors such as user, device, location, and real-time risk information to control what a specific user can access, and how and when they have access.
Consider implementing [Azure AD Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview) to create fine-tuned access policies with contextual factors such as user, device, location, and real-time risk information to control what a specific user can access, and how and when they have access.
Refer to [Plan a Conditional Access deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) to get started.
Refer to [Plan a Conditional Access deployment](https://learn.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) to get started.
#### Azure AD Identity Protection (Azure AD P2 Required)
Consider implementing [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection) to detect, investigate, and remediate suspicious user and sign-in behavior in your environment.
Consider implementing [Azure AD Identity Protection](https://learn.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection) to detect, investigate, and remediate suspicious user and sign-in behavior in your environment.
When configuring Azure AD Identity Protection, ensure that:
- [Azure AD Identity Protection alerts are configured](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)
- [Azure AD Identity Protection logs are being sent to Log Analytics](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-export-risk-data)
- [Azure AD Identity Protection logs are being sent to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection).
- [Azure AD Identity Protection alerts are configured](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)
- [Azure AD Identity Protection logs are being sent to Log Analytics](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-export-risk-data)
- [Azure AD Identity Protection logs are being sent to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection).
#### Azure AD Privileged Identity Management (Azure AD P2 Required)
Consider implementing [Azure AD Privileged Identity Management (PIM)](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access to important resources in your organization
Consider implementing [Azure AD Privileged Identity Management (PIM)](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access to important resources in your organization
When configuring Azure AD PIM, ensure that [Azure AD PIM alerts are configured](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts).
When configuring Azure AD PIM, ensure that [Azure AD PIM alerts are configured](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts).
Refer to [Plan a Privileged Identity Management deployment](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan) to get started.
Refer to [Plan a Privileged Identity Management deployment](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan) to get started.
#### Azure AD Access Reviews (Azure AD P2 Required)
Consider implementing [Azure AD Access Reviews](https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview) to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.
Consider implementing [Azure AD Access Reviews](https://learn.microsoft.com/azure/active-directory/governance/access-reviews-overview) to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.
Refer to [Plan an Azure Active Directory access reviews deployment](https://docs.microsoft.com/azure/active-directory/governance/deploy-access-reviews) to get started.
Refer to [Plan an Azure Active Directory access reviews deployment](https://learn.microsoft.com/azure/active-directory/governance/deploy-access-reviews) to get started.
#### User and Entity Behavioral Analytics
Consider enabling [User and Entity Behavioral Analytics](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics) within Microsoft Sentinel to identify anomalous activity and help you determine if an asset has been compromised (usage fees apply).
Consider enabling [User and Entity Behavioral Analytics](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics) within Microsoft Sentinel to identify anomalous activity and help you determine if an asset has been compromised (usage fees apply).
### ALZCPS Identity Management Policies
The following policies related to identity management are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-2: Account Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#account-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-2 (1): Automated System Account Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#automated-system-account-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-3: Access Enforcement](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#access-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-5: Separation of Duties](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#separation-of-duties)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-6: Least Privilege](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#least-privilege)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-6 (5): Account Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#account-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-6 (10): Prohibit Non-privileged Users from Executing Privileged Functions](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#prohibit-non-privileged-users-from-executing-privileged-functions)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-7: Unsuccessful Logon Attempts](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#unsuccessful-logon-attempts)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-19: Access Control for Mobile Devices](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-control-for-mobile-devices)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2: Identification and Authentication (organizational Users)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#identification-and-authentication-organizational-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2 (1): Multi-factor Authentication to Privileged Accounts](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-control-for-mobile-devices)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2 (2): Multi-factor Authentication to Non-privileged Accounts](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#multi-factor-authentication-to-non-privileged-accounts)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-2 (11): Remote Access - Separate Device](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#remote-access---separate-device)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-4: Identifier Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#identifier-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-5: Authenticator Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#authenticator-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-5 (1): Password-based Authentication](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#password-based-authentication)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-5 (7): No Embedded Unencrypted Static Authenticators](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#no-embedded-unencrypted-static-authenticators)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-5 (13): Expiration of Cached Authenticators](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#expiration-of-cached-authenticators)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-6: Authenticator Feedback](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#authenticator-feedback)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-8: Identification and Authentication (non-organizational Users)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-non-organizational-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-2: Account Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#account-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-2 (1): Automated System Account Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#automated-system-account-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-3: Access Enforcement](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#access-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-5: Separation of Duties](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#separation-of-duties)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-6: Least Privilege](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#least-privilege)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-6 (5): Account Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#account-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-6 (10): Prohibit Non-privileged Users from Executing Privileged Functions](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#prohibit-non-privileged-users-from-executing-privileged-functions)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-7: Unsuccessful Logon Attempts](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#unsuccessful-logon-attempts)
- [Azure Policy - NIST SP 800-53 Rev. 4 AC-19: Access Control for Mobile Devices](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-control-for-mobile-devices)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2: Identification and Authentication (organizational Users)](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#identification-and-authentication-organizational-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2 (1): Multi-factor Authentication to Privileged Accounts](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-control-for-mobile-devices)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-2 (2): Multi-factor Authentication to Non-privileged Accounts](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#multi-factor-authentication-to-non-privileged-accounts)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-2 (11): Remote Access - Separate Device](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#remote-access---separate-device)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-4: Identifier Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#identifier-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-5: Authenticator Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#authenticator-management)
- [Azure Policy - NIST SP 800-53 Rev. 5 IA-5 (1): Password-based Authentication](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#password-based-authentication)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-5 (7): No Embedded Unencrypted Static Authenticators](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#no-embedded-unencrypted-static-authenticators)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-5 (13): Expiration of Cached Authenticators](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#expiration-of-cached-authenticators)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-6: Authenticator Feedback](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#authenticator-feedback)
- [Azure Policy - NIST SP 800-53 Rev. 4 IA-8: Identification and Authentication (non-organizational Users)](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-non-organizational-users)
## Guardrails
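Review bot: Two entries in this policy list link to the wrong page or anchor, and since the lines are already being rewritten for the domain change this is the place to fix them. The `Rev. 5 IA-2 (1): Multi-factor Authentication to Privileged Accounts` entry points at `nist-sp-800-53-r4#access-control-for-mobile-devices`, which is the same URL as the `AC-19` entry a few lines above it; by analogy with the `IA-2 (2)` entry immediately below it, the target should be the Rev. 5 page and its privileged-accounts MFA anchor. The `Rev. 4 AC-6 (5): Account Management` entry is labelled Rev. 4 but links to the r5 page, and its `#account-management` fragment is the AC-2 anchor already used by the first entry of the list, so label, revision and anchor do not agree and should be reconciled.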
@ -120,28 +120,28 @@ The following policies related to identity management are enabled by default in
#### 1.1 Implement multi-factor authentication (MFA) mechanism for root/master account.
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
[Azure AD Conditional Access](#azure-ad-conditional-access-azure-ad-p1-required) is a native solution that can help to meet this consideration.
Multi-factor authentication controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Conditional Access: Require MFA for administrators](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
- [Conditional Access: Require MFA for administrators](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
#### 1.2 Document a break glass emergency account management procedure. Including names of users with root or master account access.
Documentation exercises are out of scope. GC intranet users can reference the [break-glass emergency account procedure document](https://gcconnex.gc.ca/file/view/55010566/break-glass-emergency-account-procedure-departments-can-use-to-develop-their-emergency-access-management-controls-for-cloud?language=en).
Relevant Links:
- [Manage emergency access accounts in Azure AD](https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access)
- [Manage emergency access accounts in Azure AD](https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access)
#### 1.3 Obtain signature from Departmental Chief Information Officer (CIO) and Chief Security Officer (CSO) to confirm acknowledgement and approval of the break glass emergency account management procedures.
Documentation exercises are out of scope. GC intranet users can reference the [break-glass emergency account procedure document](https://gcconnex.gc.ca/file/view/55010566/break-glass-emergency-account-procedure-departments-can-use-to-develop-their-emergency-access-management-controls-for-cloud?language=en).
Relevant Links:
- [Manage emergency access accounts in Azure AD](https://docs.microsoft.com/azure/active-directory/roles/security-emergency-access)
- [Manage emergency access accounts in Azure AD](https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access)
#### 1.4 Implement a mechanism for enforcing access authorizations.
@ -155,9 +155,9 @@ The following native solutions can help to meet this consideration:
Access authorization controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Authorization with Azure AD](https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
- [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps)
#### 1.5 Configure appropriate alerts on root/master accounts to detect a potential compromise, in accordance with the GC Event Logging Guidance.
@ -168,8 +168,8 @@ The following native solutions can help to meet this consideration:
- [User and Entity Behavioral Analytics (UEBA)](#azure-ad-privileged-identity-management-azure-ad-p2-required)
Related Links:
- [Azure Active Directory Identity Protection notifications](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)
- [Identity Protection - How To: Export risk data](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-export-risk-data)
- [Azure Active Directory Identity Protection notifications](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)
- [Identity Protection - How To: Export risk data](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-export-risk-data)
---
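Review bot: Style: the list header `Related Links:` in section 1.5 differs from the `Relevant Links:` header used by every other consideration in this file; suggest changing it to `Relevant Links:` while this region is being touched.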
@ -187,7 +187,7 @@ The following native solutions can help to meet this consideration:
Relevant Links:
- [SPIN 2017-01 Subsection 6.2.3](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/direction-secure-use-commercial-cloud-services-spin.html#toc6-2-3)
- [Enhance security with the principle of least privilege](https://docs.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
- [Enhance security with the principle of least privilege](https://learn.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
#### 2.2 Implement a mechanism for enforcing access authorizations.
@ -201,9 +201,9 @@ The following native solutions can help to meet this consideration:
Access authorization controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Authorization with Azure AD](https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
- [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps)
#### 2.3 Implement a mechanism for uniquely identifying and authenticating organizational users, non-organizational users (if applicable), and processes (for example, username and password).
@ -212,20 +212,20 @@ This consideration can be met by appropriately configuring your Azure AD instanc
Controls for authenticating organizational users, non-organizational users, and processes are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Azure Active Directory Authentication management operations reference guide](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-ops-guide-auth)
- [B2B collaboration overview](https://docs.microsoft.com/azure/active-directory/external-identities/what-is-b2b) (Guest Accounts)
- [Application and service principal objects in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals) (Apps)
- [Azure Active Directory Authentication management operations reference guide](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-ops-guide-auth)
- [B2B collaboration overview](https://learn.microsoft.com/azure/active-directory/external-identities/what-is-b2b) (Guest Accounts)
- [Application and service principal objects in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals) (Apps)
#### 2.4 Implement a multi-factor authentication mechanism for privileged accounts (for example, username, password and one-time password) and for external facing interfaces.
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
[Azure AD Conditional Access](#azure-ad-conditional-access-azure-ad-p1-required) is a native solution that can help to meet this consideration.
Multi-factor authentication controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Conditional Access: Require MFA for administrators](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
- [Conditional Access: Require MFA for administrators](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
#### 2.5 Change default passwords.
@ -234,11 +234,11 @@ This consideration can be met by appropriately configuring your Azure AD instanc
Password controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Combined password policy and weak password check in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-combined-policy)
- [Combined password policy and weak password check in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-combined-policy)
#### 2.6 Ensure that no custom subscription owner roles are created.
As described in the [Microsoft Cloud Adoption Framework design recommendations](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zonedesign-recommendations), there is one custom owner role created:
As described in the [Microsoft Cloud Adoption Framework design recommendations](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zonedesign-recommendations), there is one custom owner role created:
- Custom - Landing Zone Subscription Owner
However, this is not truly a "subscription owner", as it has limited permissions and is unable to manage RBAC and networking.
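Review bot: The fragment `#prerequisites-for-a-landing-zonedesign-recommendations` in the Cloud Adoption Framework link looks like two heading slugs run together (`landing-zone` followed directly by `design-recommendations`); please confirm the anchor resolves on learn.microsoft.com after the domain change and correct it if it does not, otherwise the link drops the reader at the top of the page rather than at the design recommendations.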
@ -253,14 +253,14 @@ Password controls are implemented as listed in [ALZCPS Identity Management Polic
Relevant Links:
- [GC Password Guidance](https://www.canada.ca/en/government/system/digital-government/online-security-privacy/password-guidance.html)
- [Password policies and account restrictions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
- [Password policies and account restrictions in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
#### 2.8 Minimize number of guest users; add only if needed.
Out of scope.
Relevant Links:
- [B2B collaboration overview](https://docs.microsoft.com/azure/active-directory/external-identities/what-is-b2b) (Guest Accounts)
- [B2B collaboration overview](https://learn.microsoft.com/azure/active-directory/external-identities/what-is-b2b) (Guest Accounts)
#### 2.9 Determine access restrictions and configuration requirements for GC-issued endpoint devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly. Note: Some service providers may offer configuration options to restrict endpoint device access. Alternatively, organizational policy and procedural instruments can be implemented to restrict access.
@ -281,14 +281,14 @@ Access restriction controls are implemented as listed in [ALZCPS Identity Manage
#### 3.1 Implement multi-factor authentication mechanism for privileged accounts and remote network (cloud) access.
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
[Azure AD Conditional Access](#azure-ad-conditional-access-azure-ad-p1-required) is a native solution that can help to meet this consideration.
Multi-factor authentication controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Conditional Access: Require MFA for administrators](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
- [Conditional Access: Require MFA for administrators](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa)
#### 3.2 Determine access restrictions and configuration requirements for GC managed devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly.
@ -312,7 +312,7 @@ For logging and monitoring, see [Azure AD Logging and Monitoring](#azure-ad-logg
Access-control controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Conditional Access: Require compliant or hybrid Azure AD joined device](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
- [Conditional Access: Require compliant or hybrid Azure AD joined device](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
#### 3.4 Implement a mechanism for enforcing access authorizations.
@ -326,21 +326,21 @@ The following native solutions can help to meet this consideration:
Access authorization controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Authorization with Azure AD](https://docs.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
- [Authorization with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authorization)
- [What is Azure role-based access control (Azure RBAC)?](https://learn.microsoft.com/azure/role-based-access-control/overview)
- [Steps to assign an Azure role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps)
#### 3.5 Implement password protection mechanisms to protect against password brute force attacks.
This consideration can be met by appropriately configuring your Azure AD instance. Specifically, [configuring Azure AD smart lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout) or by implementing a [passwordless authentication deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
This consideration can be met by appropriately configuring your Azure AD instance. Specifically, [configuring Azure AD smart lockout](https://learn.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout) or by implementing a [passwordless authentication deployment](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
Password controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [What authentication and verification methods are available in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods)
- [What authentication and verification methods are available in Azure Active Directory?](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods)
- [Forget passwords, go passwordless](https://www.microsoft.com/security/business/identity-access-management/passwordless-authentication)
- [Plan and deploy on-premises Azure Active Directory Password Protection](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy)
- [Combined password policy and weak password check in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-combined-policy)
- [Plan and deploy on-premises Azure Active Directory Password Protection](https://learn.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy)
- [Combined password policy and weak password check in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-combined-policy)
---
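Review bot: Style: the second sentence of 3.5, `Specifically, [configuring Azure AD smart lockout](...) or by implementing a [passwordless authentication deployment](...).`, is a fragment with no verb; suggest `Specifically, by configuring ... or by implementing ...` so it reads as a continuation of the preceding sentence.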
@ -350,21 +350,21 @@ Relevant Links:
#### 4.1 Assign roles to approved GC stakeholders to enable enterprise visibility. Roles include billing reader, policy contributor/reader, security reader, and global reader.
This consideration can be met by appropriately configuring your Azure AD instance. Specifically, by assigning the appropriate [RBAC roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles).
This consideration can be met by appropriately configuring your Azure AD instance. Specifically, by assigning the appropriate [RBAC roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles).
Role-related controls are implemented as listed in [ALZCPS Identity Management Policies](#alzcps-identity-management-policies).
Relevant Links:
- [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
- [Steps to assign an Azure role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps)
#### 4.2 Ensure that multi-factor authentication mechanism for enterprise monitoring accounts is enabled.
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
This consideration can be met by appropriately configuring your Azure AD instance. Review the following tutorial: [Secure user sign-in events with Azure AD Multi-Factor Authentication](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
[Azure AD Conditional Access](#azure-ad-conditional-access-azure-ad-p1-required) is a native solution that can help to meet this consideration.
Relevant Links:
- [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
- [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa)
---
@ -381,8 +381,8 @@ The following policies related to data location are enabled by default in ALZCPS
Relevant Links:
- [ALZCPS location parameters](../policy/builtin/assignments/location.parameters.json)
- [Azure built-in policies](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies)
- [General built-in policies](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
- [Azure built-in policies](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies)
- [General built-in policies](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
---
@ -396,51 +396,51 @@ Institutional policy guidance exercises are out of scope.
#### 6.2 Implement an encryption mechanism to protect the confidentiality and integrity of data when data are at rest in your solution's storage.
[Most Azure services that support encryption at rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services) typically support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. However, there are various supported encryption models, including:
[Most Azure services that support encryption at rest](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services) typically support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. However, there are various supported encryption models, including:
- [Server-side encryption using Service-Managed keys](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-service-managed-keys)
- [Server-side encryption using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-azure-key-vault)
- [Server-side encryption using customer-managed keys in customer-controlled hardware](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-customer-controlled-hardware)
- [Client-side encryption](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#client-encryption-model)
- [Server-side encryption using Service-Managed keys](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-service-managed-keys)
- [Server-side encryption using customer-managed keys in Azure Key Vault](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-azure-key-vault)
- [Server-side encryption using customer-managed keys in customer-controlled hardware](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-customer-controlled-hardware)
- [Client-side encryption](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#client-encryption-model)
Refer to [this list](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#client-encryption-model) to see encryption models are supported by each service.
Refer to [this list](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#client-encryption-model) to see encryption models are supported by each service.
The following policies related to protection of information at rest are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28: Protection of Information at Rest](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#protection-of-information-at-rest)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28: Protection of Information at Rest](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#protection-of-information-at-rest)
Relevant Links:
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Azure Data Encryption at rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
- [Azure Storage encryption for data at rest](https://docs.microsoft.com/azure/storage/common/storage-service-encryption)
- [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
- [Azure data security and encryption best practices](https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Azure Data Encryption at rest](https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest)
- [Azure Storage encryption for data at rest](https://learn.microsoft.com/azure/storage/common/storage-service-encryption)
- [Data encryption models](https://learn.microsoft.com/azure/security/fundamentals/encryption-models)
- [Azure data security and encryption best practices](https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices)
#### 6.3 Use CSE-approved cryptographic algorithms and protocols, in accordance with ITSP.40.111 and ITSP.40.062.
Azure provides the ability to use CSE-approved algorithms and protocols. However, _policy enforcement_ is not possible across all use-cases as it is dependant upon the individual application architecture. For example, the [default certificate signing algorithm within Azure AD](https://docs.microsoft.com/azure/active-directory/manage-apps/certificate-signing-options#certificate-signing-algorithms) is SHA-256. However, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.
Azure provides the ability to use CSE-approved algorithms and protocols. However, _policy enforcement_ is not possible across all use-cases as it is dependant upon the individual application architecture. For example, the [default certificate signing algorithm within Azure AD](https://learn.microsoft.com/azure/active-directory/manage-apps/certificate-signing-options#certificate-signing-algorithms) is SHA-256. However, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.
The following policies related to approved cryptographic algorithms are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-13: Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-protection-3)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-13: Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-protection-3)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
Relevant Links:
- [ITSP.40.111: Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information](https://cyber.gc.ca/guidance/cryptographic-algorithms-unclassified-protected-and-protected-b-information-itsp40111)
- [ITSP.40.062: Guidance on Securely Configuring Network Protocols](https://cyber.gc.ca/guidance/guidance-securely-configuring-network-protocols-itsp40062)
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
#### 6.4 Implement key management procedures.
[Most Azure services that support encryption at rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services) typically support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. [Customer-managed key](https://docs.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-azure-key-vault) scenarios are supported within ALZCPS in the [Healthcare](./archetypes/healthcare.md) and [Machine Learning](./docs/archetypes/machinelearning.md) archetypes. See [Key management in Azure](https://docs.microsoft.com/azure/security/fundamentals/key-management) for more details on platform-managed and customer-managed keys.
[Most Azure services that support encryption at rest](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services) typically support offloading the management of encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. [Customer-managed key](https://learn.microsoft.com/azure/security/fundamentals/encryption-models#server-side-encryption-using-customer-managed-keys-in-azure-key-vault) scenarios are supported within ALZCPS in the [Healthcare](./archetypes/healthcare.md) and [Machine Learning](./docs/archetypes/machinelearning.md) archetypes. See [Key management in Azure](https://learn.microsoft.com/azure/security/fundamentals/key-management) for more details on platform-managed and customer-managed keys.
The following policies related to key management are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-12: Cryptographic Key Establishment and Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-key-establishment-and-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-17: Public Key Infrastructure Certificates](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#public-key-infrastructure-certificates)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-12: Cryptographic Key Establishment and Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-key-establishment-and-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-17: Public Key Infrastructure Certificates](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#public-key-infrastructure-certificates)
Relevant Links:
- [Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services: Key Management](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-consideration-use-cryptography-in-cloud.html#toc3)
- [Key management in Azure](https://docs.microsoft.com/azure/security/fundamentals/key-management)
- [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
- [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
- [Key management in Azure](https://learn.microsoft.com/azure/security/fundamentals/key-management)
- [Data encryption models](https://learn.microsoft.com/azure/security/fundamentals/encryption-models)
- [About Azure Key Vault](https://learn.microsoft.com/azure/key-vault/general/overview)
---
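Review bot: the two archetype links on the rewritten 6.4 paragraph disagree on their relative base: `[Healthcare](./archetypes/healthcare.md)` sits next to `[Machine Learning](./docs/archetypes/machinelearning.md)`. Only one of these can resolve from this file's location, so while the line is being touched for the docs.microsoft.com to learn.microsoft.com move, point both at the same directory (most likely `./archetypes/machinelearning.md`, matching the Healthcare link and the `./archetypes/hubnetwork-azfw.md` link used further down).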
@ -450,28 +450,28 @@ Relevant Links:
#### 7.1 Implement an encryption mechanism to protect the confidentiality and integrity of data when data are in transit to and from your solution.
For client applications, this is specific to the application architecture and determined risk profiles. Azure PaaS services can be audited for compliance via Azure Policy. [Azure offers many mechanisms for keeping data private as it moves from one location to another.](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit).
For client applications, this is specific to the application architecture and determined risk profiles. Azure PaaS services can be audited for compliance via Azure Policy. [Azure offers many mechanisms for keeping data private as it moves from one location to another.](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit).
The following policies related to protection of data in transit are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8: Transmission Confidentiality and Integrity](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#transmission-confidentiality-and-integrity)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8: Transmission Confidentiality and Integrity](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#transmission-confidentiality-and-integrity)
Relevant Links:
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Encryption of data in transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
- [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
- [Azure data security and encryption best practices](https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Encryption of data in transit](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
- [Data encryption models](https://learn.microsoft.com/azure/security/fundamentals/encryption-models)
- [Azure data security and encryption best practices](https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices)
#### 7.2 Use CSE-approved cryptographic algorithms and protocols.
Azure provides the ability to use CSE-approved algorithms and protocols. However, _policy enforcement_ is not possible across all use-cases as it is dependant upon the individual application architecture. For example, the [default certificate signing algorithm within Azure AD](https://docs.microsoft.com/azure/active-directory/manage-apps/certificate-signing-options#certificate-signing-algorithms) is SHA-256. However, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.
Azure provides the ability to use CSE-approved algorithms and protocols. However, _policy enforcement_ is not possible across all use-cases as it is dependant upon the individual application architecture. For example, the [default certificate signing algorithm within Azure AD](https://learn.microsoft.com/azure/active-directory/manage-apps/certificate-signing-options#certificate-signing-algorithms) is SHA-256. However, if an application only supports SHA-1, Azure AD can be manually configured to sign SAML responses using SHA-1 for that application.
The following policies related to approved cryptographic algorithms are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-13: Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-protection-3)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-13: Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-protection-3)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
Relevant Links:
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
#### 7.3 Encryption of data in transit by default (e.g. TLS v1.2, etc.) for all publicly accessible sites and external communications as per the direction on Implementing HTTPS for Secure Web Connections (ITPIN 2018-01).
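Review bot: two wording defects are carried over onto the rewritten lines in this hunk. In 7.1 the period is inside the link text and repeated after it (`...from one location to another.](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit).`), which renders as a double full stop; the 7.5 copy of the same sentence already has the period outside the link, so align 7.1 with it. In 7.2, `dependant upon the individual application architecture` should read `dependent upon`.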
@ -481,51 +481,51 @@ TLS 1.2 is set as the minimum TLS version in the following deployed resources:
- Storage
The following policies related to encryption of data in transit for publicly accessible sites and external communications are enabled by default in ALZCPS deployments:
- [Azure Policy - Canada Federal PBMM SC8(1): Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection](https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm#transmission-confidentiality-and-integrity--cryptographic-or-alternate-physical-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8(1): Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection)
- [Azure Policy - Canada Federal PBMM SC8(1): Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection](https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm#transmission-confidentiality-and-integrity--cryptographic-or-alternate-physical-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8(1): Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection)
Relevant Links:
- [ITPIN 2018-01: Implementing HTTPS for Secure Web Connections](https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html)
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Encryption of data in transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Encryption of data in transit](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
#### 7.4 Encryption for all access to cloud services (e.g. Cloud storage, Key Management systems, etc.).
The following policies related to encryption for access to cloud services are enabled by default in ALZCPS deployments:
- [Azure Policy - Canada Federal PBMM SC8(1): Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection](https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm#transmission-confidentiality-and-integrity--cryptographic-or-alternate-physical-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8(1): Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection)
- [Azure Policy - Canada Federal PBMM SC8(1): Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection](https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm#transmission-confidentiality-and-integrity--cryptographic-or-alternate-physical-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-8(1): Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection)
Relevant Links:
- [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
- [Azure encryption overview](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
#### 7.5 Consider encryption for internal zone communication in the cloud based on risk profile and as per the direction in CCCS network security zoning guidance in ITSG-22 and ITSG-38.
For client applications, this is specific to the application architecture and determined risk profiles. Azure PaaS services can be audited for compliance via Azure Policy. [Azure offers many mechanisms for keeping data private as it moves from one location to another](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit).
For client applications, this is specific to the application architecture and determined risk profiles. Azure PaaS services can be audited for compliance via Azure Policy. [Azure offers many mechanisms for keeping data private as it moves from one location to another](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit).
As an additional layer of protection, [Azure Private Link](https://docs.microsoft.com/azure/private-link/private-link-overview) enables access to Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Azure Private Link is enabled on all supported PaaS services in an ALZCPS deployment.
As an additional layer of protection, [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview) enables access to Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Azure Private Link is enabled on all supported PaaS services in an ALZCPS deployment.
The following policies related to information flow enforcement are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-28 (1): Cryptographic Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-protection-1)
Relevant Links:
- [ITSG-22: Baseline Security Requirements for Network Security Zones in the Government of Canada](https://www.cyber.gc.ca/sites/default/files/publications/itsg-22-eng.pdf)
- [ITSG-38: Network Security Zoning - Design Considerations for Placement of Services within Zones](https://cyber.gc.ca/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38)
- [What is Azure Private Link?](https://docs.microsoft.com/azure/private-link/private-link-overview)
- [What is Azure Private Link?](https://learn.microsoft.com/azure/private-link/private-link-overview)
#### 7.6 Implement key management procedures.
See [Key management in Azure](https://docs.microsoft.com/azure/security/fundamentals/key-management) for details on platform-managed and customer-managed keys.
See [Key management in Azure](https://learn.microsoft.com/azure/security/fundamentals/key-management) for details on platform-managed and customer-managed keys.
The following policies related to key management are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-12: Cryptographic Key Establishment and Management](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-key-establishment-and-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-17: Public Key Infrastructure Certificates](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#public-key-infrastructure-certificates)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-12: Cryptographic Key Establishment and Management](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#cryptographic-key-establishment-and-management)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-17: Public Key Infrastructure Certificates](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#public-key-infrastructure-certificates)
Relevant Links:
- [Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services: Key Management](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-consideration-use-cryptography-in-cloud.html#toc3)
- [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
- [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
- [Data encryption models](https://learn.microsoft.com/azure/security/fundamentals/encryption-models)
- [About Azure Key Vault](https://learn.microsoft.com/azure/key-vault/general/overview)
---
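Review bot: the 7.6 Relevant Links list is out of step with 6.4, which carries the same policy list: 6.4 lists `[Key management in Azure](https://learn.microsoft.com/azure/security/fundamentals/key-management)` under Relevant Links, while 7.6 links it only in the paragraph and lists just `Data encryption models` and `About Azure Key Vault`. Since both sections are being rewritten in this commit, add the key-management link to 7.6's list (or drop it from 6.4's) so the two guardrail entries read consistently.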
@ -538,9 +538,9 @@ Relevant Links:
The [ALZCPS network design](./architecture.md#5-network) implements separate hub virtual networks that allow for segmenting management operations. However, it is up to the implementer to determine how these networks should be enhanced to meet their specific security needs.
The following policies related to network security are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-7 (5): Deny by Default / Allow by Exception](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#deny-by-default--allow-by-exception)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SC-7 (5): Deny by Default / Allow by Exception](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#deny-by-default--allow-by-exception)
Relevant Links:
- [ITSG-22: Baseline Security Requirements for Network Security Zones in the Government of Canada](https://www.cyber.gc.ca/sites/default/files/publications/itsg-22-eng.pdf)
@ -550,12 +550,12 @@ Relevant Links:
#### 8.2 Implement increased levels of protection for management interfaces.
ALZCPS adheres to boundary protection policies for management interfaces. This includes the use of [Azure Private Link](https://docs.microsoft.com/azure/private-link/private-link-overview), routing traffic to a [deployed firewall](./architecture.md#topology), and disabling public network access to sensitive resources.
ALZCPS adheres to boundary protection policies for management interfaces. This includes the use of [Azure Private Link](https://learn.microsoft.com/azure/private-link/private-link-overview), routing traffic to a [deployed firewall](./architecture.md#topology), and disabling public network access to sensitive resources.
For custom applications, it is up to the implementer to identify management interfaces which may need increased levels of protection.
The following policies related to protection for management interfaces are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
---
@ -573,55 +573,55 @@ For logging and monitoring, review the [Azure Firewall Archetype Log Analytics I
The following policies related to boundary protection are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
Relevant Links:
- [What is Azure Firewall?](https://docs.microsoft.com/azure/firewall/overview)
- [Monitor Azure Firewall logs and metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics)
- [Azure Firewall Premium features](https://docs.microsoft.com/azure/firewall/premium-features)
- [Monitor logs using Azure Firewall Workbook](https://docs.microsoft.com/azure/firewall/firewall-workbook)
- [What is Azure Firewall?](https://learn.microsoft.com/azure/firewall/overview)
- [Monitor Azure Firewall logs and metrics](https://learn.microsoft.com/azure/firewall/firewall-diagnostics)
- [Azure Firewall Premium features](https://learn.microsoft.com/azure/firewall/premium-features)
- [Monitor logs using Azure Firewall Workbook](https://learn.microsoft.com/azure/firewall/firewall-workbook)
#### 9.2 Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy.
When using the Azure Firewall Archetype, please review the pre-configured [Azure Firewall Rules](./archetypes/hubnetwork-azfw.md#azure-firewall-rules).
The following policies related to boundary protection are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
#### 9.3 Perimeter security services such as boundary protection, intrusion prevention services, proxy services, TLS traffic inspection, etc. must be enabled based on risk profile, in alignment with GC Secure Connectivity Requirements and ITSG-22 and ITSG-38.
The required/available security services will depend on the deployed workload, such as the firewall used, and any additional requirements of the workload based on risk profile. When deploying using ALZCPS:
- Microsoft Defender for Cloud is enabled [via a custom policy](../policy/custom/definitions/policyset/DefenderForCloud.bicep) on all supported resources.
- Microsoft Sentinel is enabled, but requires further [configuration and management](https://docs.microsoft.com/azure/sentinel/best-practices).
- Microsoft Sentinel is enabled, but requires further [configuration and management](https://learn.microsoft.com/azure/sentinel/best-practices).
- Azure Private DNS Zones [are used to enable Private Link](./architecture.md#private-dns-zones) for Azure PaaS services.
- Azure DDoS Standard can optionally be enabled during [hub networking configuration](./onboarding/azure-devops-pipelines.md#step-7---configure-hub-networking).
- [TLS Inspection](https://docs.microsoft.com/azure/firewall/premium-features#tls-inspection) can be enabled on Azure Firewall Premium.
- [TLS Inspection](https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection) can be enabled on Azure Firewall Premium.
The following policies related to perimeter security services are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-5: Denial-of-service Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#denial-of-service-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-3: Malicious Code Protection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#malicious-code-protection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-3 (7): Nonsignature-based Detection](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#nonsignature-based-detection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-4: System Monitoring](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-5: Denial-of-service Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#denial-of-service-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SC-7: Boundary Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#boundary-protection)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-3: Malicious Code Protection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#malicious-code-protection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-3 (7): Nonsignature-based Detection](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#nonsignature-based-detection)
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-4: System Monitoring](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
Relevant Links:
- [ITSG-22: Baseline Security Requirements for Network Security Zones in the Government of Canada](https://www.cyber.gc.ca/sites/default/files/publications/itsg-22-eng.pdf)
- [ITSG-38: Network Security Zoning - Design Considerations for Placement of Services within Zones](https://cyber.gc.ca/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38)
- [What is Microsoft Defender for Cloud?](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [What is Microsoft Sentinel?](https://docs.microsoft.com/azure/sentinel/overview)
- [Azure DDoS Protection Standard overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
- [Azure Firewall Premium features](https://docs.microsoft.com/azure/firewall/premium-features)
- [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
- [Azure DDoS Protection Standard overview](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview)
- [Azure Firewall Premium features](https://learn.microsoft.com/azure/firewall/premium-features)
#### 9.4 Ensure that access to cloud storage services is protected and restricted to authorized users and services.
For the archetypes provided in ALZCPS, we provide Private Endpoints for storage accounts. Further controls may be required to limit access to specific users and groups as needed.
The following policies related to access to cloud storage services are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
- [Azure Policy - NIST SP 800-53 Rev. 5 AC-4: Information Flow Enforcement](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#information-flow-enforcement)
Relevant Links:
- [Authorize access to data in Azure Storage](https://docs.microsoft.com/azure/storage/common/authorize-data-access)
- [Authorize access to data in Azure Storage](https://learn.microsoft.com/azure/storage/common/authorize-data-access)
---
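Review bot: the last policy bullet in 9.3 mislabels its target: the text says `NIST SP 800-53 Rev. 4 SI-4: System Monitoring` but the URL is `nist-sp-800-53-r5#system-monitoring`. Every other bullet in this file pairs the revision in the label with the matching `-r4` / `-r5` page, so either change the label to `Rev. 5` (the same link is already labelled Rev. 5 in sections 10 and 11) or point the URL at the `nist-sp-800-53-r4` page with its own anchor.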
@ -641,19 +641,19 @@ Relevant Links:
The required/available cyber defense services will depend on the deployed workload, such as the firewall used, and any additional requirements of the workload based on risk profile. When deploying using ALZCPS:
- Microsoft Defender for Cloud is enabled [via a custom policy](../policy/custom/definitions/policyset/DefenderForCloud.bicep) on all supported resources.
- Microsoft Sentinel is enabled, but requires further [configuration and management](https://docs.microsoft.com/azure/sentinel/best-practices).
- Microsoft Sentinel is enabled, but requires further [configuration and management](https://learn.microsoft.com/azure/sentinel/best-practices).
- Azure DDoS Standard can optionally be enabled during [hub networking configuration](./onboarding/azure-devops-pipelines.md#step-7---configure-hub-networking).
- [TLS Inspection](https://docs.microsoft.com/azure/firewall/premium-features#tls-inspection) can be enabled on Azure Firewall Premium.
- [TLS Inspection](https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection) can be enabled on Azure Firewall Premium.
The following policies related to to cyber defense services are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-2: Flaw Remediation](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#flaw-remediation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
- [Azure Policy - NIST SP 800-53 Rev. 4 SI-2: Flaw Remediation](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#flaw-remediation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
Relevant Links:
- [What is Microsoft Defender for Cloud?](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [What is Microsoft Sentinel?](https://docs.microsoft.com/azure/sentinel/overview)
- [Azure DDoS Protection Standard overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
- [Azure Firewall Premium features](https://docs.microsoft.com/azure/firewall/premium-features)
- [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [What is Microsoft Sentinel?](https://learn.microsoft.com/azure/sentinel/overview)
- [Azure DDoS Protection Standard overview](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview)
- [Azure Firewall Premium features](https://learn.microsoft.com/azure/firewall/premium-features)
---
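Review bot: the unchanged context line introducing the policy list reads `The following policies related to to cyber defense services are enabled by default`, a doubled `to`. It is one line above the two bullets being rewritten, so fold the fix into this hunk rather than leaving it for a separate typo pass.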
@ -685,17 +685,17 @@ For VMs, diagnostic logs are collected using the Microsoft Monitoring Agent whic
For PaaS services, diagnostics settings are turned on.
The following policies related to to logging and reporting are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-2: Audit Events](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#audit-events)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-3: Audit Events](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#content-of-audit-records)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-6: Audit Record Review, Analysis, and Reporting](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-review-analysis-and-reporting)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9: Protection of Audit Information](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#protection-of-audit-information)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9 (4): Access by Subset of Privileged Users](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-by-subset-of-privileged-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-12: Audit Record Generation](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-generation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-2: Audit Events](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#audit-events)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-3: Audit Events](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#content-of-audit-records)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-6: Audit Record Review, Analysis, and Reporting](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-review-analysis-and-reporting)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9: Protection of Audit Information](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#protection-of-audit-information)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9 (4): Access by Subset of Privileged Users](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-by-subset-of-privileged-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-12: Audit Record Generation](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-generation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
Relevant Links:
- [Azure Monitor: Log Analytics workspaces](https://docs.microsoft.com/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
- [Monitoring solutions in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/insights/solutions)
- [Azure Monitor: Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
- [Monitoring solutions in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/insights/solutions)
#### 11.2 Identify the events within the solution that must be audited in accordance with GC Event Logging.
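Review bot: the AU-3 entry in this hunk is mislabelled, and the rewrite is the moment to fix it: the line reads `NIST SP 800-53 Rev. 4 AU-3: Audit Events` while its own anchor is `#content-of-audit-records`, which is the actual title of AU-3 (Content of Audit Records). `AU-2: Audit Events` on the line above is the entry that legitimately carries that name, so the two currently read as duplicates to anyone scanning the list.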
@ -710,8 +710,8 @@ ALZCPS sets up email notifications for the following alerts by default:
Further configuration is required to set up appropriate alerts and notifications for any deployment.
Relevant Links:
- [Microsoft Defender for Cloud: Configure email notifications for security alerts](https://docs.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
- [Microsoft Sentinel: Automate incident handling in Microsoft Sentinel with automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules)
- [Microsoft Defender for Cloud: Configure email notifications for security alerts](https://learn.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
- [Microsoft Sentinel: Automate incident handling in Microsoft Sentinel with automation rules](https://learn.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules)
#### 11.4 Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.
@ -720,15 +720,15 @@ Azure PaaS Services and Azure Marketplace Windows VMs use _time.windows.com_ as
Since early 2021, Azure Marketplace Linux VMs use the _chronyd_ service to synchronize with the host time (_time.windows.com_).
There are two standard time-stamp columns within Azure Monitor logs:
- [TimeGenerated](https://docs.microsoft.com/azure/azure-monitor/logs/log-standard-columns#timegenerated), which contains the date and time that the record was created by the data source.
- [_TimeReceived](https://docs.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_timereceived), which contains the date and time that the record was received by the Azure Monitor ingestion point in the Azure cloud.
- [TimeGenerated](https://learn.microsoft.com/azure/azure-monitor/logs/log-standard-columns#timegenerated), which contains the date and time that the record was created by the data source.
- [_TimeReceived](https://learn.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_timereceived), which contains the date and time that the record was received by the Azure Monitor ingestion point in the Azure cloud.
The following policies related to to time stamps are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-8: Time Stamps](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#time-stamps)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-8: Time Stamps](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#time-stamps)
Relevant Links:
- [Time sync for Linux VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/linux/time-sync)
- [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
- [Time sync for Linux VMs in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/time-sync)
- [Time sync for Windows VMs in Azure](https://learn.microsoft.com/azure/virtual-machines/windows/time-sync)
#### 11.5 Continuously monitor system events and performance.
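Review bot: the unchanged context line `The following policies related to to time stamps` has a doubled `to`; since the adjacent policy link is being rewritten, fold the typo fix into this hunk rather than leaving it for a later pass.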
@ -755,18 +755,18 @@ For PaaS services, diagnostics settings are turned on.
Additionally, Microsoft Defender for Cloud is enabled by default on all supported solutions.
The following policies related to to logging and reporting are enabled by default in ALZCPS deployments:
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-2: Audit Events](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#audit-events)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-3: Audit Events](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#content-of-audit-records)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-6: Audit Record Review, Analysis, and Reporting](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-review-analysis-and-reporting)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9: Protection of Audit Information](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#protection-of-audit-information)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9 (4): Access by Subset of Privileged Users](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-by-subset-of-privileged-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-12: Audit Record Generation](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-generation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-2: Audit Events](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#audit-events)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-3: Audit Events](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#content-of-audit-records)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-6: Audit Record Review, Analysis, and Reporting](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-review-analysis-and-reporting)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9: Protection of Audit Information](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#protection-of-audit-information)
- [Azure Policy - NIST SP 800-53 Rev. 4 AU-9 (4): Access by Subset of Privileged Users](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-by-subset-of-privileged-users)
- [Azure Policy - NIST SP 800-53 Rev. 5 AU-12: Audit Record Generation](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#audit-record-generation)
- [Azure Policy - NIST SP 800-53 Rev. 5 SI-4: System Monitoring](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5#system-monitoring)
Relevant Links:
- [Azure Monitor: Log Analytics workspaces](https://docs.microsoft.com/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
- [Monitoring solutions in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/insights/solutions)
- [What is Microsoft Defender for Cloud?](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
- [Azure Monitor: Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
- [Monitoring solutions in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/insights/solutions)
- [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
---
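Review bot: the `AU-3: Audit Events` mislabel from the earlier policy list reappears here (anchor `#content-of-audit-records`, control title Content of Audit Records), and the context line `related to to logging and reporting` repeats the doubled `to`. The two lists are evidently copies of one another; fix both, or keep a single list and reference it from the other section so the control titles cannot drift apart again.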
@ -779,7 +779,7 @@ Relevant Links:
The private marketplace is not enabled by default. Once enabled, only approved public marketplace offerings are allowed.
Relevant Links:
- [Create and manage Private Azure Marketplace collections in the Azure portal](https://docs.microsoft.com/marketplace/create-manage-private-azure-marketplace-new)
- [Create and manage Private Azure Marketplace collections in the Azure portal](https://learn.microsoft.com/marketplace/create-manage-private-azure-marketplace-new)
#### 12.2 Submit requests to add third-party products to marketplace to SSC Cloud Broker.

Просмотреть файл

@ -12,7 +12,7 @@ This document provides steps required to onboard to the Azure Landing Zones desi
> Telemetry is introduced on November 11, 2021.
Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). The data is collected and governed by Microsoft's privacy policies, located at [https://www.microsoft.com/trustcenter](https://www.microsoft.com/trustcenter).
The automation is instrumented to identify the modules that are being deployed. At this time, we don't differentiate the deployments and tracked under a single GUID (`a83f6385-f514-415f-991b-2d9bd7aed658`).
@ -196,9 +196,9 @@ An Azure service principal is an identity created for use with applications, hos
* **Scope:** Tenant Root Group (this is a management group in the Azure environment)
* **Role:** [Owner](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#owner) (Grants full access to manage all resources, including the ability to assign roles in [Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control/overview). Owner permission is required so that the Azure DevOps Pipelines can create resources and role assignments.)
* **Role:** [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) (Grants full access to manage all resources, including the ability to assign roles in [Azure RBAC](https://learn.microsoft.com/azure/role-based-access-control/overview). Owner permission is required so that the Azure DevOps Pipelines can create resources and role assignments.)
* **Instructions**: [Create an Azure service principal with the Azure CLI | Microsoft Docs](https://docs.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli)
* **Instructions**: [Create an Azure service principal with the Azure CLI | Microsoft Docs](https://learn.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli)
To create the service principal account and role assignment through Azure CLI:
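Review bot: the `Role:` line in this hunk documents an Owner assignment scoped to Tenant Root Group for a pipeline service principal, the broadest grant possible in the tenant, and the only justification given is that the pipelines create resources and role assignments. While the line is being edited, state why a narrower scope (a management group below Tenant Root Group) or a narrower role pairing was not sufficient, and add a sentence on handling the resulting credential, which the next hunk's context tells the reader to simply note down. Separately, the `| Microsoft Docs` suffix in the `Instructions` link text is now stale against a learn.microsoft.com URL and should be dropped or changed to Microsoft Learn.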
@ -263,11 +263,11 @@ Note down the `appId`, `tenant` and `password`. These will be required to for s
* Verify and save
* **Reference**: [Service connections in Azure Pipelines - Azure Pipelines | Microsoft Docs](https://docs.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml). Use the settings described above when following the instructions.
* **Reference**: [Service connections in Azure Pipelines - Azure Pipelines | Microsoft Docs](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml). Use the settings described above when following the instructions.
### Step 2.2: Configure Azure DevOps Pipeline Environment
An environment is a collection of resources that you can target with deployments from a pipeline. Typical examples of environment names are Dev, Test, QA, Staging, and Production. More information such as benefits of using Environments can be found in [Azure Docs](https://docs.microsoft.com/azure/devops/pipelines/process/environments).
An environment is a collection of resources that you can target with deployments from a pipeline. Typical examples of environment names are Dev, Test, QA, Staging, and Production. More information such as benefits of using Environments can be found in [Azure Docs](https://learn.microsoft.com/azure/devops/pipelines/process/environments).
Azure DevOps may create an environment if it doesn't exist, however, it's recommended to explicitly create an empty environment and reference it from deployment jobs. This lets you record the deployment history against the environment.
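Review bot: the link text in both changed lines still names the old site (`| Microsoft Docs` in the `Reference` link and `Azure Docs` in the environments sentence) while the URLs now point at learn.microsoft.com; update the visible text together with the host so the two do not disagree. The hunk header's context sentence `These will be required to for s...` also carries a stray `to` that could be fixed in the same change.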
@ -688,7 +688,7 @@ In order to configure audit stream for Azure Monitor, identify the following inf
3. Navigate to Agents Management
4. Select either Primary or Secondary Key
**Instructions**: [Create an audit stream in Azure DevOps for Azure Monitor](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops#create-a-stream).
**Instructions**: [Create an audit stream in Azure DevOps for Azure Monitor](https://learn.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops#create-a-stream).
---
@ -1534,7 +1534,7 @@ In order to configure audit stream for Azure Monitor, identify the following inf
You can migrate to the management group hierarchy implemented in v0.9.0 by populating the hierarchy from your existing Azure environment. By migrating to the hierarchy, you can take advantage of simplified configuration without modifying Bicep templates. To generate the hierarchy:
1. Install [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) & [jq](https://stedolan.github.io/jq/download/) on your environment.
1. Install [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli) & [jq](https://stedolan.github.io/jq/download/) on your environment.
2. Login to Azure CLI.

Просмотреть файл

@ -26,23 +26,23 @@ The instructions in this document and scripts in the `/scripts/onboarding` folde
Install instructions:
- <https://docs.microsoft.com/cli/azure/install-azure-cli>
- <https://learn.microsoft.com/cli/azure/install-azure-cli>
After installation:
- Sign in with `az login`
<https://docs.microsoft.com/cli/azure/authenticate-azure-cli>
<https://learn.microsoft.com/cli/azure/authenticate-azure-cli>
### Azure CLI devops extension
Install instructions:
- <https://docs.microsoft.com/azure/devops/cli>
- <https://learn.microsoft.com/azure/devops/cli>
After installation:
- Sign-in with a Personal Access Token (PAT):
<https://docs.microsoft.com/azure/devops/cli/log-in-via-pat>. For example:
<https://learn.microsoft.com/azure/devops/cli/log-in-via-pat>. For example:
`az devops login --organization https://dev.azure.com/[DEVOPS-ORG]`
Optionally, you may also want to perform the following steps:
@ -55,7 +55,7 @@ Optionally, you may also want to perform the following steps:
These additional steps are optional since the scripts use the `DEVOPS_ORG` and `DEVOPS_PROJECT_NAME` environment variables. Setting the default Azure DevOps organization and project may be useful when you are invoking the `az devops` commands directly.
- For other `az devops` commands, refer to the following documentation: <https://docs.microsoft.com/cli/azure/ext/azure-devops>
- For other `az devops` commands, refer to the following documentation: <https://learn.microsoft.com/cli/azure/ext/azure-devops>
### jq.exe
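Review bot: the changed link keeps the path `cli/azure/ext/azure-devops`, which is the only CLI reference in this file that includes an `ext/` segment (compare `cli/azure/install-azure-cli` a few lines up). A mechanical host swap does not establish that a path exists on learn.microsoft.com, so run a link checker over the converted URLs, and for this one in particular confirm the final destination rather than relying on a redirect.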
@ -87,7 +87,7 @@ If you need to create Azure DevOps project(s) or manage organization-wide policy
If you don't need to create Azure DevOps project(s) or manage organization-wide policy settings, then your user account will only need to be a member of the `Project Administrators` group in an existing Azure DevOps project.
Detailed instructions on how to configure security & usage settings for Azure DevOps are outside the scope of this documentation. For additional information on these topics, refer to the following: [Settings, Security & Usage documentation](https://docs.microsoft.com/azure/devops/organizations).
Detailed instructions on how to configure security & usage settings for Azure DevOps are outside the scope of this documentation. For additional information on these topics, refer to the following: [Settings, Security & Usage documentation](https://learn.microsoft.com/azure/devops/organizations).
### Azure Active Directory
@ -102,7 +102,7 @@ Perform the following steps to verify your administrative access level:
1. Verify your account is assigned the `Global administrator` role
Next, ensure your account has elevated access at Azure AD tenant root scope, so that you are able to manage management groups:
Reference: <https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin>
Reference: <https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin>
Here are some sample Azure CLI commands you can use:
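Review bot: the sentence above the changed link tells the reader to ensure their account has elevated access at Azure AD tenant root scope, but nothing here tells them to remove that elevation once the management groups are in place. The referenced elevate-access article covers removal as well; add a one-line follow-up step so the onboarding does not leave Global Administrators with permanent tenant-wide User Access Administrator rights.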
@ -119,7 +119,7 @@ Here are some sample Azure CLI commands you can use:
### Azure Subscriptions
You will need to either have the ability to create new Azure subscriptions or have Azure subscriptions created for you and ready for use. If you need to create Azure subscriptions, then review the following documentation that discusses the role requirements depending on whether your Azure subscriptions are procured through an Azure Enterprise Agreement, Microsoft Customer Agreement, Microsoft Partner Agreement, or Microsoft Online Service Program billing account: [Create an additional Azure subscription](https://docs.microsoft.com/azure/cost-management-billing/manage/create-subscription).
You will need to either have the ability to create new Azure subscriptions or have Azure subscriptions created for you and ready for use. If you need to create Azure subscriptions, then review the following documentation that discusses the role requirements depending on whether your Azure subscriptions are procured through an Azure Enterprise Agreement, Microsoft Customer Agreement, Microsoft Partner Agreement, or Microsoft Online Service Program billing account: [Create an additional Azure subscription](https://learn.microsoft.com/azure/cost-management-billing/manage/create-subscription).
---
@ -143,7 +143,7 @@ There are two options for hosting the repository code, outlined in the following
> Choose this option if you are already using (or more comfortable working with) Azure DevOps as a location for maintaining your repository files. This option is also a good choice if you want to simplify Azure DevOps pipelines creation by referencing Git repositories in Azure DevOps instead of GitHub Enterprise.
Follow the instructions in the documentation [Import a Git repo](https://docs.microsoft.com/azure/devops/repos/git/import-git-repository?view=azure-devops).
Follow the instructions in the documentation [Import a Git repo](https://learn.microsoft.com/azure/devops/repos/git/import-git-repository?view=azure-devops).
In the instructions above, you will use the following Clone URL value: `https://github.com/Azure/CanadaPubSecALZ.git`, and the process will look similar to the following screenshot at the import stage:

Просмотреть файл

@ -20,7 +20,7 @@ This section introduces some terminology, and examines logical boundaries at the
- **`Organization`**: an Azure DevOps organization may have the same or different Azure AD tenant backing user authentication. Generally speaking, there little to no visibility between `Projects` (and `Teams`) that are located in different Azure DevOps organizations. Furthermore, it is difficult to track work efforts (e.g. using Agile Portfolio Management techniques) for `Projects` and `Teams` that are located in different Azure DevOps organizations. Where these boundaries are desirable, perhaps at higher levels in a large organization, having a separate Azure DevOps organization may be desirable.
- **`Project`**: a project within an Azure DevOps organization shares `Organization`-level administrative capabilities, such as work item process customization, access to the same set of extensions, a common billing source (Azure subscription), a common Azure AD tenant for identity/authentication, auditing, and a common set of security policies. Additionally, there is visibility between projects on elements such as work items, repositories.
- **`Team`**: a team within an Azure DevOps project shares `Project`-level administrative capabilities, but may customize many aspects of the interface to their teams requirements, for example: boards, repositories, wikis, etc. Pipelines do not have team-specific views, however it is possible to have multiple Git repositories per `Project` and organize them in a folder hierarchy by `Team`. Read more about this topic in [When to add a team or project](https://docs.microsoft.com/azure/devops/pipelines/create-first-pipeline) and [When to add another project](https://docs.microsoft.com/azure/devops/organizations/projects/about-projects#when-to-add-another-project).
- **`Team`**: a team within an Azure DevOps project shares `Project`-level administrative capabilities, but may customize many aspects of the interface to their teams requirements, for example: boards, repositories, wikis, etc. Pipelines do not have team-specific views, however it is possible to have multiple Git repositories per `Project` and organize them in a folder hierarchy by `Team`. Read more about this topic in [When to add a team or project](https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline) and [When to add another project](https://learn.microsoft.com/azure/devops/organizations/projects/about-projects#when-to-add-another-project).
Generally, it is recommended to strive for fewer Azure DevOps organizations and projects where possible. For ideas on how to determine the right mix of `Organizations`, `Projects` and `Teams` for your business, refer to the Q&A in the next section.
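Review bot: in the `Team` bullet of this hunk, the link titled `When to add a team or project` points at `azure/devops/pipelines/create-first-pipeline`, which is a pipeline quickstart and unlikely to be the intended target; verify the destination while the URL is being rewritten. The same line also reads `their teams requirements`, which should be `their team's requirements`.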
@ -42,7 +42,7 @@ These activities should be completed once per Azure Active Directory tenant that
| # | | Task
| :-: | - | --------------------
| 1 | [Link](https://docs.microsoft.com/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation#prerequisites) | Enable the Azure AD prerequisites for the `Restrict organization creation` policy.
| 1 | [Link](https://learn.microsoft.com/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation#prerequisites) | Enable the Azure AD prerequisites for the `Restrict organization creation` policy.
| 2 | | Add users to the Azure AD group `Azure DevOps Administrators` who should have the ability to create new Azure DevOps organizations that are linked to your Azure AD tenant.
## Creating an Azure DevOps organization
@ -51,14 +51,14 @@ These activities should be completed once per new Azure DevOps organization crea
| # | | Task
| :-: | - | --------------------
| 1 | [Link](https://docs.microsoft.com/azure/devops/organizations/accounts/create-organization) | Create a new Azure DevOps organization. Ensure you are signed in with the identity from the Azure AD tenant you want associated with the new Azure DevOps organization. During the creation process, ensure you select the Canada geography for [data location](https://docs.microsoft.com/azure/devops/organizations/security/data-location) - it should default to this setting based on nearest geography, but it's good to be aware of this configuration option just in case.
| 2 | [Link](https://docs.microsoft.com/azure/devops/organizations/security/set-project-collection-level-permissions) | Add one or more secondary users to the `Project Collection Administrators` group. This ensures continuity in the event the original creator (Owner) of the Azure DevOps organization is unavailable. Limit the total number of users assigned this role to the minium needed.
| 3 | [Link](https://docs.microsoft.com/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation#turn-on-the-policy) | Turn on the `Restrict organization creation` policy.
| 4 | [Link](https://docs.microsoft.com/azure/devops/organizations/billing/set-up-billing-for-your-organization-vs) | Set up billing for your organization. This step associates your Azure DevOps organization with an Azure subscription as a means of payment for things like additional `Basic` access licensed users, additional parallel jobs for Azure Pipelines, and additional storage for Azure Artifacts.
| 5 | [Link](https://docs.microsoft.com/azure/devops/organizations/accounts/add-organization-users) | Add users who will need access to projects within this organization. As part of adding users you will specify an Access Level (Stakeholder, Basic, or Visual Studio Subscriber). Optionally, you may want to consider implementing one or more [Group Rules](https://docs.microsoft.com/azure/devops/organizations/accounts/assign-access-levels-by-group-membership) to automate Access Level and Project permission assignments based on user membership in either an Azure AD group or an Azure DevOps Services group.
| 6 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/work/manage-process#set-the-default-process) | Set/change the default process to one of the following values, based on your organization's process template standard or the process you anticipate will be most often used during Azure DevOps project creation: `Agile`, `Scrum`, `Basic`, or `CMMI`. You may also customize an existing process (inheritance) and set that to be the default process selected during Azure DevOps project creation.
| 1 | [Link](https://learn.microsoft.com/azure/devops/organizations/accounts/create-organization) | Create a new Azure DevOps organization. Ensure you are signed in with the identity from the Azure AD tenant you want associated with the new Azure DevOps organization. During the creation process, ensure you select the Canada geography for [data location](https://learn.microsoft.com/azure/devops/organizations/security/data-location) - it should default to this setting based on nearest geography, but it's good to be aware of this configuration option just in case.
| 2 | [Link](https://learn.microsoft.com/azure/devops/organizations/security/set-project-collection-level-permissions) | Add one or more secondary users to the `Project Collection Administrators` group. This ensures continuity in the event the original creator (Owner) of the Azure DevOps organization is unavailable. Limit the total number of users assigned this role to the minium needed.
| 3 | [Link](https://learn.microsoft.com/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation#turn-on-the-policy) | Turn on the `Restrict organization creation` policy.
| 4 | [Link](https://learn.microsoft.com/azure/devops/organizations/billing/set-up-billing-for-your-organization-vs) | Set up billing for your organization. This step associates your Azure DevOps organization with an Azure subscription as a means of payment for things like additional `Basic` access licensed users, additional parallel jobs for Azure Pipelines, and additional storage for Azure Artifacts.
| 5 | [Link](https://learn.microsoft.com/azure/devops/organizations/accounts/add-organization-users) | Add users who will need access to projects within this organization. As part of adding users you will specify an Access Level (Stakeholder, Basic, or Visual Studio Subscriber). Optionally, you may want to consider implementing one or more [Group Rules](https://learn.microsoft.com/azure/devops/organizations/accounts/assign-access-levels-by-group-membership) to automate Access Level and Project permission assignments based on user membership in either an Azure AD group or an Azure DevOps Services group.
| 6 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/work/manage-process#set-the-default-process) | Set/change the default process to one of the following values, based on your organization's process template standard or the process you anticipate will be most often used during Azure DevOps project creation: `Agile`, `Scrum`, `Basic`, or `CMMI`. You may also customize an existing process (inheritance) and set that to be the default process selected during Azure DevOps project creation.
| 7 | [Link](https://aka.ms/vsts-anon-access) | Turn off the option allowing public projects.
| 8 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/timezone-settings-usage) | Configure time zone settings.
| 8 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/timezone-settings-usage) | Configure time zone settings.
## Creating an Azure DevOps project
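Review bot: row 2 of the table in this hunk reads `Limit the total number of users assigned this role to the minium needed`; `minium` should be `minimum`, and since the whole row is being rewritten for the host change the typo can be fixed in the same line.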
@ -66,12 +66,12 @@ These activities should be completed once per new Azure DevOps project created i
| # | | Task
| :-: | - | --------------------
| 1 | [Link](https://docs.microsoft.com/azure/devops/organizations/projects/create-project) | Create a new Azure DevOps project. You will need to have the following information available to configure the newly created project: project name, visibility (typically Private), version control (typically Git), and work item process (e.g. Agile, Scrum, Basic, or CMMI). You should develop and follow an standard naming convention for projects. This allows users to easily find and identify projects based on their usage within the organization. While you may use spaces in your project names, this is discouraged as it leads to special encoding requirements in reference URLs. E.g. the URL-encoded sequence for a space character is `%20`, which has the effect of visually cluttering URL references to elements of the project, such as pipelines, and generally makes it more difficult to write automation scripts.
| 2 | [Link](https://docs.microsoft.com/azure/devops/organizations/security/add-users-team-project) | Add users to the newly created project. When adding users to a project, you will place them into one of three roles: 1) Readers, 2) Contributors, or 3) Project Administrators. The list of users and their roles should be acquired from the group requesting the project as part of the intake process. Once one or more Project Administrators have been added to a project, they can complete any additional configuration for the project (e.g. the following steps in this list), or you may continue and do so on their behalf.
| 3 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/set-services) | **Optionally** disable visibility of any Azure DevOps services that are not required by the project members. For example, if no project members are using source control (Azure Repos), you can turn off its visibility in the menu at the project scope so it does not appear in the sidebar menu.
| 4 | [Link](https://docs.microsoft.com/azure/devops/organizations/projects/create-project#add-a-repository-to-your-project) | Add a repository to the project. Additionally you may also: [Clone an existing Git repo](https://docs.microsoft.com/azure/devops/repos/git/clone), [Import a Git repo](https://docs.microsoft.com/azure/devops/repos/git/import-git-repository), and [Import a repo from TFVC](https://docs.microsoft.com/azure/devops/repos/git/import-from-tfvc).
| 5 | [Link](https://docs.microsoft.com/azure/devops/boards/work-items/view-add-work-items) | Add new work items to the project. For example, populate an initial set of User Stories.
| 6 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/about-areas-iterations) | Configure `Area` and `Iteration` (sprint) paths.
| 1 | [Link](https://learn.microsoft.com/azure/devops/organizations/projects/create-project) | Create a new Azure DevOps project. You will need to have the following information available to configure the newly created project: project name, visibility (typically Private), version control (typically Git), and work item process (e.g. Agile, Scrum, Basic, or CMMI). You should develop and follow an standard naming convention for projects. This allows users to easily find and identify projects based on their usage within the organization. While you may use spaces in your project names, this is discouraged as it leads to special encoding requirements in reference URLs. E.g. the URL-encoded sequence for a space character is `%20`, which has the effect of visually cluttering URL references to elements of the project, such as pipelines, and generally makes it more difficult to write automation scripts.
| 2 | [Link](https://learn.microsoft.com/azure/devops/organizations/security/add-users-team-project) | Add users to the newly created project. When adding users to a project, you will place them into one of three roles: 1) Readers, 2) Contributors, or 3) Project Administrators. The list of users and their roles should be acquired from the group requesting the project as part of the intake process. Once one or more Project Administrators have been added to a project, they can complete any additional configuration for the project (e.g. the following steps in this list), or you may continue and do so on their behalf.
| 3 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/set-services) | **Optionally** disable visibility of any Azure DevOps services that are not required by the project members. For example, if no project members are using source control (Azure Repos), you can turn off its visibility in the menu at the project scope so it does not appear in the sidebar menu.
| 4 | [Link](https://learn.microsoft.com/azure/devops/organizations/projects/create-project#add-a-repository-to-your-project) | Add a repository to the project. Additionally you may also: [Clone an existing Git repo](https://learn.microsoft.com/azure/devops/repos/git/clone), [Import a Git repo](https://learn.microsoft.com/azure/devops/repos/git/import-git-repository), and [Import a repo from TFVC](https://learn.microsoft.com/azure/devops/repos/git/import-from-tfvc).
| 5 | [Link](https://learn.microsoft.com/azure/devops/boards/work-items/view-add-work-items) | Add new work items to the project. For example, populate an initial set of User Stories.
| 6 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/about-areas-iterations) | Configure `Area` and `Iteration` (sprint) paths.
## Creating an Azure DevOps team in existing project
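Review bot: the rewritten task-1 row still reads "follow an standard naming convention"; since that line is already being touched for the Learn URL, change it to "a standard naming convention" in the same commit instead of leaving the typo for a follow-up.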
@ -79,8 +79,8 @@ These activities should be completed once per new `Team` created in an existing
| # | | Task
| :-: | - | --------------------
| 1 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/add-teams) | Add a new team.
| 2 | [Link](https://docs.microsoft.com/azure/devops/organizations/settings/add-team-administrator) | Add one or more team administrators.
| 3 | [Link](https://docs.microsoft.com/en-us/azure/devops/organizations/security/add-users-team-project) | Add users to the team.
| 4 | [Link](https://docs.microsoft.com/azure/devops/project/navigation/set-favorites) | Set team favorites.
| 5 | [Link](https://docs.microsoft.com/azure/devops/boards/plans/portfolio-management) | Determine if this team is part of a larger portfolio management effort, and if so follow the guidance in [Configure a hierarchy of team](https://docs.microsoft.com/azure/devops/boards/plans/configure-hierarchical-teams) to ensure the newly created team is configured in the hierarchy.
| 1 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/add-teams) | Add a new team.
| 2 | [Link](https://learn.microsoft.com/azure/devops/organizations/settings/add-team-administrator) | Add one or more team administrators.
| 3 | [Link](https://learn.microsoft.com/en-us/azure/devops/organizations/security/add-users-team-project) | Add users to the team.
| 4 | [Link](https://learn.microsoft.com/azure/devops/project/navigation/set-favorites) | Set team favorites.
| 5 | [Link](https://learn.microsoft.com/azure/devops/boards/plans/portfolio-management) | Determine if this team is part of a larger portfolio management effort, and if so follow the guidance in [Configure a hierarchy of team](https://learn.microsoft.com/azure/devops/boards/plans/configure-hierarchical-teams) to ensure the newly created team is configured in the hierarchy.
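Review bot: the task-3 link in this table keeps the `en-us` locale segment (`https://learn.microsoft.com/en-us/azure/devops/organizations/security/add-users-team-project`) while every other link in both tables is locale-neutral; drop `/en-us` so Learn serves the reader's own locale and the table stays consistent. The task-5 link text "Configure a hierarchy of team" should also read "teams".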

View file

@ -114,7 +114,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
Once the permissions are identified, click the **Cancel** button to discard the changes.
Use [Azure Built-In Roles table](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) to map the permission name to it's Resource ID. Resource ID will be used when defining the role assignments.
Use [Azure Built-In Roles table](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles) to map the permission name to it's Resource ID. Resource ID will be used when defining the role assignments.
4. Click on the **Duplicate initiative** button. We will not be duplicating the policy set definition, but use this step to identify the parameter names that will need to be populated during policy assignment.
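Review bot: "map the permission name to it's Resource ID" on the rewritten line should be "its Resource ID" (possessive, no apostrophe); fix it while the line is being edited anyway. The following sentence also reads better as "The Resource ID is used when defining the role assignments."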
@ -336,7 +336,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
Execute `Azure DevOps Policy pipeline` to deploy. The policy set assignment will be deployed to the `top level management group` (i.e. `pubsec`).
> It takes approximately 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative, and depending on the effects defined by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once evaluation completes, the updated compliance results are available in the portal and to SDKs. See [Azure Docs for more information](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
> It takes approximately 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative, and depending on the effects defined by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once evaluation completes, the updated compliance results are available in the portal and to SDKs. See [Azure Docs for more information](https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
#### **Step 5: Verify policy set assignment**
@ -388,7 +388,7 @@ You may want to evaluate the compliance in your environment without any automati
Please review guidance and expected behaviour of these settings prior to making any modification:
* [Cloud Adoption Framework - Adopting policy driven guardrails](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
* [Cloud Adoption Framework - Adopting policy driven guardrails](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
* [Azure Policy Enforcement Mode](https://aka.ms/enforcementMode)
You can switch between these modes per-policy set based on your Azure Policy adoption strategy.
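Review bot: the second bullet, `https://aka.ms/enforcementMode`, is the only link in this list left on a redirect rather than a `learn.microsoft.com` URL. aka.ms short links keep working, but for consistency with the rest of the change either resolve it to its Learn target here or state in the commit that aka.ms links are intentionally left alone. The same two-bullet list appears again in the `@ -1025,7 +1025,7 @@` hunk, so apply the same decision there.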
@ -445,13 +445,13 @@ Custom policies and policy sets enable an organization to expand their governanc
* all: evaluate resource groups, subscriptions, and all resource types
* indexed: only evaluate resource types that support tags and location
See [Azure Policy Reference](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#mode) for more information.
See [Azure Policy Reference](https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#mode) for more information.
4. Edit `azurepolicy.parameters.json`.
Define parameters that are required by the policy definition. Using parameters enable the policy to be used with different configuration.
See [Azure Parameter Reference](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#parameters) for more information.
See [Azure Parameter Reference](https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#parameters) for more information.
**Example**
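Review bot: the context line "Using parameters enable the policy to be used with different configuration" should be "Using parameters enables the policy to be used with different configurations"; it sits two lines above the URL being changed in this hunk, so it can be corrected in the same edit.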
@ -472,7 +472,7 @@ Custom policies and policy sets enable an organization to expand their governanc
Describes the policy rule that will be evaluated by Azure Policy. The rule can have any effect such as Audit, Deny, DeployIfNotExists.
See [Azure Policy docs for more information on creating custom policies](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure).
See [Azure Policy docs for more information on creating custom policies](https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure).
**Example**
@ -879,7 +879,7 @@ When there are deployment errors:
Execute `Azure DevOps Policy pipeline` to deploy. The policy set definition and assignment will be deployed to the `top level management group` (i.e. `pubsec`).
> It takes around 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs. See [Azure Docs for more information](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
> It takes around 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs. See [Azure Docs for more information](https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
#### **Step 5: Verify policy set definition and assignment deployment**
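Review bot: the blockquote rewritten here is a near-verbatim copy of the one in the `@ -336,7 +336,7 @@` hunk, with the wording already drifting ("around" vs "approximately", "effects used by" vs "effects defined by"). This commit had to apply the same URL fix to each copy separately; keep the two notes identical, or reduce them to one shared note, so the next edit only has to touch one place.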
@ -911,7 +911,7 @@ Execute `Azure DevOps Policy pipeline` to automatically deploy the policy defini
Navigate to [Azure Policy Definitions][portalAzurePolicyDefinition] to verify that the policy has been updated.
> It takes around 30 minutes for the update to be applied. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs. See [Azure Docs for more information](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
> It takes around 30 minutes for the update to be applied. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs. See [Azure Docs for more information](https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data).
When there are deployment errors:
@ -1025,7 +1025,7 @@ You may want to evaluate the compliance in your environment without any automati
Please review guidance and expected behaviour of these settings prior to making any modification:
* [Cloud Adoption Framework - Adopting policy driven guardrails](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
* [Cloud Adoption Framework - Adopting policy driven guardrails](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
* [Azure Policy Enforcement Mode](https://aka.ms/enforcementMode)
You can switch between these modes per-policy set based on your Azure Policy adoption strategy.
@ -1052,13 +1052,13 @@ The Diagnostic Settings policies in this reference implementation were created u
* Create `azurepolicy.config.json` with policy name and mode.
4. Delete the instance created in Step 1.
[nist80053r4Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[asbPolicySet]: https://docs.microsoft.com/security/benchmark/azure/overview
[cisMicrosoftAzureFoundationPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0
[fedrampmPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/fedramp-moderate
[hipaaHitrustPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2
[nist80053r4Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[asbPolicySet]: https://learn.microsoft.com/security/benchmark/azure/overview
[cisMicrosoftAzureFoundationPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0
[fedrampmPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/fedramp-moderate
[hipaaHitrustPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2
[portalAzurePolicyDefinition]: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Definitions
[portalAzurePolicyAssignment]: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Assignments
[portalAzurePolicyCompliance]: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Compliance
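Review bot: the seven policy-set link reference definitions rewritten here (`nist80053r4Policyset` through `hipaaHitrustPolicySet`) are redefined identically in the next file's `@ -170,10 +170,10 @@` hunk. Duplicated reference lists drift, which is exactly why this commit needs the same seven-line edit twice; consider keeping the list in one place if the docs tooling allows, or at least note the duplication so both copies get updated together next time.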

View file

@ -13,7 +13,7 @@
## Overview
Guardrails in Azure are deployed through [Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview). Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Guardrails in Azure are deployed through [Azure Policy](https://learn.microsoft.com/azure/governance/policy/overview). Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.
@ -170,10 +170,10 @@ See [Azure Policy Authoring Guide](authoring-guide.md) for step-by-step instruct
[nist80053r4Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://docs.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[asbPolicySet]: https://docs.microsoft.com/security/benchmark/azure/overview
[cisMicrosoftAzureFoundationPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0
[fedrampmPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/fedramp-moderate
[hipaaHitrustPolicySet]: https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2
[nist80053r4Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4
[nist80053r5Policyset]: https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r5
[pbmmPolicyset]: https://learn.microsoft.com/azure/governance/policy/samples/canada-federal-pbmm
[asbPolicySet]: https://learn.microsoft.com/security/benchmark/azure/overview
[cisMicrosoftAzureFoundationPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0
[fedrampmPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/fedramp-moderate
[hipaaHitrustPolicySet]: https://learn.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2

View file

@ -95,7 +95,7 @@ param hubNetwork object
param network object
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.archetypes.genericSubscription}'

View file

@ -80,7 +80,7 @@ param hubNetwork object
param network object
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.archetypes.healthcare}'

View file

@ -229,7 +229,7 @@ module nsgDatabricks '../../azresources/network/nsg/nsg-databricks.bicep' = {
// Network security groups (NSGs): You can block outbound traffic with an NSG that's placed on your integration subnet.
// The inbound rules don't apply because you can't use VNet Integration to provide inbound access to your app.
// At the moment, there are no outbound rules to block outbound traffic
// See https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
// See https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
module nsgWebApp '../../azresources/network/nsg/nsg-empty.bicep' = {
name: 'deploy-nsg-webapp'
params: {
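Review bot: the comment block above `nsgWebApp` records that the integration subnet gets `nsg-empty.bicep` and that "there are no outbound rules to block outbound traffic", so egress from the App Service integration subnet is governed only by the default NSG rules until someone adds explicit ones. Since the comment is being edited for the Learn URL anyway, make it state whether that is an accepted gap or a tracked TODO, so the next reader does not assume egress from this subnet is already restricted. Also verify that the `web-sites-integrate-with-vnet` path still resolves on Learn rather than relying on a redirect; the VNet integration article has been reorganised since that path was written.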
@ -265,7 +265,7 @@ module udrDatabricksPrivate '../../azresources/network/udr/udr-databricks-privat
// Route tables (UDRs): You can place a route table on the integration subnet to send outbound traffic where you want.
// At the moment, the route table is empty but rules can be added to force tunnel.
// See https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
// See https://learn.microsoft.com/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
module udrWebApp '../../azresources/network/udr/udr-custom.bicep' = {
name: 'deploy-route-table-web-app'
params: {
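Review bot: same point as the NSG hunk above, now for the route table: the comment says `udrWebApp` is deployed empty and that "rules can be added to force tunnel", which means outbound traffic from the integration subnet currently follows system routes instead of being steered through the hub firewall. Make the comment say whether forced tunnelling is planned and who owns it, and note that the same `web-sites-integrate-with-vnet` path should be checked on Learn.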

View file

@ -93,7 +93,7 @@ param hubNetwork object
param network object
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.archetypes.machineLearning}'

View file

@ -390,7 +390,7 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
targetFqdns: [
'adf.azure.com'
// https://docs.microsoft.com/en-us/azure/data-factory/data-factory-ux-troubleshoot-guide
// https://learn.microsoft.com/en-us/azure/data-factory/data-factory-ux-troubleshoot-guide
'dpcanadacentral.svc.datafactory.azure.com'
'dpcanadaeast.svc.datafactory.azure.com'
]
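Review bot: the comment URL inside the `targetFqdns` array keeps the `en-us` locale segment (`https://learn.microsoft.com/en-us/azure/data-factory/...`) while the other URLs in this file are being migrated locale-neutral; drop `/en-us` here too. Placing the comment between `'adf.azure.com'` and the `dp*` entries also makes it read as if it documents only the data-plane FQDNs; moving it above the array would make clear it covers the whole list.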
@ -474,7 +474,7 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
type: 'Allow'
}
rules: [
// Reference: https://docs.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm#deploy-the-integrated-scanner-to-your-azure-and-hybrid-machines
// Reference: https://learn.microsoft.com/azure/security-center/deploy-vulnerability-assessment-vm#deploy-the-integrated-scanner-to-your-azure-and-hybrid-machines
{
ruleType: 'ApplicationRule'
name: 'US Data Center'
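Review bot: the reference comment for this rule collection points at the `azure/security-center/` path, which is the pre-rename location of what is now Microsoft Defender for Cloud documentation. Since the line is being rewritten anyway, verify the page still resolves on Learn (or update it to the current Defender for Cloud path) so the rationale for allowing the vulnerability-assessment scanner endpoints stays traceable from the code.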
@ -739,8 +739,8 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
]
}
{
// https://docs.microsoft.com/azure/firewall/fqdn-tags
// https://docs.microsoft.com/mem/configmgr/sum/get-started/install-a-software-update-point
// https://learn.microsoft.com/azure/firewall/fqdn-tags
// https://learn.microsoft.com/mem/configmgr/sum/get-started/install-a-software-update-point
name: 'Windows Update'
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
priority: 1000
@ -771,7 +771,7 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
}
// AKS required FQDNs
// https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
// https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic
resource AKSCollectionGroup 'ruleCollectionGroups@2021-02-01' = {
dependsOn: [
windowsCollectionGroup
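Review bot: the AKS required-FQDN reference comment keeps the `en-us` locale segment (`https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic`); drop `/en-us` for consistency with the other URLs migrated in this file.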
@ -904,7 +904,7 @@ resource policy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
priority: 2000
ruleCollections: [
{
// https://docs.microsoft.com/azure/virtual-machines/workloads/redhat/redhat-rhui#the-ips-for-the-rhui-content-delivery-servers
// https://learn.microsoft.com/azure/virtual-machines/workloads/redhat/redhat-rhui#the-ips-for-the-rhui-content-delivery-servers
name: 'RedHat Update Infrastructure'
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
priority: 100

View file

@ -47,7 +47,7 @@ param resourceGroupName string
param policyName string
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.networking.azureFirewall}'

View file

@ -179,7 +179,7 @@ param managementRestrictedZone object
param publicAccessZone object
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.networking.azureFirewall}'

View file

@ -204,7 +204,7 @@ param fwUsername string
param fwPassword string
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.networking.nvaFortinet}'

View file

@ -196,7 +196,7 @@ param dataCollectionRule object
param enableDeleteLockOnResourceGroup bool = true
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../azresources/telemetry/customer-usage-attribution-subscription.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.logging}-${uniqueString(location)}'

View file

@ -22,7 +22,7 @@ param childManagementGroupId string
param childManagementGroupName string
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled && (childManagementGroupName == topLevelManagementGroupName)) {
name: 'pid-${telemetry.customerUsageAttribution.modules.managementGroups}'

View file

@ -18,7 +18,7 @@ param topLevelManagementGroupName string
param parentManagementGroupId string
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.managementGroups}'

View file

@ -29,7 +29,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-asb'

View file

@ -41,7 +41,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-cis-msft-130'

View file

@ -32,7 +32,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-fedramp-m'

View file

@ -44,7 +44,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-hitrust-hipaa'

View file

@ -28,7 +28,7 @@ param allowedLocations array
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-location'

View file

@ -38,7 +38,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-nist-80053-r4'

View file

@ -32,7 +32,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-nist-80053-r5'

View file

@ -38,7 +38,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-pbmm'

@ -32,7 +32,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-aks'

@ -35,7 +35,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-ddos'

@ -38,7 +38,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-dns-pe'

@ -32,7 +32,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-mdfc'

@ -38,7 +38,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-logging'

@ -32,7 +32,7 @@ var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssi
var policyScopedId = '/providers/Microsoft.Management/managementGroups/${policyDefinitionManagementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/${policyId}'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-network'

@ -28,7 +28,7 @@ param enforcementMode string = 'Default'
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-tags'
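Review bot: This is the last of the identical one-line comment replacements across the policy-assignment templates, so it is the right place to confirm the sweep is complete: a repository-wide search such as `git grep -n 'docs.microsoft.com'` should come back empty after this commit. The old host redirects to learn.microsoft.com, so a missed file would not break anything, but a tree with both hosts in its reference comments is harder to maintain.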

@ -17,7 +17,7 @@ var roleName = 'Custom - Log Analytics - Read Only for VM Insights'
var roleDescription = 'Read only access to Log Analytics for VM Insights.'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lavminsightsreadonly'

@ -17,13 +17,13 @@ var roleName = 'Custom - Landing Zone Application Owner'
var roleDescription = 'Contributor role granted for application/operations team at resource group level.'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzappowner'
}
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
// Reference: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: guid(roleName)
scope: managementGroup()
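Review bot: Outside the scope of the URL change, but visible in the context lines of this and the three sibling role templates: `resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview'` pins a preview API version for custom role definitions that form part of the identity baseline. Consider a follow-up that moves these four resources to a GA API version of the resource type, since preview versions carry no stability guarantee.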

@ -17,13 +17,13 @@ var roleName = 'Custom - Network Operations (NetOps)'
var roleDescription = 'Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others.'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lznetops'
}
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
// Reference: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: guid(roleName)
scope: managementGroup()

@ -17,13 +17,13 @@ var roleName = 'Custom - Security Operations (SecOps)'
var roleDescription = 'Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzsecops'
}
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
// Reference: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: guid(roleName)
scope: managementGroup()

@ -17,13 +17,13 @@ var roleName = 'Custom - Landing Zone Subscription Owner'
var roleDescription = 'Delegated role for subscription owner generated from subscription Owner role.'
// Telemetry - Azure customer usage attribution
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
var telemetry = json(loadTextContent('../config/telemetry.json'))
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}-lzsubowner'
}
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
// Reference: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
name: guid(roleName)
scope: managementGroup()

@ -60,5 +60,5 @@ echo.
echo Now that an environment exists for the repository branch [%DEVOPS_REPO_BRANCH%],
echo learn more about configuring approvals and checks for deployments associated with this
echo environment by reviewing the following documentation:
echo * https://docs.microsoft.com/azure/devops/pipelines/process/approvals
echo * https://learn.microsoft.com/azure/devops/pipelines/process/approvals
echo.
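Review bot: Unlike the Bicep hunks, this change is user-facing: the line `echo * https://learn.microsoft.com/azure/devops/pipelines/process/approvals` is printed to the operator at the end of the environment-setup script, so it is worth mentioning in the commit message that operator output changed too. No escaping is needed here: in a cmd script `echo *` prints the asterisk literally as a bullet, and keeping the URL alone on its line leaves it clickable in most terminals.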