PBMM & HITRUST/HIPAA policy update (#238)

2022-04-08 10:26:12 -04:00 · 2022-04-08 10:26:12 -04:00 · cc5f017b01
--- a/policy/builtin/assignments/hitrust-hipaa.bicep
+++ b/policy/builtin/assignments/hitrust-hipaa.bicep
@ -34,6 +34,9 @@ param deployDiagnosticSettingsforNetworkSecurityGroupsRgName string
@description('A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3')
 param certificateThumbprints string

+@description('Log Analytics Workspace Data Retention in days.')
+param requiredRetentionDays string
+
 var policyId = 'a169a624-5599-4385-a696-c8d643089fab' // HITRUST/HIPAA
 var assignmentName = 'HITRUST/HIPAA'

@ -55,6 +58,14 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
    scope: scope
    notScopes: []
    parameters: {
+      'logsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
+        value: true
+      }
+      
+      'metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
+        value: false
+      }
+
      // A semicolon-separated list of the names of the applications that should be installed.
      // e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*'
      // (to match any application starting with 'Microsoft SQL Server 2014')
@ -77,6 +88,61 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
      CertificateThumbprints: {
        value: certificateThumbprints
      }
+
+      requiredRetentionDays: {
+        value: requiredRetentionDays
+      }
+
+      listOfResourceTypes: {
+        value: [
+          'Microsoft.AnalysisServices/servers'
+          'Microsoft.ApiManagement/service'
+          'Microsoft.Network/applicationGateways'
+          'Microsoft.Automation/automationAccounts'
+          // 'Microsoft.ContainerInstance/containerGroups'  # Removed since it doesn't have any logs
+          'Microsoft.ContainerRegistry/registries'
+          'Microsoft.ContainerService/managedClusters'
+          'Microsoft.Batch/batchAccounts'
+          'Microsoft.Cdn/profiles/endpoints'
+          'Microsoft.CognitiveServices/accounts'
+          'Microsoft.DocumentDB/databaseAccounts'
+          'Microsoft.DataFactory/factories'
+          'Microsoft.DataLakeAnalytics/accounts'
+          'Microsoft.DataLakeStore/accounts'
+          'Microsoft.EventGrid/eventSubscriptions'
+          'Microsoft.EventGrid/topics'
+          'Microsoft.EventHub/namespaces'
+          'Microsoft.Network/expressRouteCircuits'
+          'Microsoft.Network/azureFirewalls'
+          'Microsoft.HDInsight/clusters'
+          'Microsoft.Devices/IotHubs'
+          'Microsoft.KeyVault/vaults'
+          'Microsoft.Network/loadBalancers'
+          'Microsoft.Logic/integrationAccounts'
+          'Microsoft.Logic/workflows'
+          'Microsoft.DBforMySQL/servers'
+          //'Microsoft.Network/networkInterfaces' # Removed since it doesn't have any logs
+          'Microsoft.Network/networkSecurityGroups'
+          'Microsoft.DBforPostgreSQL/servers'
+          'Microsoft.PowerBIDedicated/capacities'
+          'Microsoft.Network/publicIPAddresses'
+          'Microsoft.RecoveryServices/vaults'
+          'Microsoft.Cache/redis'
+          'Microsoft.Relay/namespaces'
+          'Microsoft.Search/searchServices'
+          'Microsoft.ServiceBus/namespaces'
+          'Microsoft.SignalRService/SignalR'
+          'Microsoft.Sql/servers/databases'
+          //'Microsoft.Sql/servers/elasticPools' # Removed since it doesn't have any logs
+          'Microsoft.StreamAnalytics/streamingjobs'
+          'Microsoft.TimeSeriesInsights/environments'
+          'Microsoft.Network/trafficManagerProfiles'
+          //'Microsoft.Compute/virtualMachines' # Logs are collected through Microsoft Monitoring Agent
+          //'Microsoft.Compute/virtualMachineScaleSets' Removed since it is not supported
+          'Microsoft.Network/virtualNetworks'
+          'Microsoft.Network/virtualNetworkGateways'
+        ]
+      }
    }
    enforcementMode: enforcementMode
  }
--- a/policy/builtin/assignments/hitrust-hipaa.parameters.json
+++ b/policy/builtin/assignments/hitrust-hipaa.parameters.json
@ -19,6 +19,9 @@
        },
        "certificateThumbprints": {
            "value": "__tbd__implementation_specific__"
+        },
+        "requiredRetentionDays": {
+            "value": "{{var-logging-logAnalyticsRetentionInDays}}"
        }
    }
 }
--- a/policy/builtin/assignments/pbmm.bicep
+++ b/policy/builtin/assignments/pbmm.bicep
@ -68,6 +68,56 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
       'metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
         value: false
       }
+       listOfResourceTypesWithDiagnosticLogsEnabled: {
+         value: [
+          'Microsoft.AnalysisServices/servers'
+          'Microsoft.ApiManagement/service'
+          'Microsoft.Network/applicationGateways'
+          'Microsoft.Automation/automationAccounts'
+          // 'Microsoft.ContainerInstance/containerGroups'  # Removed since it doesn't have any logs
+          'Microsoft.ContainerRegistry/registries'
+          'Microsoft.ContainerService/managedClusters'
+          'Microsoft.Batch/batchAccounts'
+          'Microsoft.Cdn/profiles/endpoints'
+          'Microsoft.CognitiveServices/accounts'
+          'Microsoft.DocumentDB/databaseAccounts'
+          'Microsoft.DataFactory/factories'
+          'Microsoft.DataLakeAnalytics/accounts'
+          'Microsoft.DataLakeStore/accounts'
+          'Microsoft.EventGrid/eventSubscriptions'
+          'Microsoft.EventGrid/topics'
+          'Microsoft.EventHub/namespaces'
+          'Microsoft.Network/expressRouteCircuits'
+          'Microsoft.Network/azureFirewalls'
+          'Microsoft.HDInsight/clusters'
+          'Microsoft.Devices/IotHubs'
+          'Microsoft.KeyVault/vaults'
+          'Microsoft.Network/loadBalancers'
+          'Microsoft.Logic/integrationAccounts'
+          'Microsoft.Logic/workflows'
+          'Microsoft.DBforMySQL/servers'
+          //'Microsoft.Network/networkInterfaces' # Removed since it doesn't have any logs
+          'Microsoft.Network/networkSecurityGroups'
+          'Microsoft.DBforPostgreSQL/servers'
+          'Microsoft.PowerBIDedicated/capacities'
+          'Microsoft.Network/publicIPAddresses'
+          'Microsoft.RecoveryServices/vaults'
+          'Microsoft.Cache/redis'
+          'Microsoft.Relay/namespaces'
+          'Microsoft.Search/searchServices'
+          'Microsoft.ServiceBus/namespaces'
+          'Microsoft.SignalRService/SignalR'
+          'Microsoft.Sql/servers/databases'
+          //'Microsoft.Sql/servers/elasticPools' # Removed since it doesn't have any logs
+          'Microsoft.StreamAnalytics/streamingjobs'
+          'Microsoft.TimeSeriesInsights/environments'
+          'Microsoft.Network/trafficManagerProfiles'
+          //'Microsoft.Compute/virtualMachines' # Logs are collected through Microsoft Monitoring Agent
+          //'Microsoft.Compute/virtualMachineScaleSets' Removed since it is not supported
+          'Microsoft.Network/virtualNetworks'
+          'Microsoft.Network/virtualNetworkGateways'
+         ]
+       }
    }
    enforcementMode: enforcementMode
  }